On 28/04/2011 10:51, Martin Paljak wrote:
>> Don't know how this could be done for OpenSC, since it caches PIN codes.
> Only if the PIN does not cache "user consent" keys and only if PIN caching is
> enabled.

Found relevant code.

> Yes it does support using such PIN-s. OpenSC does not cache the PIN if any
> private key with user consent has the PIN as authentication ID. Creating them
> is AFAIK not possible through command line (a feature request ticket might be
> good)

IIUC, user_consent is never set. Unless you have it set in an imported certificate.
Doesn't "sound right" to me.

Here's a patch to test:

--- pkcs15-init.h.ori 2010-12-22 18:14:39.000000000 +0100 +++ pkcs15-init.h 2011-04-28 11:36:33.805873246 +0200 @@ -189,6 +189,8 @@ const char * puk_label; const unsigned char * puk; size_t puk_len; + + int user_consent; }; struct sc_pkcs15init_keyarg_gost_params { --- pkcs15-lib.c.ori 2010-12-22 18:14:39.000000000 +0100 +++ pkcs15-lib.c 2011-04-28 11:38:51.895233831 +0200 @@ -908,6 +908,9 @@ sc_profile_get_pin_info(profile, SC_PKCS15INIT_USER_PIN, pin_info); pin_info->auth_id = args->auth_id; + /* Mark it as 'user consent' pin (uncacheable) */ + pin_obj->user_consent = args->user_consent; + /* Now store the PINs */ sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Store PIN(%s,authID:%s)", pin_obj->label, sc_pkcs15_print_id(&pin_info->auth_id)); r = sc_pkcs15init_create_pin(p15card, profile, pin_obj, args); --- pkcs15-init.c.ori 2010-12-22 18:14:33.000000000 +0100 +++ pkcs15-init.c 2011-04-28 11:39:41.483645061 +0200 @@ -133,6 +133,7 @@ OPT_PUK_LABEL, OPT_VERIFY_PIN, OPT_SANITY_CHECK, + OPT_USER_CONSENT, OPT_PIN1 = 0x10000, /* don't touch these values */ OPT_PUK1 = 0x10001, @@ -185,6 +186,7 @@ { "insecure", no_argument, NULL, OPT_UNPROTECTED }, { "use-default-transport-keys", no_argument, NULL, 'T' }, + { "user-consent", no_argument, NULL, OPT_USER_CONSENT }, { "no-prompt", no_argument, NULL, OPT_NO_PROMPT }, { "profile", required_argument, NULL, 'p' },
@@ -240,6 +242,7 @@ "Private key stored as an extractable key", "Insecure mode: do not require PIN/passphrase for private key", "Do not ask for transport keys if the driver thinks it knows the key", + "Require user to re-authorize every transaction (no PIN caching)", "Do not prompt the user; if no PINs supplied, pinpad will be used", "Specify the general profile to use", @@ -314,6 +317,7 @@ static unsigned int opt_actions; static int opt_extractable = 0, opt_unprotected = 0, + opt_user_consent= 0, opt_authority = 0, opt_no_prompt = 0, opt_no_sopin = 0, @@ -783,6 +787,10 @@ args.puk = (u8 *) opt_pins[1]; args.puk_len = opt_pins[1]? strlen(opt_pins[1]) : 0; + + if (opt_user_consent) + args.user_consent=1; + return sc_pkcs15init_store_pin(p15card, profile, &args); failed: fprintf(stderr, "Failed to read PIN: %s\n", sc_strerror(r)); @@ -2496,6 +2504,9 @@ this_action = ACTION_STORE_PUBKEY; opt_infile = optarg; break; + case OPT_USER_CONSENT: + opt_user_consent++; + break; case OPT_UNPROTECTED: opt_unprotected++; break;

It compiles and seems to work... At least --user-consent option is accepted and SHOULD get stored in PIN object.

BYtE,
 Diego.
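
Review bot: in the pkcs15-init.h hunk (@@ -189), the new member int user_consent has no comment saying what a non-zero value means or who is expected to set it. Please document it next to the field (non-zero marks the PIN as a user-consent PIN that must not be cached) and state that callers building this struct must zero it first, because pkcs15-lib.c copies the value through unconditionally and a caller that leaves the struct uninitialised would store an undefined flag.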
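
Review bot: in the pkcs15-lib.c hunk (@@ -908), the flag is set on the PIN object (pin_obj->user_consent), while the reply quoted above says OpenSC skips caching when a private key with user consent has the PIN as its authentication ID, so this patch alone does not show that a flag on the PIN object changes caching. Please confirm which object the cache check reads and either set the flag where that check looks or drop "(uncacheable)" from the comment until it is verified. Storing args->user_consent ? 1 : 0 instead of the raw int would also keep the stored value to 0 or 1.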
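
Review bot: in the pkcs15-init.c hunk at @@ -783, opt_user_consent is read only on the path that ends in sc_pkcs15init_store_pin, so --user-consent given together with any other action is accepted and silently ignored. Warn or fail when the option is used without a PIN-store action, and say in the help string added at @@ -240 that it applies to the PIN being stored. Style: args.user_consent=1 here and opt_user_consent= 0 at @@ -314 need spaces around "=" to match the neighbouring lines.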