oops, lock_login is off by default? and my standard test procedure doesn't even work in that situation at all (init, create pin, create key, create self-signed cert, store cert, run test procedures ... all with egate+cryptoflex 32k).
not sure how many times we discussed it already, and not even sure what position I had last time. but right now I think: if lock_login=true results in both a more secure setup and normal test procedures will work as well, then it is the right thing to do.

note: the errors I get are these with pkcs11-tool --test --login:

[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied

and I get the same with openssl and engine_pkcs11. everything still works, despite these errors. still it confuses the user to generate such output, thus I think lock_login=true is better (and more secure).

yes, people will hate me, because everyone using firefox and thunderbird at the same time, with smart cards enabled in both needs to fix his opensc.conf to make it work. we can handle that in a FAQ entry.

also I noticed, the code in pkcs11/misc.c has the defaults twice - once if there is a "pkcs11" block in the config file, and once for the case if that is not the situation. a bit confusing, I tried to clean this up.

I fixed the security issue (at least for cryptoflex), will commit the changes later.

Regards, Andreas
