Martin Paljak wrote:
On 18.11.2009, at 16:53, François Leblanc wrote:
Hmm, my first idea was to add 'sc_pkcs15init_set_callbacks' somewhere in
opensc-pkcs11.dll (in framework-pkcs15.c, for example)... but as I'm not a
specialist in PKCS#11 I'd rather wait for the opinion of someone who knows
what he is doing. So for the moment I hope a PKCS#11 expert will have a look.
For the trunk branch, I don't know if the comment on changeset 3784 is OK:
https://www.opensc-project.org/opensc/changeset/3784
This can't affect 0.11.
'pkcs15-init' provides its own function to get the PIN and asks for the PIN when
necessary; for opensc-pkcs11 the PIN is given by the application, so we can't
provide a function to ask for the PIN. I think we can cache the PIN at login and call
'sc_pkcs15init_set_callbacks' to set functions to retrieve the PIN back, but
what about security and the SO PIN...
There are two targets:
1. If a PIN is entered via software, cache it in a single location, usable by
all layers above libopensc through the same mechanism.
2. Allow personalizing a card with all PINs going through a pinpad.
1. is possible, but 2. via PKCS#11 might be a problem if a card requires
the PIN several times for a single operation...
Actually:
- C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
- sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does
not look for the PIN in this cache, but in a global cache (static 'secret *'
and 'named_pin' in keycache.c).
What is the reason for the co-existence of these two caches?
Maybe sc_pkcs15init_authenticate() should look for the PIN in
p15card->pin_cache[] as well?
IMHO, at least, it would solve the problem for 'target 1.' and would
not change the situation for 'target 2.'.
--
Viktor Tarasov <viktor.tara...@opentrust.com>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
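The single-cache design argued for above, as an added example that is not OpenSC code and not part of the original thread: a constructed model in which the login path (a C_Login analogue) stores the user PIN in a per-card pin_cache[] and the init-time authenticate path (a sc_pkcs15init_authenticate analogue) consults that same cache before falling back to a prompt or pinpad callback. The names p15card, login_cache_pin, authenticate, logout_clear and the VERIFY stand-in are illustrative assumptions; the sample PINs are constructed. Two policy points from the thread are built in: the SO PIN is verified but never cached, and logout zeroizes every entry.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSC code. One per-card PIN cache consulted by both
 * the PKCS#11 login path and the pkcs15init authenticate path. Names such as
 * p15card, login_cache_pin and authenticate are illustrative only. */
#define PIN_CACHE_SLOTS 4
#define PIN_MAX_LEN 16
enum pin_type { PIN_TYPE_USER, PIN_TYPE_SO };

struct pin_cache_entry { int in_use; int reference; unsigned char value[PIN_MAX_LEN]; size_t len; };
struct p15card { struct pin_cache_entry pin_cache[PIN_CACHE_SLOTS]; int verify_calls; };
/* Cache-miss fallback: a pinpad or an application prompt. */
typedef int (*get_pin_cb)(int reference, unsigned char *out, size_t *len);

/* Zeroize through a volatile pointer so the store is not optimized away. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

static struct pin_cache_entry *find_entry(struct p15card *card, int reference)
{
    for (int i = 0; i < PIN_CACHE_SLOTS; i++)
        if (card->pin_cache[i].in_use && card->pin_cache[i].reference == reference)
            return &card->pin_cache[i];
    return NULL;
}

/* Stand-in for the card's VERIFY command; it only counts calls here. */
static int card_verify(struct p15card *card, const unsigned char *pin, size_t len)
{ (void)pin; (void)len; card->verify_calls++; return 0; }

/* C_Login analogue: verify, then cache a user PIN in p15card->pin_cache[].
 * The SO PIN is verified but deliberately never cached. Returns 0 on success. */
static int login_cache_pin(struct p15card *card, int reference, enum pin_type type,
                           const unsigned char *pin, size_t len)
{
    if (len == 0 || len > PIN_MAX_LEN || card_verify(card, pin, len) != 0)
        return -1;
    if (type == PIN_TYPE_SO)
        return 0;
    struct pin_cache_entry *e = find_entry(card, reference);
    for (int i = 0; e == NULL && i < PIN_CACHE_SLOTS; i++)
        if (!card->pin_cache[i].in_use)
            e = &card->pin_cache[i];
    if (e == NULL)
        return -2;                  /* cache full */
    wipe(e->value, sizeof e->value);
    memcpy(e->value, pin, len);
    e->len = len; e->reference = reference; e->in_use = 1;
    return 0;
}

/* sc_pkcs15init_authenticate analogue: use the per-card cache first and fall
 * back to the callback only on a miss; *from_cache records which path ran. */
static int authenticate(struct p15card *card, int reference, get_pin_cb cb, int *from_cache)
{
    struct pin_cache_entry *e = find_entry(card, reference);
    *from_cache = (e != NULL);
    if (e != NULL)
        return card_verify(card, e->value, e->len);
    if (cb == NULL)
        return -3;                  /* nothing cached and no way to ask */
    unsigned char buf[PIN_MAX_LEN];
    size_t len = sizeof buf;
    int r = cb(reference, buf, &len);
    if (r == 0)
        r = (len > 0 && len <= sizeof buf) ? card_verify(card, buf, len) : -1;
    wipe(buf, sizeof buf);          /* the prompted PIN never outlives the call */
    return r;
}

/* C_Logout analogue: zeroize every cached entry. */
static void logout_clear(struct p15card *card)
{
    for (int i = 0; i < PIN_CACHE_SLOTS; i++)
        wipe(&card->pin_cache[i], sizeof card->pin_cache[i]);
}

/* Constructed prompt stand-in that returns a fixed sample PIN. */
static int sample_prompt(int reference, unsigned char *out, size_t *len)
{ (void)reference; memcpy(out, "5678", 4); *len = 4; return 0; }

/* Walks the scenario from the thread; returns the number of failed checks. */
static int demo_scenario(void)
{
    struct p15card card;
    int fails = 0, fc = -1;
    memset(&card, 0, sizeof card);
    /* user PIN cached at login, so a later authenticate() needs no prompt */
    fails += login_cache_pin(&card, 1, PIN_TYPE_USER, (const unsigned char *)"1234", 4) != 0;
    fails += authenticate(&card, 1, NULL, &fc) != 0 || fc != 1;
    /* unknown reference: falls back to the prompt callback */
    fails += authenticate(&card, 2, sample_prompt, &fc) != 0 || fc != 0;
    /* SO PIN: verified but not cached, so it cannot be replayed silently */
    fails += login_cache_pin(&card, 3, PIN_TYPE_SO, (const unsigned char *)"99999999", 8) != 0;
    fails += authenticate(&card, 3, NULL, &fc) != -3;
    logout_clear(&card);            /* logout wipes the cache */
    fails += authenticate(&card, 1, NULL, &fc) != -3;
    fails += card.verify_calls != 4;
    return fails;
}

int main(void) { printf("failed checks: %d\n", demo_scenario()); return 0; }
```

The point of the model is the lookup order in authenticate(): with one cache on the card handle there is nothing for a second, global keycache to hold, which is the situation the thread asks about. Leaving the SO PIN out of the cache is a policy choice for the example, not something the thread settles.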