
pkcs11: If user consent is ignored through configuration, do not present ALWAYS_AUTHENTICATE attribute #2040

Merged (2 commits into OpenSC:master, Jul 3, 2020)

Conversation

@Jakuje (Member) commented May 27, 2020


Fixes #2039

This extends the function of pin_cache_ignore_user_consent to prevent presenting CKA_ALWAYS_AUTHENTICATE to applications that understand this attribute and issue a useless second PIN prompt (even though the PIN is already cached in OpenSC or not needed at all).

I believe current documentation is fine (man opensc.conf), but if you believe it needs to be updated, please suggest.

Checklist
  • Documentation is added or updated
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

@Jakuje (Member, Author) commented May 28, 2020

I tested this with yk, but I would like to see this tested also with PIV test cards, which should enforce reauthentication and therefore the cached pin should get used. But I do not have these at hand now.

@Jakuje (Member, Author) commented Jun 2, 2020

After reading through #2039 (comment) I believe this should happen only in combination with use_pin_caching = yes. I always forget about this option. What do you think?

@frankmorgner (Member) left a comment


> After reading through #2039 (comment) I believe this should happen only in combination with use_pin_caching = yes. I always forget about this option. What do you think?

I think we should clarify the description in the manual pages and in opensc.conf.example. Currently the text only mentions older applications that don't support CKA_ALWAYS_AUTHENTICATE. We should also mention that switching on PIN caching is recommended when enabling pin_cache_ignore_user_consent.
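The combination the thread settles on (the PR description's behaviour plus the PIN-caching recommendation above), as an added opensc.conf fragment; this is illustrative and not taken from the PR or from opensc.conf.example, though the `app default { framework pkcs15 { ... } }` layout is the one that file uses, and the option names are the ones discussed here:

```conf
# Added example: opensc.conf fragment for the options discussed in this PR.
app default {
    framework pkcs15 {
        # Keep the PIN cached in OpenSC after a successful login. Cards that
        # enforce re-authentication before every private-key operation (the
        # PIV test cards mentioned above) are then served from this cache
        # instead of prompting again.
        use_pin_caching = yes;

        # With this PR, this option also stops the PKCS#11 module from
        # reporting CKA_ALWAYS_AUTHENTICATE=TRUE, so applications that honour
        # the attribute no longer issue a second PIN prompt. Only sensible
        # together with use_pin_caching above, as discussed in the thread.
        # Note for review: the per-operation prompt is the user's consent
        # step for each signature; this setting removes that signal, so it
        # belongs in deployments where the cached PIN is an accepted trade-off.
        pin_cache_ignore_user_consent = yes;
    }
}
```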

@Jakuje (Member, Author) commented Jun 9, 2020

Thanks for the suggestion. I added this note both to manual pages and example configuration file.

If user consent is ignored through configuration, do not present
ALWAYS_AUTHENTICATE=TRUE attribute in PKCS#11

Fixes OpenSC#2039
@frankmorgner frankmorgner merged commit 0defebf into OpenSC:master Jul 3, 2020
@frankmorgner (Member) commented:

thank you

Successfully merging this pull request may close these issues.

PIN has to be entered twice with pkcs11 keys