[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 22 19:33:53 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2638

--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
Unfortunately ... but you can try that with your yubikey and with
OpenSC if you load the private key in the "SIGN KEY" slot 9c [0].

Note that after [1] was merged in OpenSC last year, the trick with
only a single login does not work anymore, so in the proposed patch we
should drop the did_login variable; otherwise it will not work (at
least with the OpenSC pkcs11 module). Therefore, in the single-shot
connection, the PIN is asked for twice, which is unfortunate, but probably
closest to the PIV specification.

One note for the code style:

+       struct pkcs11_slotinfo  *si;
+       CK_FUNCTION_LIST        *f;
+       CK_BBOOL                flag = 0;
+       CK_ATTRIBUTE            attr;
+       CK_RV                    rv;
                                ^-- misaligned indentation (missing
space in flag, attr)
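
Review bot: `CK_BBOOL flag = 0;` could be initialised with `CK_FALSE`, the constant PKCS#11 defines for that type, so the declaration reads as a boolean rather than a bare integer; the name alignment of `flag` and `attr` should then be brought in line with `*si`, `*f` and `rv` in the same block.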

[0] https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
[1] https://github.com/OpenSC/OpenSC/pull/1256

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
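
To make the did_login point above concrete, here is an added example (not the OpenSSH patch and not OpenSC code) that simulates a token enforcing CKA_ALWAYS_AUTHENTICATE the way OpenSC does after [1]: each context-specific login is consumed by the next signature, so a cached did_login flag yields only the first signature, while re-authenticating before every signature succeeds. The PKCS#11 constants are the spec values; the token state and the PIN "123456" are constructed for the simulation.

```c
/* Added example, not from the OpenSSH patch or from OpenSC: a constructed token
 * that enforces CKA_ALWAYS_AUTHENTICATE like OpenSC after PR 1256 (a context-
 * specific login is consumed by the next signature). PKCS#11 values per spec. */
#include <string.h>
typedef unsigned long CK_RV;
#define CKR_OK                 0UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL
#define CKU_CONTEXT_SPECIFIC   2UL

/* always_auth mirrors the key's CKA_ALWAYS_AUTHENTICATE; ctx_login_pending is
 * set by a context-specific login (after C_SignInit on a real token). */
struct sim_token { int always_auth; int ctx_login_pending; };

static CK_RV sim_login(struct sim_token *t, unsigned long user, const char *pin) {
	if (user != CKU_CONTEXT_SPECIFIC || strcmp(pin, "123456") != 0) /* constructed PIN */
		return CKR_USER_NOT_LOGGED_IN;
	t->ctx_login_pending = 1;
	return CKR_OK;
}

static CK_RV sim_sign(struct sim_token *t) {
	if (t->always_auth && !t->ctx_login_pending)
		return CKR_USER_NOT_LOGGED_IN;
	t->ctx_login_pending = 0; /* one login buys exactly one signature */
	return CKR_OK;
}

/* The pattern the comment says must go: log in once, cache did_login and never
 * prompt again. Returns how many of n signatures succeeded. */
int sign_n_cached_login(struct sim_token *t, int n, const char *pin) {
	int did_login = 0, ok = 0;
	for (int i = 0; i < n; i++) {
		if (t->always_auth && !did_login) {
			if (sim_login(t, CKU_CONTEXT_SPECIFIC, pin) != CKR_OK) return ok;
			did_login = 1;
		}
		if (sim_sign(t) == CKR_OK) ok++;
	}
	return ok;
}

/* Correct pattern: when CKA_ALWAYS_AUTHENTICATE is set, re-authenticate before
 * every signature, which is why the PIN is asked for per operation. */
int sign_n_reauth(struct sim_token *t, int n, const char *pin) {
	int ok = 0;
	for (int i = 0; i < n; i++) {
		if (t->always_auth && sim_login(t, CKU_CONTEXT_SPECIFIC, pin) != CKR_OK) return ok;
		if (sim_sign(t) == CKR_OK) ok++;
	}
	return ok;
}
```

With always_auth set, sign_n_cached_login returns 1 for three requested signatures, sign_n_reauth returns 3; without the attribute both return 3.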

