Martin Paljak wrote:
> On May 13, 2010, at 20:34 , Viktor TARASOV wrote:
>
>> Using actual trunk I cannot sign with Feitian card neither with
>> conventional reader nor with pin pad.
>> The reason, afais, in both cases is the same -- after user PIN was
>> validated, the signing key parent DF is selected by full path. Feitian
>> UserPIN is local one, and so its 'validated' flag is lost. (Still to be
>> looked for -- why PKCS#15 pin cache is not working here.)
>>
>> In fact, there is no real need to select key DF -- it's already selected
>> by the previous operations,
>> but the card->cache (that keeps current path) is invalidated and
>> 'compute signature' procedure has no other way to ensure sign key's DF
>> than re-selection.
>>
>> To keep valid card->cache (and current path) I'll do two small changes
>> to trunk:
>> - in entersafe profile for the user PIN add flag 'local' (in fact it's
>> really 'local', but the actual profile has no such flag);
>> - set default value of 'lock_login' to 'true' (as is stated by the
>> comments in opensc.conf, but not in reality).
>>
>
> That's not good. It was turned off a long time ago because the default option
> renders many cards useless for the rest of the system this way.
> Then it was turned on because of "security reasons" which are somewhat valid
> but was not the case (engine_pkcs11 refused to work). The comment in
> opensc.conf should be fixed instead.
>
I have no preferences and no objections to change.

> For some cases having a lock on the card during C_SignInit -> C_Sign(Final),
> but this probably does not concern the cache invalidation between C_Login and
> C_Sign.

Do we really need to invalidate the cache inside sc_(un)lock?
IMHO, it should be invalidated only when a serious 'file select' error happens.

> While the card support and requirements vary, there can't be a universal
> solution for non-locking scenarios (not using pinpad readers, PIN caching,
> authentication cookies etc) the *default* can't be locking the reader either.

-- 
Viktor Tarasov <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
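The sequence Viktor describes (PIN verified, path cache dropped at unlock, key DF re-selected by full path, local PIN status gone) as an added toy model. This is not OpenSC code and does not use its API: the card, the driver-side path cache, the file identifiers (3F00/5015/4B01), the PIN value and the `invalidate_on_unlock` switch are all constructed for illustration. The card rule modelled is the one the thread attributes to the Feitian card: a SELECT by full path starts from the MF, so a local PIN's security status is lost, while a global PIN's would survive.

```python
# Added example, not OpenSC code: a toy model of "PIN verified, cache
# invalidated, DF re-selected by full path, local PIN status lost".
from dataclasses import dataclass
from typing import Optional, Tuple

Path = Tuple[str, ...]
MF: Path = ("3F00",)
APP_DF: Path = ("3F00", "5015")          # constructed: PKCS#15 application DF
KEY_EF: Path = ("3F00", "5015", "4B01")  # constructed: private key under APP_DF


class CardError(Exception):
    pass


@dataclass
class Pin:
    """A PIN that lives in `df`. For a *local* PIN the security status
    belongs to that DF and is reset whenever the DF is left."""
    df: Path
    value: str
    local: bool = True
    validated: bool = False


@dataclass
class ToyCard:
    """Minimal card: one current DF and one PIN."""
    pin: Pin
    current_path: Path = MF

    def select_full_path(self, path: Path) -> None:
        # A full-path SELECT is modelled as "go to MF, then descend".
        # Leaving the PIN's DF clears a local PIN's security status.
        self.current_path = MF
        if self.pin.local and self.pin.df != MF:
            self.pin.validated = False
        self.current_path = path

    def verify_pin(self, value: str) -> None:
        if self.pin.local and self.current_path != self.pin.df:
            raise CardError("local PIN usable only inside its DF")
        if value != self.pin.value:
            raise CardError("wrong PIN")
        self.pin.validated = True

    def compute_signature(self, data: bytes) -> bytes:
        if self.current_path != KEY_EF[:-1]:
            raise CardError("key DF not selected")
        if not self.pin.validated:
            raise CardError("security status not satisfied")
        return b"sig(" + data + b")"  # placeholder, no real crypto here


@dataclass
class Driver:
    """Host side: what the thread calls card->cache (the current path)."""
    card: ToyCard
    cached_path: Optional[Path] = None
    invalidate_on_unlock: bool = True  # the sc_unlock() behaviour under discussion

    def _select(self, path: Path) -> None:
        if self.cached_path == path:
            return  # already selected: no SELECT sent, PIN status untouched
        self.card.select_full_path(path)
        self.cached_path = path

    def unlock(self) -> None:
        if self.invalidate_on_unlock:
            self.cached_path = None  # forces a full-path re-select next time

    def login(self, pin: str) -> None:
        self._select(APP_DF)
        self.card.verify_pin(pin)
        self.unlock()

    def sign(self, data: bytes) -> bytes:
        self._select(KEY_EF[:-1])
        sig = self.card.compute_signature(data)
        self.unlock()
        return sig


def login_then_sign(invalidate_on_unlock: bool, local_pin: bool = True) -> str:
    """Run C_Login followed by C_Sign against the model; return 'ok' or the card error."""
    card = ToyCard(Pin(df=APP_DF, value="1234", local=local_pin))
    drv = Driver(card, invalidate_on_unlock=invalidate_on_unlock)
    drv.login("1234")
    try:
        drv.sign(b"hello")
        return "ok"
    except CardError as e:
        return str(e)


if __name__ == "__main__":
    print("local PIN, cache invalidated: ", login_then_sign(True))
    print("local PIN, cache kept:        ", login_then_sign(False))
    print("global PIN, cache invalidated:", login_then_sign(True, local_pin=False))
```

With the cache invalidated at unlock, the driver has no record that the key DF is still selected and re-selects it by full path; the card treats that as leaving and re-entering the DF and the local PIN must be verified again. Keeping the cached path across unlock (or, per Viktor's suggestion, dropping it only on a real SELECT failure) avoids the extra SELECT entirely, and a global PIN is unaffected either way, which is why the profile's missing 'local' flag matters for this card.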