Avoid prompting for pin on pinpad without the implicit call to C_Login() #2933

@Jakuje

Problem Description

Initially brought up by @larssilven in #2916 (comment): the way sc_pkcs15init_verify_secret() is implemented can result in prompts for the PIN in totally unexpected places for a user, without any prompt by the application, in case the pinpad is enabled:

r = sc_pkcs15_verify_pin(p15card, pin_obj, use_pinpad || pinsize == 0 ? NULL : pinbuf, use_pinpad ? 0 : pinsize);

Proposed Resolution

Given how long this code has been in, I would propose to address this after 0.24.0 is out.

Steps to reproduce

  • Have a reader with a pinpad; make sure enable_pinpad = true is in opensc.conf
  • Have a card which supports key pair generation through PKCS#11
  • Modify the test program to not call C_Login() before C_GenerateKeyPair()
  • Run the test program

Current results: OpenSC will prompt for the PIN off-band on the pinpad reader.

Expected results: OpenSC should fail with CKR_USER_NOT_LOGGED_IN.

I am wondering why the following code does not kick in though:

if (!(session->flags & CKF_RW_SESSION)) {

Logs

See the above referenced comment for more logs.
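
The gate that the expected result calls for, as an added example that is not part of the original issue and is not OpenSC code: a small C model in which key generation either falls through to implicit PIN verification (the reported behaviour) or fails with CKR_USER_NOT_LOGGED_IN before the reader is touched. `model_session`, `verify_needs_reader_entry`, `implicit_verify` and `model_generate_key_pair` are hypothetical names, and the model assumes no cached PIN and a user who enters a correct PIN on the reader.

```c
#include <stddef.h>
#include <stdio.h>
/* Return values as defined by PKCS#11. */
#define CKR_OK                 0x00000000UL
#define CKR_USER_NOT_LOGGED_IN 0x00000101UL

/* Hypothetical session model; not OpenSC's data structures. */
struct model_session {
    int logged_in;       /* set only by an explicit login */
    int use_pinpad;      /* enable_pinpad = true in opensc.conf */
    int pinpad_prompts;  /* off-band prompts shown on the reader */
};

/* Same argument selection as the line quoted in the issue: with the pinpad
 * enabled the PIN is NULL with length 0, so entry happens on the reader. */
static int verify_needs_reader_entry(int use_pinpad, const unsigned char *pinbuf, size_t pinsize)
{
    const unsigned char *pin = (use_pinpad || pinsize == 0) ? NULL : pinbuf;
    size_t len = use_pinpad ? 0 : pinsize;
    return use_pinpad && pin == NULL && len == 0;
}

/* Modelled implicit verification. Assumptions: no PIN is cached, and the
 * user enters a correct PIN when the reader prompts. */
static unsigned long implicit_verify(struct model_session *s)
{
    if (!verify_needs_reader_entry(s->use_pinpad, NULL, 0))
        return CKR_USER_NOT_LOGGED_IN;  /* model: nothing to verify with */
    s->pinpad_prompts++;
    return CKR_OK;
}

/* gate_on_login = 0 models the reported behaviour, 1 the expected one. */
unsigned long model_generate_key_pair(struct model_session *s, int gate_on_login)
{
    if (s->logged_in)
        return CKR_OK;
    if (gate_on_login)
        return CKR_USER_NOT_LOGGED_IN;  /* fail before touching the reader */
    return implicit_verify(s);
}

int main(void)
{
    struct model_session s = { 0, 1, 0 };
    unsigned long rv = model_generate_key_pair(&s, 1);
    printf("rv=0x%lx prompts=%d\n", rv, s.pinpad_prompts);
    return 0;
}
```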
