On Friday, May 06 at 03:03PM, Jean-Michel Pouré - GOOZE wrote:
> On Friday, 06 May 2011 at 14:41 +0300, Martin Paljak wrote:
> > Have a look at the wiki:
> > http://www.opensc-project.org/opensc/wiki/SecurityConsiderations
>
> Sure.
>
> I am worried about:
> * Application A opens communication with token and locks it.
> * Application B tries to open communication with token.
> * Application B has no knowledge token is locked by application A. No
> error message is given. The user waits for minutes, thinking "My
> token does not work".
>
> Is there any mechanism informing an application requesting
> opensc-pkcs11.so that a smartcard is locked in exclusive mode (=being
> accessed)?
>
> To give an example, I could verify:
> * Firefox runs, logs in the token in exclusive mode.
> * SSH client runs with pkcs11 authentication. SSH client will wait for
> minutes until it times out. No specific error message is displayed.
>
> Is there a way to inform opensc-pkcs11.so that a communication is
> already established by Firefox and that SSH should start without using
> pkcs11?

AFAIK, SCardConnect immediately returns an error if an application wants to access a reader which is already in exclusive use. Have you tried switching on exclusive mode in the configuration file of OpenSC? (Note that this does not completely remove security issues.)

Cheers,
Frank.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
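An added example, not from the thread or from OpenSC: a fail-fast probe built on the behaviour Frank describes, reporting "busy" when SCardConnect returns SCARD_E_SHARING_VIOLATION so that a caller can skip PKCS#11 instead of waiting for a timeout. It assumes pcsc-lite loaded through ctypes; `load_pcsc`, `probe_reader` and the reader name are hypothetical.

```python
import ctypes
import ctypes.util

# Constants from the PC/SC API (winscard.h / pcsclite.h).
SCARD_S_SUCCESS = 0x00000000
SCARD_E_SHARING_VIOLATION = 0x8010000B  # reader is held by another application
SCARD_SCOPE_SYSTEM = 2
SCARD_SHARE_SHARED = 2
SCARD_PROTOCOL_ANY = 0x1 | 0x2          # T=0 or T=1
SCARD_LEAVE_CARD = 0


def load_pcsc():
    """Load pcsc-lite if installed (assumption: Linux library name)."""
    path = ctypes.util.find_library("pcsclite")
    return ctypes.CDLL(path) if path else None


def probe_reader(reader_name, lib=None):
    """Return 'available', 'busy', 'no-pcsc' or 'error 0x........'."""
    lib = lib or load_pcsc()
    if lib is None:
        return "no-pcsc"
    ctx = ctypes.c_long()
    # Mask to 32 bits: ctypes may hand back the status as a signed int.
    rv = lib.SCardEstablishContext(ctypes.c_ulong(SCARD_SCOPE_SYSTEM),
                                   None, None, ctypes.byref(ctx)) & 0xFFFFFFFF
    if rv != SCARD_S_SUCCESS:
        return "error 0x%08X" % rv
    try:
        card, proto = ctypes.c_long(), ctypes.c_ulong()
        rv = lib.SCardConnect(ctx, reader_name.encode(),
                              ctypes.c_ulong(SCARD_SHARE_SHARED),
                              ctypes.c_ulong(SCARD_PROTOCOL_ANY),
                              ctypes.byref(card),
                              ctypes.byref(proto)) & 0xFFFFFFFF
        if rv == SCARD_E_SHARING_VIOLATION:
            return "busy"          # tell the user instead of hanging
        if rv != SCARD_S_SUCCESS:
            return "error 0x%08X" % rv
        lib.SCardDisconnect(card, ctypes.c_ulong(SCARD_LEAVE_CARD))
        return "available"
    finally:
        lib.SCardReleaseContext(ctx)  # always release the context


if __name__ == "__main__":
    # Constructed reader name; list real ones with SCardListReaders.
    print(probe_reader("Constructed Reader 00 00"))
```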