Hello again,

>> That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED
>> after a PIN entry try if the method got blocked. Even NSS/Firefox used to
>> ignore this return code for a long time and as a result asked for a PIN 3
>> times (hardcoded apparently) even if the PIN was already locked. That got
>> fixed lately, don't know when it will arrive in Firefox though. Also see
>> ticket #250, for further flags to check for usability (e.g. "This will be
>> your final PIN try, failing this will block your PIN" message).

Ok, sounds good. I don't know if I got this right, but is this the
"workflow" of how an authentication basically works with pkcs11 with nss
enabled?

login(gdm/screensaver/whatever) => pam_pkcs11 => nss => opensc => pcscdriver => pcscd

So opensc returns "whatever" to nss and nss returns "whatever" to what's
calling it? Are these the return codes from nss we are talking about,
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1039257,
can't really see anything about blocked pin or similar. (maybe they haven't
updated it yet)

And as long as nss doesn't return "whatever" opensc returns, it's impossible
for pam_pkcs11 to tell the calling application the "correct" return code?

I'm asking all this out of curiosity so I can get the basic understanding of
what I'm talking about....

>> No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to
>> the fact that it has nothing to do with Open*CT*.

Ok cool. Is there anything I can debug to help us out here? I would really
like to get this working and I'm willing to spend a lot of time on it to get
there, just need some info on how to go further.

/Patrik Martinsson, Sweden.

On 09/01/2010 01:17 PM, Martin Paljak wrote:
> Hello,
>
> On Sep 1, 2010, at 1:58 PM, Patrik Martinsson wrote:
>
>> As a Linux user today at our company you need to find a Windows computer or
>> go to our helpdesk to get your card unlocked, you also need to call the
>> helpdesk to get your puk.
>> I guess what I'm asking for is a simple way for the user to understand that
>> their card is locked, eg. telling the user that the 'card is locked' instead
>> of 'logon failure' as it is today. But again, maybe this is not possible, or
>> maybe this is application specific rather than opensc.
>>
> That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED
> after a PIN entry try if the method got blocked. Even NSS/Firefox used to
> ignore this return code for a long time and as a result asked for a PIN 3
> times (hardcoded apparently) even if the PIN was already locked. That got
> fixed lately, don't know when it will arrive in Firefox though. Also see
> ticket #250, for further flags to check for usability (e.g. "This will be
> your final PIN try, failing this will block your PIN" message).
>
>>>> Only if they integrate standard CCID readers directly to the USB bus.
>>>> Unfortunately they use integrated chips that do "secure digital" and
>>>> "smart card". Some Linux tutorials in the wild, that talk about OpenSC,
>>>> direct people to memory card reader listings (where, indeed, some chips
>>>> support smart cards but AFAIK only on Windows) instead of libccid's
>>>> extensive list...
>>>>
>> Yep, I was actually talking about one of those chips, R5C822
>> (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to
>> the homepage the chip is discontinued however HP still delivers them in
>> their brand new models, 8440p for example, god knows why. Is there any
>> chance that we would see some support on these chipsets under Linux?
>>
> This has been discussed before [2] on MUSCLE mailing list. I doubt it will
> happen [3].
>
>>>> Check the logs. OpenCT has nothing to do with it. The culprit, failing
>>>> C_WaitForSlotEvent and pcsc_wait_for_event has been identified a few
>>>> e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection
>>>> b) event waiting.
>>>>
>> Hmm yes, I've checked the logs, and as I understand you correctly, it's a
>> pcsc-lite issue? So I should take it on their mailing list instead?
>>
> No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to
> the fact that it has nothing to do with Open*CT*.
>
> [1] http://www.opensc-project.org/opensc/ticket/250
> [2] http://lists.drizzle.com/pipermail/muscle/2009-December/008009.html
> [3] http://lists.drizzle.com/pipermail/muscle/2009-December/008013.html
>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
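
The PIN-state handling discussed in this thread, as an added example that is not part of the original e-mails and is not OpenSC, NSS or pam_pkcs11 code: a PIN prompt loop that re-reads the token flags before every prompt, so it warns on the final try and reports "card is locked" instead of asking again. The flag and return-code values are the ones PKCS#11 defines; `mock_token`, `mock_flags`, `mock_login` and `pin_login` are hypothetical names, and the mock card with its 3-try counter is constructed to stand in for `C_GetTokenInfo` and `C_Login`.

```c
#include <stdio.h>
#include <string.h>
/* CK_TOKEN_INFO.flags bits and C_Login return values, as defined by PKCS#11. */
#define CKF_USER_PIN_FINAL_TRY 0x00020000UL
#define CKF_USER_PIN_LOCKED    0x00040000UL
#define CKR_OK            0x00UL
#define CKR_PIN_INCORRECT 0xA0UL
#define CKR_PIN_LOCKED    0xA4UL
/* Constructed stand-in for the card behind C_GetTokenInfo / C_Login. */
struct mock_token { const char *pin; int tries_left; };

static unsigned long mock_flags(const struct mock_token *t) {
    if (t->tries_left <= 0) return CKF_USER_PIN_LOCKED;
    return t->tries_left == 1 ? CKF_USER_PIN_FINAL_TRY : 0;
}

static unsigned long mock_login(struct mock_token *t, const char *pin) {
    if (t->tries_left <= 0) return CKR_PIN_LOCKED;
    if (strcmp(pin, t->pin) == 0) { t->tries_left = 3; return CKR_OK; }
    t->tries_left--;              /* a wrong PIN burns one try */
    return CKR_PIN_INCORRECT;
}

enum outcome { AUTH_OK, AUTH_FAILED, AUTH_CARD_LOCKED };

/* pins[] plays the user's successive entries; *prompts counts PIN dialogs shown. */
static enum outcome pin_login(struct mock_token *t, const char **pins, int n, int *prompts) {
    *prompts = 0;
    for (int i = 0; i < n; i++) {
        unsigned long flags = mock_flags(t);   /* re-read before every prompt */
        if (flags & CKF_USER_PIN_LOCKED) return AUTH_CARD_LOCKED;
        if (flags & CKF_USER_PIN_FINAL_TRY)
            puts("This will be your final PIN try, failing this will block your PIN");
        (*prompts)++;
        unsigned long rv = mock_login(t, pins[i]);
        if (rv == CKR_OK) return AUTH_OK;
        if (rv == CKR_PIN_LOCKED) return AUTH_CARD_LOCKED;
    }
    /* The last wrong PIN may have locked the card even though rv said "incorrect". */
    return (mock_flags(t) & CKF_USER_PIN_LOCKED) ? AUTH_CARD_LOCKED : AUTH_FAILED;
}

int main(void) {
    const char *wrong[] = { "0000", "1111", "2222", "3333", "4444" };
    struct mock_token card = { "1234", 3 };
    int prompts;
    enum outcome r = pin_login(&card, wrong, 5, &prompts);
    printf("%s after %d prompt(s)\n", r == AUTH_CARD_LOCKED ? "card is locked" : "logon failure", prompts);
    return 0;
}
```

A caller such as a PAM module can only pass "card is locked" up to gdm or the screensaver if every layer below it preserves this distinction rather than collapsing it into a generic failure.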