Ludovic Rousseau wrote:
...
> I have also discovered that login in slot 0 works but fails in slot 1
> with CKR_USER_PIN_NOT_INITIALIZED even if "pkcs11-tool --list-slots"
> gives:
> Slot 0:
>  token flags:   login required, PIN initialized, token initialized
> Slot 1:
>  token flags:   PIN initialized, token initialized
>
> The returned error code comes from pkcs15_login() in
> pkcs11/framework-pkcs15.c
>
> Any idea why it fails?

from a quick look at framework-pkcs15.c I would say that the
CKF_USER_PIN_INITIALIZED flag is always set (see pkcs15_init_slot()).
The attached patch might fix this issue.

> That does not fix the issue. I now have:

of course, stupid typo ... please test the attached patch

> Slot 1           Gemplus GemPC Twin 00 00
>  token state:   uninitialized
>
> But the objects (seen with pkcs11-tool --list-objects) are still
> present in slot 1 only, and not in slot 0.
>
> The real question is: why does OpenSC consider 2 slots for my card
> instead of just 1?

the current policy afaik is to put everything protected by specific pin
in a separate slot (together with the pin) and all public objects in
a separate slot as well (unless hide_empty_tokens is set).

Cheers,
Nils
Index: src/pkcs11/framework-pkcs15.c
===================================================================
--- src/pkcs11/framework-pkcs15.c	(Revision 3007)
+++ src/pkcs11/framework-pkcs15.c	(Arbeitskopie)
@@ -642,8 +642,9 @@
 	char tmp[64];
 
 	pkcs15_init_token_info(card, &slot->token_info);
-	slot->token_info.flags |= CKF_USER_PIN_INITIALIZED
-				| CKF_TOKEN_INITIALIZED;
+	slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
+	if (auth != NULL)
+		slot->token_info.flags |= CKF_USER_PIN_INITIALIZED;
 	if (card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD) {
 		slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
 		sc_pkcs11_conf.cache_pins = 0;
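Review bot: the new `if (auth != NULL)` test carries no comment saying what a NULL `auth` means at this point. Going by the thread, it is the slot that holds public objects with no PIN attached, so a one-line comment above the test would make it clear that CKF_USER_PIN_INITIALIZED is deliberately left clear for such slots. The hunk only changes the advertised token flag, so it is also worth checking that pkcs15_login(), which the thread names as the source of CKR_USER_PIN_NOT_INITIALIZED, treats the same `auth == NULL` slots consistently with the flag now reported.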