On May 13, 2010, at 20:34, Viktor TARASOV wrote:

> Using actual trunk I cannot sign with Feitian card neither with
> conventional reader nor with pin pad.
> The reason, afais, in both cases is the same -- after user PIN was
> validated, the signing key parent DF is selected by full path. Feitian
> UserPIN is local one, and so its 'validated' flag is lost. (Still to be
> looked for -- why PKCS#15 pin cache is not working here.)
>
> In fact, there is no real need to select key DF -- it's already selected
> by the previous operations,
> but the card->cache (that keeps current path) is invalidated and
> 'compute signature' procedure has no other way to ensure sign key's DF
> than re-selection.
>
> To keep valid card->cache (and current path) I'll do two small changes
> to trunk:
> - in entersafe profile for the user PIN add flag 'local' (in fact it's
> really 'local', but actual profile has no such flag);
> - set default value of 'lock_login' to 'true' (as is stated by the
> comments in opensc.conf, but not in reality).
That's not good. It was turned off a long time ago because the default option renders many cards useless for the rest of the system this way. Then it was turned on because of "security reasons" which are somewhat valid but was not the case (engine_pkcs11 refused to work). The comment in opensc.conf should be fixed instead.

For some cases having a lock on the card during C_SignInit -> C_Sign(Final), but this probably does not concern the cache invalidation between C_Login and C_Sign. While the card support and requirements vary, there can't be a universal solution for non-locking scenarios (not using pinpad readers, PIN caching, authentication cookies etc); the *default* can't be locking the reader either.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
