Hello,

On Sep 13, 2010, at 12:04 PM, Martin Paljak wrote:
>> I just did a quick "grep LOGIN_REQUIRED *.c" and it seems that only
>> the WestCOS and OpenPGP emulations set LOGIN_REQUIRED
>> while all other emulation-routines don't.
>
> CKF_LOGIN_REQUIRED from PKCS#11 (which is the flag missing in the 0.12
> version for TCOS card) does not map 1:1 to TokenInfo.flags->loginRequired.
>
> (From PKCS#15):
> """
> TokenInfo.tokenflags: This field contains information about the token per se.
> Flags include: ... if login (i.e. authentication) is required before
> accessing any data, ...
> """
> So in PKCS#11 terms it is maybe more similar to CKA_PRIVATE, because:
>
> (From PKCS#11):
> """
> Applications are not required to log into the token to view "public objects";
> however, to view "private objects", a user must be authenticated to the token
> by a PIN or some other token-dependent method (for example, a biometric
> device).
> """
> """
> CKF_LOGIN_REQUIRED: True if there are some cryptographic functions that a
> user must be logged in to perform
> """
>
> Further, CKF_LOGIN_REQUIRED is not set based on the existence of
> SC_PKCS15_CARD_FLAG_LOGIN_REQUIRED, but if the tokens are arranged so that a
> slot will contain an authentication object [1]
Actually I think OpenSC should not try to set SC_PKCS15_CARD_FLAG_LOGIN_REQUIRED (loginRequired in TokenInfo.flags) at all. The description in PKCS#15 v1.1 is too broad to be precisely useful, and as OpenSC does not make any use of the flag (in PKCS#11 or Tokend or elsewhere), it should be left untouched.

What I read out from the spec is that loginRequired should be set if the token refuses to give out *anything* before a successful PIN verification (with the exception of the TokenInfo file itself, apparently ;) ). Something that NSS assumes without the friendly certs flag set on a slot (first a PIN prompt and C_Login, even if certificates are publicly readable).

Also, the two emulation drivers that set the flag most probably do it erroneously (the flag sounds useful at first), and pkcs15init should not try to set it either [1] and only set SC_PKCS15_CARD_FLAG_USER_PIN_INITIALIZED.

[1] http://www.opensc-project.org/opensc/changeset/4130

--
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel