Sorry - I did not read the OpenSC mailing list for a while, otherwise I could have informed you about my Firefox 2/3 experiences regarding smart cards and PIN dialogs.

1) Firefox 2 always asks for a PIN before C_Login is called. If CKF_PROTECTED_AUTHENTICATION_PATH is set Firefox 2 will ignore whatever PIN was entered and calls C_Login with pPin==NULL. If CKF_PROTECTED_AUTHENTICATION_PATH is not set Firefox 2 feeds the entered PIN into C_Login.

Firefox 3 tries to do it the correct way. If CKF_PROTECTED_AUTHENTICATION_PATH is not set it behaves like Firefox 2 (ask for PIN then feed it into C_Login). If CKF_PROTECTED_AUTHENTICATION_PATH is set Firefox 3 does not ask for a PIN and immediately calls C_Login with pPin==NULL. At the same time a separate thread is started that displays a message that requests the user to authenticate with the token by whatever method the token may support (PIN-pad, fingerprint). This is perfect behaviour, but unfortunately Firefox 3.0.1 crashes when C_Login returns and the separate thread is killed. This bug will be fixed in a future version (hopefully Firefox 3.0.2, if you cannot wait and need an unofficial version of Firefox 3.0.1 without this bug - let me know).

2) Firefox (2 and 3) do not implement the re-authentication method that is described in PKCS#11 V2.20 10.9 and it is my impression that the Mozilla NSS team will not change this in the near future. This means that any error code that C_Sign returns will be fatal, even CKR_USER_NOT_LOGGED_IN. But read on - you don't need this.

3) Every PKCS#11 application must be prepared that the session state will change due to side effects of operations that happen within other sessions that were opened with the same token. Therefore Firefox will check the session state before every cryptographic operation. If the session state is either CKS_RO_PUBLIC_SESSION or CKS_RW_PUBLIC_SESSION then C_Login will be called and if the login is successful C_Login will have the side effect of changing the session state to CKS_RO_USER_FUNCTIONS or CKS_RW_USER_FUNCTIONS for all sessions that are open with the token in question.

What happens in your case is that using the private key has the side effect of changing the session state back to CKS_RO_PUBLIC_SESSION or CKS_RW_PUBLIC_SESSION. Before Firefox will do the next cryptographic operation it will check the session state by calling C_GetSessionInfo. Firefox will then realize that a new C_Login is required and will ask you for your PIN again. So all you must do is to change the session state after every signature operation.

This works for me. Some German signature cards have a signature counter that requires a PIN verification every 100 signature operations. So I check the signature counter after every cryptographic operation and whenever the signature counter reaches 0 I do an implicit logout.

I have not tried this with the OpenSC PKCS11 library. But calling C_Logout(hSession) from within C_Sign() for certain cards should be easy to realize.

Peter
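
The interaction described in points 2 and 3 of the message, as an added model that is not part of the original message and is neither OpenSC nor NSS code: an application that checks the session state before every signature and treats any signing error as fatal, run against a token module with and without the implicit logout. The `struct token`, the `model_*` and `run_app` names and the counter handling are assumptions made for illustration; only the `CKS_`/`CKR_` names and values come from PKCS#11 v2.20.

```c
#include <stdio.h>

/* Session states and return codes with their PKCS#11 v2.20 values. */
#define CKS_RO_PUBLIC_SESSION  0UL
#define CKS_RO_USER_FUNCTIONS  1UL
#define CKR_OK                 0x000UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL

/* Hypothetical token model; login state is shared by all sessions on the token. */
struct token {
    int logged_in;         /* state the module reports via C_GetSessionInfo */
    unsigned sigs_per_pin; /* signatures the card allows per PIN check, 0 = no limit */
    unsigned sigs_left;    /* signatures left before the card wants the PIN again */
    int implicit_logout;   /* 1 = module drops to public state when sigs_left hits 0 */
};

static unsigned long model_state(const struct token *t) {
    return t->logged_in ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION;
}

static unsigned long model_login(struct token *t) {
    t->logged_in = 1;
    t->sigs_left = t->sigs_per_pin;
    return CKR_OK;
}

static unsigned long model_sign(struct token *t) {
    if (!t->logged_in) return CKR_USER_NOT_LOGGED_IN;
    if (t->sigs_per_pin == 0) return CKR_OK;              /* card never re-asks */
    if (t->sigs_left == 0) return CKR_USER_NOT_LOGGED_IN; /* card refuses, state is stale */
    if (--t->sigs_left == 0 && t->implicit_logout)
        t->logged_in = 0;                                  /* logout from inside sign */
    return CKR_OK;
}

/* Application loop: check state before each operation, log in if public, and
 * treat any sign error as fatal. Returns the login count, or -1 on a failed sign. */
static int run_app(unsigned sigs_per_pin, int implicit_logout, unsigned ops) {
    struct token t = { 0, sigs_per_pin, 0, implicit_logout };
    int logins = 0;
    for (unsigned i = 0; i < ops; i++) {
        if (model_state(&t) == CKS_RO_PUBLIC_SESSION) { model_login(&t); logins++; }
        if (model_sign(&t) != CKR_OK) return -1;
    }
    return logins;
}

int main(void) {
    printf("implicit logout, PIN per signature: %d logins\n", run_app(1, 1, 5));
    printf("implicit logout, PIN per 100:       %d logins\n", run_app(100, 1, 250));
    printf("no implicit logout:                 %d\n", run_app(1, 0, 5));
    return 0;
}
```

With the implicit logout the application logs in again exactly when the card's counter is used up; without it the reported state stays at user level and the second signature fails with an error the application cannot recover from.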