I did not get any comments back on my note from 6/8 but have some
more information on the same subject.

Looking at framework-pkcs11.c, it looks like there is a bug in the
handling of auth_count if there is more than one pin, and one
of the pins is a SC_PKCS15_PIN_FLAG_SO_PIN.

The for loop at line 767 will add a slot for each non SO_PIN
or UNBLOCKING_PIN.  But at line 812, the auth_count is still
set to the number of pins, even though the SO_PIN did not cause a
new slot to be allocated and thus the test of hide_empty_tokens
will not be used.

With the attached patch, I can get the expected behavior
when hide_empty_tokens = yes in the opensc.conf from
pkcs11-tool -L, pkcs11-tool -O and pkcs11-tool -O -l.

There is only 1 slot allocated, the pkcs11-tool -O
shows all the public objects, and pkcs11-tool -O -l (after PIN)
shows all the objects, and Heimdal PKINIT still runs.

I still think that if two or more slots need to be allocated
for multiple auth pins, then all the public objects should be
added to each. I have an additional mod for this too.

Since the cards I am working with only have 1 pin, the
attached mods work for me. Note it looks like pkcs15-openpgp.c
might also be affected by this change, as it defines two pins,
an auth pin and a SO_PIN, much like the PIV card does.



Douglas E. Engert wrote:
I am trying to understand the logic in the framework-pkcs15.c
which uses two (or more) slots for objects that require a PIN,
and an additional slot for all remaining objects that don't.

That makes some sense, especially with multiple PINs, but why then
is the certificate (which does not require a PIN) placed in the
first slot with the objects that do?  (I suspect to get it to work...)

On my card, one of the certs and its prvkey do not require a PIN,
as they can be used to authenticate the card, and as expected they
are placed in the last slot.

The 3 private data objects on the card are placed in the first slot,
and the 3 public data objects are placed in the last slot.

WHAT I WOULD LIKE TO DO IS ADD ALL PUBLIC OBJECTS TO ALL THE SLOTS.

Does anyone see a problem with this?

The SC_PKCS15_CO_FLAG_PRIVATE appears to be used to set the PKCS#11
CKA_PRIVATE attribute so an application calling PKCS#11 can tell if an
object needs to use a PIN or not before trying to use the object.

Looks like someone has thought about this, with the onepin-opensc-pkcs11.so
which uses hack-enable.c (hack_enable=1) and only uses one slot, but adds
all the certs, pubkeys, and prvkeys, but not the data objects, to the slot!

(The use of the word "hack" implies this may have been a temporary solution.)

If I added the code to add all public objects to all the slots, for cards
with only one PIN, I believe the calling application would see no difference
between the opensc-pkcs11.so and the onepin-opensc-pkcs11.so. Thus the code to
support the onepin-opensc-pkcs11.so could be dropped.



I have a card (PIV) with 4 certs, 4 prvkeys, 3 public data
objects, and 3 private data objects requiring the PIN.

(I am cleaning up the code that calls in pkcs15-piv.c to sc_PKCS15emu...
to create the objects, and ran into the problems of how to handle the
objects and get pkcs15-tool and pkcs11-tool to list and read them.)


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
Index: framework-pkcs15.c
===================================================================
--- framework-pkcs15.c	(revision 3173)
+++ framework-pkcs15.c	(working copy)
@@ -719,6 +719,7 @@
 	struct sc_pkcs11_slot *slot = NULL;
 	int i, rv, reader = p11card->reader;
 	int auth_count;
+	int found_auth_count = 0;
 	unsigned int j;
 
 	rv = sc_pkcs15_get_objects(fw_data->p15_card,
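Review bot: the new counter's name is easy to confuse with the existing auth_count declared two lines above it, since both read as "number of auth objects found"; the distinction this hunk introduces is between PIN objects returned by sc_pkcs15_get_objects() and PINs that actually get a slot, so a name such as slot_auth_count, or a one-line comment at the declaration saying it counts slots created rather than PINs found, would make the later reassignment self-explanatory.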
@@ -777,6 +778,8 @@
 		if (hack_enabled && (pin_info->flags & SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN) != 0)
 			continue;
 
+		found_auth_count++;
+
 		rv = pkcs15_create_slot(p11card, auths[i], &slot);
 		if (rv != CKR_OK)
 			return CKR_OK; /* no more slots available for this card */
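Review bot: found_auth_count++ is placed before the pkcs15_create_slot() call, so it counts PINs for which a slot was attempted rather than PINs for which one was created; with the current early return on rv != CKR_OK the difference is not observable, because the function leaves before the counter is consumed, but if that return is ever replaced by a break or a continue the counter would be off by one. Moving the increment to just after the rv check ties it to the slot that actually exists.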
@@ -805,6 +808,8 @@
 		}
 	}
 
+	auth_count = found_auth_count;
+
 	/* Add all public objects to a virtual slot without pin protection.
 	 * If there's only 1 pin and the hide_empty_tokens option is set,
 	 * add the public objects to the slot that corresponds to that pin.
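Review bot: overwriting auth_count here changes its meaning from "number of PIN objects" to "number of PIN slots", but the comment that follows still says "If there's only 1 pin", which is no longer literally what is tested for a card with one user PIN and one SO PIN; either update the comment to say "only 1 pin with a slot" or use found_auth_count directly in the condition and leave auth_count intact, which also avoids surprising any later code in this function that still expects the original count.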
@@ -2371,7 +2376,7 @@
 	case CKA_PRIVATE:
 		check_attribute_buffer(attr, sizeof(CK_BBOOL));
 		*(CK_BBOOL*)attr->pValue =
-			(dobj->base.p15_object->flags & 0x01) != 0;
+			(dobj->base.p15_object->flags & SC_PKCS15_CO_FLAG_PRIVATE) != 0;
 		break;
 	case CKA_MODIFIABLE:
 		check_attribute_buffer(attr, sizeof(CK_BBOOL));
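Review bot: replacing the literal 0x01 with SC_PKCS15_CO_FLAG_PRIVATE is the right fix, but the commit should state that the constant's value is 0x01 so reviewers can confirm CKA_PRIVATE is unchanged for existing objects; it is also worth checking whether the neighbouring CKA_MODIFIABLE case, whose body starts with the same check_attribute_buffer() call, uses a bare literal for its flag test as well and should get the same treatment in this patch.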
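To make the auth_count problem described at the top of the message concrete, here is a small C model of the slot-allocation decision, added as an illustration and not code from OpenSC or from the author. It assumes the loop shape visible in the hunks (SO PINs never get a slot, unblocking PINs get none when hack_enabled is set, every other PIN gets one) and the rule in the quoted comment that public objects share the single PIN slot only when exactly one PIN was counted and hide_empty_tokens is set. The flag bit values, struct layout and card definitions are constructed for the example; only the bit tests matter.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed flag bits for this example; the real values live in OpenSC's
 * pkcs15.h. Only the bit tests matter here, not the numeric values. */
#define PIN_FLAG_UNBLOCKING_PIN 0x0040u
#define PIN_FLAG_SO_PIN         0x0080u

struct pin_info {
    const char *label;
    unsigned int flags;
};

/* Slot-count model of the PIN loop in framework-pkcs15.c as described in the
 * message. When "fixed" is 0, auth_count stays the raw number of PIN objects
 * (the behaviour the message reports); when 1, it is the number of PINs that
 * actually produced a slot (the patch's found_auth_count). Returns the total
 * slot count and reports whether the public objects got a separate slot. */
static int slots_for_card(const struct pin_info *pins, size_t npins,
                          int hide_empty_tokens, int hack_enabled, int fixed,
                          int *public_slot_is_separate)
{
    int slots = 0;
    int found_auth_count = 0;
    int auth_count = (int)npins;
    size_t i;

    for (i = 0; i < npins; i++) {
        if (pins[i].flags & PIN_FLAG_SO_PIN)
            continue;
        if (hack_enabled && (pins[i].flags & PIN_FLAG_UNBLOCKING_PIN))
            continue;
        found_auth_count++;
        slots++;            /* one pkcs15_create_slot() per usable PIN */
    }

    if (fixed)
        auth_count = found_auth_count;

    /* Public objects share the single PIN slot only if exactly one PIN was
     * counted and hide_empty_tokens is set; otherwise they get their own
     * virtual slot without PIN protection. */
    if (auth_count == 1 && hide_empty_tokens) {
        *public_slot_is_separate = 0;
    } else {
        *public_slot_is_separate = 1;
        slots++;
    }
    return slots;
}

/* Constructed PIV-style card: one user PIN plus one SO PIN, queried with
 * hide_empty_tokens = yes and hack_enabled = 0. */
static const struct pin_info piv_pins[] = {
    { "User PIN",  0 },
    { "Admin PIN", PIN_FLAG_SO_PIN },
};

static int piv_slot_count(int fixed)
{
    int sep;
    return slots_for_card(piv_pins, 2, 1, 0, fixed, &sep);
}

static int piv_public_slot_separate(int fixed)
{
    int sep;
    slots_for_card(piv_pins, 2, 1, 0, fixed, &sep);
    return sep;
}

/* Constructed card with two ordinary user PINs: the fix must not change it,
 * since both PINs really do get slots and the public objects need a third. */
static const struct pin_info two_user_pins[] = {
    { "PIN 1", 0 },
    { "PIN 2", 0 },
};

static int two_user_pin_slot_count(int fixed)
{
    int sep;
    return slots_for_card(two_user_pins, 2, 1, 0, fixed, &sep);
}

int main(void)
{
    printf("PIV card, hide_empty_tokens=yes: old=%d slots, fixed=%d slot(s)\n",
           piv_slot_count(0), piv_slot_count(1));
    printf("two user PINs, hide_empty_tokens=yes: old=%d slots, fixed=%d slots\n",
           two_user_pin_slot_count(0), two_user_pin_slot_count(1));
    return 0;
}
```

With the old counting the PIV-style card ends up with two slots (one for the user PIN plus an empty public slot) even though hide_empty_tokens is set, which is the extra token the message complains about; with the corrected count it collapses to the single slot reported in the message, while the two-user-PIN card keeps its three slots either way.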
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel