Re: [opensc-devel] Small correction on westcos card.
On Monday 23 November 2009 11:19:18, François Leblanc wrote:
> I repost the patch to improve pkcs15init on westcos and I add one to
> correct issue on p15emu

thanks, both committed to trunk.

Regards, Andreas

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] pam_pkcs11 & CFK_LOGIN_REQUIRED
Hi!

pam_pkcs11 doesn't work with cards with no PIN installed. It tries to C_Login() whenever PIN is really needed and fails with "C_Login() failed: 0x0102".

I've made a patch which corrects this behavior:
* implements get_slot_login_required() function which checks whether the current slot requires login
* makes pam_pkcs11 ask for PIN only if it is needed

--
Regards, Oleg Smirnov

Attachment: pam_pkcs11_login_required.diff
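The flag check the post describes, as an added example that is not part of Oleg's patch or of pam_pkcs11: it decides from the token flags returned by C_GetTokenInfo whether C_Login is needed at all, and also covers the pinpad case and the case where login is required but no user PIN has been set. The Cryptoki constants are the standard values from the PKCS#11 spec; decide_login and the constructed token list are assumptions.

```c
#include <stdio.h>

/* Subset of PKCS#11 (Cryptoki) definitions, copied from the v2.x spec so the
 * example builds without pkcs11.h. The values are the standard ones. */
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_RV;
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_USER_PIN_INITIALIZED          0x00000008UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKR_USER_PIN_NOT_INITIALIZED      0x00000102UL /* the 0x0102 from the post */

enum login_policy {
    LOGIN_NOT_NEEDED,  /* token does not require C_Login: do not prompt at all */
    LOGIN_WITH_PIN,    /* prompt for the PIN and pass it to C_Login */
    LOGIN_ON_PINPAD,   /* call C_Login with a NULL PIN; the reader collects it */
    LOGIN_IMPOSSIBLE   /* login required but no user PIN is set: fail early */
};

/* Hypothetical helper in the spirit of get_slot_login_required(): decide from
 * CK_TOKEN_INFO.flags (as filled in by C_GetTokenInfo) whether and how to log
 * in, instead of calling C_Login unconditionally and surfacing its error. */
enum login_policy decide_login(CK_FLAGS token_flags)
{
    if (!(token_flags & CKF_LOGIN_REQUIRED))
        return LOGIN_NOT_NEEDED;
    if (!(token_flags & CKF_USER_PIN_INITIALIZED))
        return LOGIN_IMPOSSIBLE;   /* C_Login would fail with CKR_USER_PIN_NOT_INITIALIZED */
    if (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return LOGIN_ON_PINPAD;
    return LOGIN_WITH_PIN;
}

int main(void)
{
    /* Constructed token flag words, not read from a real card. */
    const struct { const char *name; CK_FLAGS flags; } tokens[] = {
        { "card with no PIN installed", 0 },
        { "card with a user PIN",       CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED },
        { "pinpad reader",              CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED |
                                        CKF_PROTECTED_AUTHENTICATION_PATH },
        { "login required, PIN unset",  CKF_LOGIN_REQUIRED },
    };
    static const char *names[] = { "not needed", "prompt for PIN", "pinpad", "impossible" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-30s -> %s\n", tokens[i].name, names[decide_login(tokens[i].flags)]);
    return 0;
}
```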
Re: [opensc-devel] Unblocking PIN via PKCS#11?
On Wed, 2 Dec 2009 16:05:13 +0300 "Aktiv Co. Aleksey Samsonov" wrote:
> Pierre Ossman:
> > On Wed, 2 Dec 2009 12:48:56 +0300
> > "Aktiv Co. Aleksey Samsonov" wrote:
> >> Pierre Ossman:
> >>> Comment away!
> >> Please see:
> >> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012894.html
> >> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012891.html
> >
> > I see. Does anyone have any comments on the general principle though
> > before I start putting time into updating to trunk?
>
> What are you going to do with cache_pin and pkcs15_slot_data::pin ?

I didn't check what the new changes entailed, so I can't answer what changes I'll have to do. I assume there is still some PIN cache functionality in place?

--
Pierre Ossman           OpenSource-based Thin Client Technology
System Developer        Telephone: +46-13-21 46 00
Cendio AB               Web: http://www.cendio.com
Re: [opensc-devel] Unblocking PIN via PKCS#11?
Pierre Ossman:
> On Wed, 2 Dec 2009 12:48:56 +0300
> "Aktiv Co. Aleksey Samsonov" wrote:
>> Pierre Ossman:
>>> Comment away!
>> Please see:
>> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012894.html
>> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012891.html
>
> I see. Does anyone have any comments on the general principle though
> before I start putting time into updating to trunk?

What are you going to do with cache_pin and pkcs15_slot_data::pin ?
Re: [opensc-devel] Unblocking PIN via PKCS#11?
On Wed, 2 Dec 2009 12:48:56 +0300 "Aktiv Co. Aleksey Samsonov" wrote:
> Pierre Ossman:
> > I've had another look at this and implemented a somewhat ugly hack to
> > provide this functionality. Basically C_Login will return success for
> > CKU_SO if it can't find an auth object and then rely on the PIN cache
> > in C_InitPIN.
> >
> > Comment away!
>
> Please see:
> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012894.html
> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012891.html
>

I see. Does anyone have any comments on the general principle though before I start putting time into updating to trunk?

> > > --- src/pkcs11/framework-pkcs15.c (revision 18564)
>

The revisions are from our internal repo, so you should just ignore those in my diffs.

Rgds
--
Pierre Ossman           OpenSource-based Thin Client Technology
System Developer        Telephone: +46-13-21 46 00
Cendio AB               Web: http://www.cendio.com
Re: [opensc-devel] Unblocking PIN via PKCS#11?
Pierre Ossman:
> I've had another look at this and implemented a somewhat ugly hack to
> provide this functionality. Basically C_Login will return success for
> CKU_SO if it can't find an auth object and then rely on the PIN cache
> in C_InitPIN.
>
> Comment away!

Please see:
http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012894.html
http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012891.html

> --- src/pkcs11/framework-pkcs15.c(revision 18564)

For current trunk:

In file included from framework-pkcs15.c:23:
framework-pkcs15.c: In function 'pkcs15_login':
framework-pkcs15.c:973: warning: implicit declaration of function 'cache_pin'
framework-pkcs15.c: In function 'pkcs15_init_pin':
framework-pkcs15.c:1144: error: 'struct pkcs15_slot_data' has no member named 'pin'
framework-pkcs15.c:1145: error: 'struct pkcs15_slot_data' has no member named 'pin'
make[3]: *** [framework-pkcs15.lo] Error 1
Re: [opensc-devel] Unblocking PIN via PKCS#11?
On Wed, 2 Dec 2009 09:51:20 +0100 Pierre Ossman wrote:
> On Tue, 10 Nov 2009 18:48:21 +0100
> Pierre Ossman wrote:
>
> > I'm looking at implementing support for unblocking a locked PIN in my
> > application, but looking at OpenSC that doesn't seem to be possible. In
> > fact, there are a number of issues along the way.
> >
>
> I've had another look at this and implemented a somewhat ugly hack to
> provide this functionality. Basically C_Login will return success for
> CKU_SO if it can't find an auth object and then rely on the PIN cache
> in C_InitPIN.
>

I should also add that this basically reverts a part of r1219 which seems to have been a mistake.

Rgds
--
Pierre Ossman           OpenSource-based Thin Client Technology
System Developer        Telephone: +46-13-21 46 00
Cendio AB               Web: http://www.cendio.com
Re: [opensc-devel] Unblocking PIN via PKCS#11?
On Tue, 10 Nov 2009 18:48:21 +0100 Pierre Ossman wrote: > I'm looking at implementing support for unblocking a locked PIN in my > application, but looking at OpenSC that doesn't seem to be possible. In > fact, there are a number of issues along the way. > I've had another look at this and implemented a somewhat ugly hack to provide this functionality. Basically C_Login will return success for CKU_SO if it can't find an auth object and then rely on the PIN cache in C_InitPIN. Comment away! -- Pierre OssmanOpenSource-based Thin Client Technology System Developer Telephone: +46-13-21 46 00 Cendio ABWeb: http://www.cendio.com Index: src/pkcs11/framework-pkcs15.c === --- src/pkcs11/framework-pkcs15.c (revision 18564) +++ src/pkcs11/framework-pkcs15.c (working copy) @@ -907,13 +907,18 @@ /* A card with no SO PIN is treated as if no SO login * is required */ rc = sc_pkcs15_find_so_pin(card, &auth_object); - - /* If there's no SO PIN on the card, silently - * accept any PIN, and lock the card if required */ - if (rc == SC_ERROR_OBJECT_NOT_FOUND - && sc_pkcs11_conf.lock_login) + if (rc == SC_ERROR_OBJECT_NOT_FOUND) { + /* Need to lock the card though */ rc = lock_card(fw_data); - if (rc < 0) + if (rc < 0) { + return sc_to_cryptoki_error(rc, + p11card->reader); + } + /* And cache the PIN as init_pin might need it */ + cache_pin(fw_token, userType, NULL, pPin, ulPinLen); + return CKR_OK; + } + else if (rc < 0) return sc_to_cryptoki_error(rc, p11card->reader); break; default: @@ -1006,11 +1011,11 @@ return sc_to_cryptoki_error(rc, p11card->reader); } -#ifdef USE_PKCS15_INIT -static CK_RV pkcs15_init_pin(struct sc_pkcs11_card *p11card, +static CK_RV pkcs15_create_pin(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *slot, CK_CHAR_PTR pPin, CK_ULONG ulPinLen) { +#ifdef USE_PKCS15_INIT struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) p11card->fw_data; struct sc_pkcs15init_pinargs args; struct sc_profile *profile; 
@@ -1052,8 +1057,52 @@ cache_pin(slot->fw_data, CKU_USER, &pin_info->path, pPin, ulPinLen); return CKR_OK; +#else + return CKR_FUNCTION_NOT_SUPPORTED; +#endif } +static CK_RV pkcs15_init_pin(struct sc_pkcs11_card *p11card, + struct sc_pkcs11_slot *slot, + CK_CHAR_PTR pPin, CK_ULONG ulPinLen) +{ + struct pkcs15_fw_data *fw_data; + struct pkcs15_slot_data *slot_data; + struct sc_pkcs15_pin_info *pin; + int rc; + + fw_data = (struct pkcs15_fw_data *)p11card->fw_data; + slot_data = (struct pkcs15_slot_data *)slot->fw_data; + + pin = slot_data_pin_info(slot_data); + + /* If we don't have a PIN then we want to create it */ + if (!pin) { + sc_debug(context, "No PIN found. Attempting to create one...\n"); + return pkcs15_create_pin(p11card, slot, pPin, ulPinLen); + } + + /* Otherwise we want to reset the one we have */ + + if (ulPinLen < pin->min_length || + ulPinLen > pin->max_length) + return CKR_PIN_LEN_RANGE; + + /* This assumes that either: + * (a) We have a cached SO PIN + * (b) We have previously logged in as CKU_SO and the card + * will therefore accept the unblock request. */ + rc = sc_pkcs15_unblock_pin(fw_data->p15_card, pin, + slot_data->pin[CKU_SO].value, + slot_data->pin[CKU_SO].len, + pPin, ulPinLen); + if (rc < 0) + return sc_to_cryptoki_error(rc, p11card->reader); + + return CKR_OK; +} + +#ifdef USE_PKCS15_INIT static CK_RV pkcs15_create_private_key(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *slot, struct sc_profile *profile, @@ -1690,14 +1739,13 @@ pkcs15_logout, pkcs15_change_pin, NULL, /* init_token */ + pkcs15_init_pin, #ifdef USE_PKCS15_INIT - pkcs15_init_pin, pkcs15_create_object, pkcs15_gen_keypair, #else NULL, NULL, - NULL, #endif NULL, /* seed_random */ pkcs15_get_random signature.asc Description: PGP signature ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
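Review bot: In the CKU_SO branch of pkcs15_login (hunk @@ -907,13 +907,18 @@) the `sc_pkcs11_conf.lock_login` test is dropped, so a card with no SO PIN object is now locked on every SO login regardless of configuration, and whatever was passed as pPin is stored by `cache_pin(fw_token, userType, NULL, pPin, ulPinLen)` without any verification and later used as the SO PIN by C_InitPIN. Say so in the comment (the removed "silently accept any PIN" comment stated exactly this) and either keep the lock_login condition or explain why unconditional locking is required here. On current trunk `cache_pin` is also no longer declared in this file, as the implicit-declaration warning quoted in the thread shows, so this call needs the trunk equivalent before the hunk applies.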
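Review bot: Moving `#ifdef USE_PKCS15_INIT` inside the body of the renamed `pkcs15_create_pin` (hunk @@ -1006,11 +1011,11 @@, closed by the `#else return CKR_FUNCTION_NOT_SUPPORTED; #endif` in the next hunk) leaves `p11card`, `slot`, `pPin` and `ulPinLen` unused in the non-pkcs15init build, which will produce unused-parameter warnings; cast them to void in the `#else` branch or keep the whole function behind the ifdef with a separate stub. A short comment that the rename is deliberate (the init_pin entry point now decides between creating and unblocking) would help anyone reading the blame later.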
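Review bot: The new `pkcs15_init_pin` (hunk @@ -1052,8 +1057,52 @@) calls `sc_pkcs15_unblock_pin` with `slot_data->pin[CKU_SO].value` / `.len` without checking that an SO PIN was actually cached for this slot; if no C_Login(CKU_SO) preceded the call, the unblock request goes to the card with an empty or stale SO PIN. Turn the comment listing assumptions (a) and (b) into an explicit check and return CKR_USER_NOT_LOGGED_IN when neither holds. Separately, `struct pkcs15_slot_data` has no `pin` member on trunk, as the errors at lines 1144 and 1145 quoted in the thread show, so this needs rewriting against the current PIN cache before it can be merged.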
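Review bot: The ops table edit (hunk @@ -1690,14 +1739,13 @@) is consistent, one entry moved out of the `#ifdef` block and one `NULL` dropped from the `#else` branch so both branches keep the same count, but the now unconditional `pkcs15_init_pin,` entry should carry a `/* init_pin */` comment like the `/* init_token */` one above it, since without USE_PKCS15_INIT that entry can only unblock an existing PIN and returns CKR_FUNCTION_NOT_SUPPORTED when asked to create one.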