local PINs. This makes the code behave the same way as PIN verification,
change and unblock, before calling the PIN command handler in the card driver.
sc_pkcs15_verify_pin say:
/* if pin cache is disabled, we can get here with no PIN data.
* in this case, to avoid error or unnecessary pin prompting on pinpad,
* check if the PIN has been already verified and the access condition
* is still open on card.
*/
It then call sc_pkcs15_get_pin_info
A context specific login is used in PKCS#11 to force the user
to enter the PIN again and a verify command be sent to the card.
(Actually it could be a different value for the PINi depending on the card)
sc_pkcs15_get_pin_info will then call the card driver, but does not
say why it is testing the login status.sc_pkcs15_get_pin_info may return
SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending
the actual verify command to the card via _sc_pkcs15_verify_pin
To avoid this, sc_pkcs15_get_pin_info will set data.pin_type = pin_info->auth_method;
In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC
and the card driver can take action and can return SC_PIN_STATE_LOGGED_IN=0
so the verify will be done.
The PIV driver card-piv.c does this. Other drivers could do something similar.
Date: MOn May 21 20:40:00 2018 -0500
On branch History-fixes
Changes to be committed:
modified: card-piv.c
modified: pkcs15-pin.c
- eac: allow CA without EF.CardSecurity
- sc-hsm: implemented CA based on document PKI
- sc-hsm: adds receive limit for SoC card
- introduces dedicated card type for SoC card
- md: integrate card's PIN pad capabilities
- installer: added SC-HSM SoC card to registry
- pkcs15-tool: Added support for PIN entry on card
- change/unblock PIN: add support for PIN entry on card
- added OpenPACE to macOS build
- travis-ci: install gengetopt/help2man via brew
- sc-hsm: Cache EF.C_DevAut
- sc-hsm: Prevent unnecessary applet selection and state resets
- sc-hsm: added support for session pin
- sc-hsm: avoid multiple AID selection
- sc-hsm: Use the information from match_card for all subsequent selections of the applet
- sc-hsm: cache optional files as empty files (Decoding the files will reveal that they were not existing prior caching. This avoids selecting the file though we have already tried to cache the file before.)
- use dedicated directory for CVC trust anchors
- appveyor: added OpenPACE to windows build
Since "Add GCC format checking attributes to log functions" commit GCC
warns us about problems with format strings and their arguments provided
to OpenSC message logging functions.
This commit fixes all cases where GCC warned about incorrect format on
64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled).
Well, almost all since on mingw GCC does not recognize "ll" size specifier
(present at least since Visual Studio 2005, also in mingw own CRT) so these
(few) warnings about it remain.
In most cases format size specifier for size_t type was missing (usually
size was left at default int level, with is different on 64-bit x86).
Some formats had too few / too many arguments.
In some cases pointers were printed as integers.
Some long variables were missing "l" prefix (especially with regard to %x
format).
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
_validate_pin was not being called at all during a PIN verification.
After this tools report correctly when the PIN length is invalid, even on pkcs11 layer.
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
PIN cache is not updated when PIN is verified using the PIN value from cache.
That's the case of validating PIN in 'revalidate' context.
Few source format fixes included
closes#805
introduced paramter to signal back the login state
- used for the pin command SC_PIN_CMD_GET_INFO
- implemented in accordance to ISO 7816-4; all other implementations
are currently set to an unknown login state
implemented and exporeted sc_pkcs15_get_pin_info
use sc_pkcs15_get_pin_info in C_GetTokenInfo
C_GetSessionInfo: Check whether a logout was done
Closes https://github.com/OpenSC/OpenSC/pull/624
rebased by @viktorTarasov
In pkcs15-verify the value of PIN is not more validated for conformity with PIN policy,
value is only checked for maximal allowed length.
So that, no more need of 'ignore-pin-length' configuration option - now it's default behavior of common framework.
When OpenSC is used with a card that enforces user_consent
and the calling PKCS#11 application does not understand how
to handle the CKA_ALWAYS_AUTHENTICATE, signature operations
will fail.
OpenSC will not cache a PIN that protects a user_consent
object as one would expect.
This mods allows PINs to be cached even if protecting a
user_consent object by adding
pin_cache_ignore_user_consent = true;
option in opensc.conf.
Thunderbird is the prime example of this situation.
Mozilla has accepted mods (357025 and 613507) to support
CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14 but
this may be some time before this version is in vendor
distribution.
* Print out warning when mlock fails, and continue.
* The warning required a ctx to be passed in, so that means
changing a few function signatures.
https://www.opensc-project.org/opensc/ticket/389
Such PIN codes were erroneously cached in memory, even though not used with revalidation..
User consent relates to private keys, not PIN codes.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5124 c6295689-39f2-0310-b995-f0e70906c6a9
If re-validation of a cached PIN fails, then free that cached PIN to ensure that it isn't used again for re-validation.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4924 c6295689-39f2-0310-b995-f0e70906c6a9
* reduce to a few, supported functions.
* change all functions to take the debug level as parameter.
* use symbolic names for the debug levels.
* fix tools to pass "verbose"/"opt_debug" as ctx->debug.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
Zoltan Kelemen
Frank Morgner
Jakub Jelen
Doug Engert
Hannu Honkanen
Maciej S. Szmigiero
Nuno Goncalves
Jakuje
Viktor Tarasov
Andreas Schwier
vletoux
Frank Morgner
Doug Engert
Stef Walter
vtarasov
andre
martin
viktor.tarasov
aj