Hello,

On Fri, Jul 1, 2011 at 00:41, Juan Antonio Martinez <jons...@terra.es> wrote:

> Playing with OpenDNIe on MacOSX 10.6 I found a nasty ¿bug? ¿feature?:
> Once the PIN is entered, the keychain layer remembers it forever :-(
>
> By means of a friend's report I found this link:
>
> http://lists.apple.com/archives/apple-cdsa/2008/May/msg00003.html
>
> Cut&paste:
>
> "The smart card support code in securityd provides each Tokend with a
> cache directory where it may deposit cached information for a particular
> token (so that if the card is re-inserted and recognized as the same,
> the cache directory is made available to the Tokend for its use). Any
> actual caching is the work of the Tokend in question. The keychain layer
> itself does not cache anything from a smart card."
>
> So it seems that OpenSC stores PIN info in its tokend cache.
> Is this a known feature?
> Is it desirable?
> ¿How can we control tokend cache behaviour?
You are mixing two things:

Tokend cache, which is more like "use_file_caching" in opensc.conf, deals with caching certificates in /private/var/cache/db/tokend (or something similar, writing this from Linux) which does not relate to PIN caching. It *does* create problems with some cards, if a certificate is replaced for example, as the certificates used to be cached based on file IDs, rather than certificate serial or something similar. The same problem exists in the OpenSC file cache, if caching is enabled and a certificate is replaced in the same file.

The real problem is PIN caching, which is controlled by "use_pin_caching" in opensc.conf and which caches a PIN if enabled and allowed by policy (user consent PINs are not cached). The way Tokends work is starting an OpenSC.tokend process once the card is entered. You can control how many times the PIN is used from the cache by setting the pin_cache_counter to "1" for example - this should trigger PIN entry sooner than "forever". Caching is common to libopensc and should thus behave similarly in all interfaces, if the interface (CDSA in this case) or calling application (like Firefox) don't intervene.

Try disabling the PIN cache in opensc.conf and/or reducing the retry counter. If the problem persists, debugging might be necessary.

Best,
Martin
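As an added illustration that is not part of the thread, here is an opensc.conf fragment applying the two knobs Martin names; the `app default` / `framework pkcs15` block placement is assumed from the standard opensc.conf.example layout, and the commented-out lines show the permissive settings being replaced:

```conf
# Added example, not from the mailing list: opensc.conf fragment that
# stops libopensc (and thus OpenSC.tokend on top of it) from replaying
# a cached PIN. Block names assumed from the usual opensc.conf layout.
app default {
    framework pkcs15 {
        # Certificate/file cache (the "tokend cache" discussed above).
        # Unrelated to PINs; disabling it avoids stale certificates
        # being served after a certificate is replaced in the same file.
        # use_file_caching = true;        # permissive setting
        use_file_caching = false;

        # PIN cache: with caching on, an entered PIN is reused silently.
        # use_pin_caching = true;         # permissive setting
        use_pin_caching = false;

        # If caching must stay on, limit how many operations one cached
        # PIN may serve before the user is prompted again.
        pin_cache_counter = 1;
    }
}
```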