As a short term solution, you may want to look at the opensc.conf cache_pins = true option.
The pkcs11/framework-pkcs15.c in revalidate_pin will do a pkcs15_login with a cached pin if a crypto operation returns SC_ERROR_SECURITY_STATUS_NOT_SATISFIED.

Ludovic Rousseau wrote:
> On Mon, Aug 11, 2008 at 4:56 PM, Ludovic Rousseau
> <[EMAIL PROTECTED]> wrote:
>> On Sun, Aug 10, 2008 at 12:26 AM, Emanuele Pucciarelli <[EMAIL PROTECTED]>
>> wrote:
>>> I would guess that OpenSC does not support that right now, but it should be
>>> fairly easy to implement, and I would expect Firefox to support it. (Even if
>>> the developers did not support it explicitly, getting CKR_USER_NOT_LOGGED_IN
>>> as a result from a signature should be enough to make one want to login
>>> again!)
>> I will try that.
>
> If I return CKR_USER_NOT_LOGGED_IN at C_SignInit() I get an error from
> Firefox 2.0: "Error establishing an encrypted connection to
> MYSSLWEBSITE. Error Code: -8037."
>
> I have the same problem with Firefox 3.0 even if the error message is
> much more explicit:
> "Secure Connection Failed
>
> An error occurred during a connection to MYSSLWEBSITE.
>
> The operation failed because the PKCS#11 token is not logged in.
>
> (Error code: sec_error_token_not_logged_in)
>
> The page you are trying to view can not be shown because the
> authenticity of the received data could not be verified.
>
>    * Please contact the web site owners to inform them of this problem."
>
> And I have a "Try again" button. But clicking on the button will not
> ask for the PIN. It will just try to sign again and will fail again.
>
> Here is an extract of the log:
> 108: C_GetAttributeValue
> [in] hSession = 0x1
> [in] hObject = 0x5
> [in] pTemplate[1]:
>     CKA_PRIVATE requested with 1 buffer
> [out] pTemplate[1]:
>     CKA_PRIVATE True
> Returned: 0 CKR_OK
>
>
> 109: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=0xb3780c00
> Notify=0xb6e544c9
> [out] *phSession = 0x2
> Returned: 0 CKR_OK
>
>
> 110: C_SignInit
> [in] hSession = 0x2
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x5
> Returned: 257 CKR_USER_NOT_LOGGED_IN
>
>
> 111: C_CloseSession
> [in] hSession = 0x2
> Returned: 0 CKR_OK
>
>
> I then tried to return CKR_USER_NOT_LOGGED_IN on the C_Sign() instead
> of C_SignInit() but Firefox reacts the same.
>
> I think it will not be possible to simulate a CKA_ALWAYS_AUTHENTICATE
> just by returning CKR_USER_NOT_LOGGED_IN.
>
> I think it would be simpler to patch Firefox so it asks for the PIN if
> it gets a CKR_USER_NOT_LOGGED_IN instead of completely and correctly
> supporting CKA_ALWAYS_AUTHENTICATE.
>
> Any other suggestion?
>
> Thanks
>

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
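
Added example (not part of the original message and not OpenSC source): a mock token that drops authentication after every signature, showing the cached-PIN retry described above for revalidate_pin next to what the caller sees when no PIN is cached. The struct, the function names and the MOCK_* codes are assumptions made for illustration; only the value of CKR_USER_NOT_LOGGED_IN (257) comes from the log.

```c
/* Added illustration with a mock token; not OpenSC code. */
#include <stdio.h>
#include <string.h>

#define CKR_OK                 0x000UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL  /* 257, as returned in the log */
#define MOCK_OK                0
#define MOCK_NOT_SATISFIED   (-1)  /* stand-in for SC_ERROR_SECURITY_STATUS_NOT_SATISFIED */

struct mock_token {
    const char *pin;      /* PIN the card accepts */
    int authenticated;    /* cleared by the card after every signature */
    int logins;           /* PIN verifications sent to the card */
    int cache_enabled;    /* models cache_pins = true */
    char cached_pin[16];  /* PIN held in host memory when caching is on */
};

static int mock_login(struct mock_token *t, const char *pin) {
    if (strcmp(pin, t->pin) != 0) return MOCK_NOT_SATISFIED;
    t->authenticated = 1;
    t->logins++;
    if (t->cache_enabled)
        snprintf(t->cached_pin, sizeof t->cached_pin, "%s", pin);
    return MOCK_OK;
}

static int mock_card_sign(struct mock_token *t) {
    if (!t->authenticated) return MOCK_NOT_SATISFIED;
    t->authenticated = 0;  /* key wants a fresh PIN before the next signature */
    return MOCK_OK;
}

/* Retry once with the cached PIN; with no cached PIN, surface the PKCS#11 error. */
unsigned long sign_with_revalidate(struct mock_token *t) {
    int rc = mock_card_sign(t);
    if (rc == MOCK_NOT_SATISFIED && t->cache_enabled && t->cached_pin[0])
        if (mock_login(t, t->cached_pin) == MOCK_OK)
            rc = mock_card_sign(t);
    return rc == MOCK_OK ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}

int main(void) {
    struct mock_token t = { "1234", 0, 0, 1, "" };
    mock_login(&t, "1234");
    unsigned long first = sign_with_revalidate(&t);
    unsigned long second = sign_with_revalidate(&t);
    printf("first=%lu second=%lu logins=%d\n", first, second, t.logins);
    return 0;
}
```

With caching on, the PIN stays in process memory for the life of the session, so the per-signature prompt the key asks for is answered by the middleware rather than by the user.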