Enable using objects with no user PIN #695
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using password-less SSH keys is a nice feature, which can be achieved in PKCS#11 by not setting
CKF_LOGIN_REQUIRED
in token information.The information whether a PIN is empty or not is stored in a new attribute of the token configuration, named
empty-user-pin
. This attribute is set whentpm2_ptool addtoken
is used with--userpin=""
and it is updated when users change their PIN usingtpm2_ptool changepin
ortpm2_ptool initpin
.In
src/pkcs11.c
, updateauth_min_ro_user
in order to accept using functions such asC_SignInit
without the user being logged in, when the user PIN is empty.Regarding operations related to the TPM, using no user PIN is implemented as using an empty PIN. So table
sealobjects
is still used to unseal the wrapping key. The main difference between "no PIN" and "a usual PIN" is that an empty string is combined withuserauthsalt
instead of a user PIN.With this change, using OpenSSH client does not prompt for a PIN code,
when using a key stored in a token with an empty PIN.
Fixes: #629