Ludovic Rousseau wrote:
> On 22/09/06, Nils Larsch <[EMAIL PROTECTED]> wrote:
> > the reason for this patch was that afaik in your patch the protected
> > DF file would never be parsed even after the pin has been verified.
> > Did you perhaps test whether DF enumeration works after you've verified
> > the pin ?
>
> Even if I C_Login() with the correct PIN the protected DF will not be
> read again. In fact the VERIFY APDU is sent to the card, 90 00 comes
> back and then no more exchanges with the card.

I guess this is a missing feature of our pkcs11 lib, the list
of objects isn't really updated once the user has logged in.

> I have also discovered that login in slot 0 works but fails in slot 1
> with CKR_USER_PIN_NOT_INITIALIZED even if "pkcs11-tool --list-slots"
> gives:
> Slot 0:
>   token flags: login required, PIN initialized, token initialized
> Slot 1:
>   token flags: PIN initialized, token initialized
>
> The returned error code comes from pkcs15_login() in
> pkcs11/framework-pkcs15.c
>
> Any idea why it fails?

from a quick look at framework-pkcs15.c I would say that the
CKF_USER_PIN_INITIALIZED flag is always set (see pkcs15_init_slot()).
The attached patch might fix this issue.

> Should it really fail even if the token has the "PIN initialized" flag set?

IMHO no

Cheers,
Nils

Index: src/pkcs11/framework-pkcs15.c
===================================================================
--- src/pkcs11/framework-pkcs15.c (Revision 3007)
+++ src/pkcs11/framework-pkcs15.c (Arbeitskopie)
@@ -642,8 +642,9 @@
char tmp[64];
pkcs15_init_token_info(card, &slot->token_info);
- slot->token_info.flags |= CKF_USER_PIN_INITIALIZED
- | CKF_TOKEN_INITIALIZED;
+ slot->token_info.flags |= CKF_USER_PIN_INITIALIZED;
+ if (auth != NULL)
+ slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
if (card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD) {
slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
sc_pkcs11_conf.cache_pins = 0;
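
Review bot: the new `if (auth != NULL)` guard in this hunk lands on CKF_TOKEN_INITIALIZED, while CKF_USER_PIN_INITIALIZED is still OR-ed in unconditionally, so a slot where `auth` is NULL would still report "PIN initialized", which is the flag the message above identifies as always set. If the goal is for the PIN flag to follow the presence of `auth`, the guard belongs on the other assignment, e.g. `if (auth != NULL) slot->token_info.flags |= CKF_USER_PIN_INITIALIZED;`, with CKF_TOKEN_INITIALIZED left unconditional as it was before. A short comment stating what `auth == NULL` means for the slot would also make the intent clear to the next reader.
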