In pkcs15-verify the value of PIN is not more validated for conformity with PIN policy,
value is only checked for maximal allowed length.
So that, no more need of 'ignore-pin-length' configuration option - now it's default behavior of common framework.
When doing C_Login default behavior is to ignore the applied PINs with lengths less
then value of PKCS#15 PIN attribure 'min-length'. Such a PINs are not
really verified by card.
With 'ignore-pin-length' option in 'true' all applied PINs are verified by card.
When OpenSC is used with a card that enforces user_consent
and the calling PKCS#11 application does not understand how
to handle the CKA_ALWAYS_AUTHENTICATE, signature operations
will fail.
OpenSC will not cache a PIN that protects a user_consent
object as one would expect.
This mods allows PINs to be cached even if protecting a
user_consent object by adding
pin_cache_ignore_user_consent = true;
option in opensc.conf.
Thunderbird is the prime example of this situation.
Mozilla has accepted mods (357025 and 613507) to support
CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14 but
this may be some time before this version is in vendor
distribution.
- Create/delete the PKCS#15 'DATA' objects destinated to supply support of minidriver. For a while only 'Gemalto' style of such support is implemented.
- Declare epass2003 pkcs15init operations.
- include into OpenSC configuration the SM related sections
'OnePIN' version of opensc-pkcs11 module is not installed.
Instead, in the 'pkcs11' section of OpenSC configuration,
there is a possibility to define in a different manner
how to create slots for the present PINs and applications.
* Detect different cards based on ATR-s and on card objects
* Set the card name from the ATR table
* Conditionally add support for 2048b keys
* Add workarounds for broken MULTOS and JavaCard cards.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4893 c6295689-39f2-0310-b995-f0e70906c6a9
* One sc_context has only a single reader driver.
* remove dynamic reader driver loading capabilities
* remove opensc-tool -R command
* change the internal API, we don't need to pass around a "driver data" pointer as it can be found directly from the context.
* check in ./configure for only a single enabled reader driver
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4709 c6295689-39f2-0310-b995-f0e70906c6a9
Support for importing cleartext keys is left untouched, but all transparent key generation by either opensc-pkcs11.so or pkcs15-init is removed, to make the operation with cleartext keys visible to the user and his explicit wish.
OpenSC is a PKCS#11 library for accessing keys protected by a smart card. Key material in software is not protected by smart cards and can leave a false sense of security to the user.
http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013877.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4646 c6295689-39f2-0310-b995-f0e70906c6a9
In fact, the middleware of the manufacturer of the gemalto (axalto, gemplus) cards
reports the CKA_ID of CA certificates as '0'.
But it's not true for the others middlewares (Oberthur), NSS (afais) and PKCS#11 standard.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4097 c6295689-39f2-0310-b995-f0e70906c6a9
One of the three unblock methods can be activated from the 'opensc-pkcs11' section of opensc.conf:
- C_SetPin() in the unlogged sesssion;
- C_SetPin() in the CKU_SPECIFIC_CONTEXT session;
- C_InitPin() in CKU_SO session (inspired by Pierre Ossman).
-- This last one works, for a while, only for the pkcs15 cards without SOPIN auth object.
For the pkcs15 cards with SOPIN, this method will be useful for the cards
that do not have then modes '00' and '01' of ISO command 'RESET RETRY COUNTER'.
Test commands:
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin -l --login-type context-specific --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --init-pin -l --new-pin "9999"
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3901 c6295689-39f2-0310-b995-f0e70906c6a9
Raul Metsma
Viktor Tarasov
Nikos Mavrogiannopoulos
Doug Engert
Diego Elio Pettenò
Stef Walter
martin
andre
vtarasov
flc
ep
viktor.tarasov
aj