[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 22 19:33:53 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2638
--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
Unfortunately ... but you can try that with your YubiKey and with
OpenSC if you load the private key in the "SIGN KEY" slot 9c [0].
Note that after [1] was merged in OpenSC last year, the trick with
only a single login does not work anymore, so in the proposed patch we
should drop the did_login variable; otherwise it will not work (at
least with the OpenSC pkcs11 module). Therefore, in the single-shot
connection, the PIN is asked twice, which is unfortunate, but probably
closest to the PIV specification.
One note for the code style:
+ struct pkcs11_slotinfo *si;
+ CK_FUNCTION_LIST *f;
+ CK_BBOOL flag = 0;
+ CK_ATTRIBUTE attr;
+ CK_RV rv;
^-- misaligned indentation (missing space in flag, attr)
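Review bot: `CK_BBOOL flag = 0;` initialises a PKCS#11 boolean with a bare 0 and uses a name that does not say which attribute it holds. Suggest something like `CK_BBOOL always_auth = CK_FALSE;` (the name is only an example) so that later checks read against CK_TRUE/CK_FALSE. Separately, `CK_ATTRIBUTE attr;` is declared without an initialiser, so make sure its type, pValue and ulValueLen fields are all set before the first use.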
[0] https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
[1] https://github.com/OpenSC/OpenSC/pull/1256