On 28/04/2011 10:51, Martin Paljak wrote:

>> Don't know how this could be done for OpenSC, since it caches PIN codes.
> Only if the PIN does not cache "user consent" keys and only if PIN caching is 
> enabled.
Found relevant code.

> Yes it does support using such PIN-s. OpenSC does not cache the PIN if any 
> private key with user consent has the PIN as authentication ID. Creating them 
> is AFAIK not possible through command line (a feature request ticket might be 
> good)
IIUC, user_consent is never set. Unless you have it set in an imported
certificate. Doesn't "sound right" to me.

Here's a patch to test:

--- pkcs15-init.h.ori   2010-12-22 18:14:39.000000000 +0100
+++ pkcs15-init.h       2011-04-28 11:36:33.805873246 +0200
@@ -189,6 +189,8 @@
        const char *            puk_label;
        const unsigned char *   puk;
        size_t                  puk_len;
+
+       int                     user_consent;
 };

 struct sc_pkcs15init_keyarg_gost_params {
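Review bot: The new `user_consent` member has no comment, and neither its meaning nor its valid values are stated in this hunk; a line such as `/* non-zero: store the PIN object with the 'user consent' attribute set (PIN should not be cached) */` above it would help. Because pkcs15-lib.c copies the member unconditionally, a caller that fills this struct without zeroing it first would write an indeterminate value into the PIN object. It is worth confirming that every user of the struct clears it before use; those callers are not visible here. The struct definition starts outside the hunk.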


--- pkcs15-lib.c.ori    2010-12-22 18:14:39.000000000 +0100
+++ pkcs15-lib.c        2011-04-28 11:38:51.895233831 +0200
@@ -908,6 +908,9 @@
        sc_profile_get_pin_info(profile, SC_PKCS15INIT_USER_PIN, pin_info);
        pin_info->auth_id = args->auth_id;

+       /* Mark it as 'user consent' pin (uncacheable) */
+       pin_obj->user_consent = args->user_consent;
+
        /* Now store the PINs */
        sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Store PIN(%s,authID:%s)",
pin_obj->label, sc_pkcs15_print_id(&pin_info->auth_id));
        r = sc_pkcs15init_create_pin(p15card, profile, pin_obj, args);
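Review bot: The comment on the added assignment says the PIN becomes uncacheable, but nothing in this hunk shows the PIN cache reading `pin_obj->user_consent`; the message quoted in this thread says caching is skipped when a private key with user consent uses the PIN as its authentication ID, which is a different object. If the cache code only looks at key objects, this flag is stored on the card without affecting caching, and someone relying on `--user-consent` would get less protection than the help text promises. I would word the comment as `/* Record the 'user consent' attribute on the PIN object */` until the cache path is confirmed to honour it, and test by checking that a second operation prompts for the PIN again. The enclosing function starts and ends outside the hunk.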

--- pkcs15-init.c.ori   2010-12-22 18:14:33.000000000 +0100
+++ pkcs15-init.c       2011-04-28 11:39:41.483645061 +0200
@@ -133,6 +133,7 @@
        OPT_PUK_LABEL,
        OPT_VERIFY_PIN,
        OPT_SANITY_CHECK,
+       OPT_USER_CONSENT,

        OPT_PIN1     = 0x10000, /* don't touch these values */
        OPT_PUK1     = 0x10001,
@@ -185,6 +186,7 @@
        { "insecure",           no_argument, NULL,
OPT_UNPROTECTED },
        { "use-default-transport-keys",
                                no_argument, NULL,              'T' },
+       { "user-consent",       no_argument, NULL,
OPT_USER_CONSENT },
        { "no-prompt",          no_argument, NULL,
OPT_NO_PROMPT },

        { "profile",            required_argument, NULL,        'p' },
@@ -240,6 +242,7 @@
        "Private key stored as an extractable key",
        "Insecure mode: do not require PIN/passphrase for private key",
        "Do not ask for transport keys if the driver thinks it knows the
key",
+       "Require user to re-authorize every transaction (no PIN caching)",
        "Do not prompt the user; if no PINs supplied, pinpad will be used",

        "Specify the general profile to use",
@@ -314,6 +317,7 @@
 static unsigned int            opt_actions;
 static int                     opt_extractable = 0,
                                opt_unprotected = 0,
+                               opt_user_consent= 0,
                                opt_authority = 0,
                                opt_no_prompt = 0,
                                opt_no_sopin = 0,
@@ -783,6 +787,10 @@
        args.puk = (u8 *) opt_pins[1];
        args.puk_len = opt_pins[1]? strlen(opt_pins[1]) : 0;

+
+       if (opt_user_consent)
+               args.user_consent=1;
+
        return sc_pkcs15init_store_pin(p15card, profile, &args);

 failed:        fprintf(stderr, "Failed to read PIN: %s\n", sc_strerror(r));
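Review bot: `opt_user_consent` is read only here, on the way into `sc_pkcs15init_store_pin()`, so `--user-consent` combined with any other action (for example storing a private key) is accepted and silently ignored. For an option meant to tighten PIN handling, a silent no-op fails in the unsafe direction; the option should either be rejected when the selected action does not create a PIN, or also be carried into the key arguments. As a minor style point, the assignment can be written `args.user_consent = opt_user_consent ? 1 : 0;` to match the spacing of the lines above it. The enclosing function starts outside the hunk.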
@@ -2496,6 +2504,9 @@
                this_action = ACTION_STORE_PUBKEY;
                opt_infile = optarg;
                break;
+       case OPT_USER_CONSENT:
+               opt_user_consent++;
+               break;
        case OPT_UNPROTECTED:
                opt_unprotected++;
                break;

It compiles and seems to work... At least the --user-consent option is
accepted and SHOULD get stored in the PIN object.

BYtE,
 Diego.