[Bug 2652] PKCS11 login skipped if login required and no pin set

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Feb 23 22:10:47 AEDT 2018 

https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #12 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Daniel Kucera from comment #11)
> (In reply to Jakub Jelen from comment #10)
> > Thank you for testing the patch. But your changes again change the
> > semantics and issue the pinpad login even if the PIN is NULL, which
> > is not what you generally want.
> 
> But if CKF_LOGIN_REQUIRED is set why would one want to skip login?

The PKCS#11 specification does not say what can and what can not be
accessed if this flag is provided:

> CKF_LOGIN_REQUIRED: True if there are *some* cryptographic functions that a user MUST be logged in to perform

From:
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html

We do not skip login for the private-key operations, but only for the
listing of the keys, which is a valid use case.

> > Or is your card requiring the login also for the listing of public
> > keys? What do you get if you try to list the public objects from
> > pkcs11-tool?
> > 
> > pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so
> 
> My card requires login for absolutely everything
> 
> $ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so
> -O
> Using slot 0 with a present token (0x1)
> $ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so
> -l -O
> Using slot 0 with a present token (0x1)
> Private Key Object; RSA 
>   label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
>   ID:         ...
>   Usage:      decrypt, sign
>   Access:     always authenticate
> Certificate Object; type = X.509 cert
>   label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
>   ID:         ...

Yes, this is the same problem as described in the bug #2430 some while
back, which I hit with some soft tokens and that are also visible in
eID cards as I tried to point out.

Prompting for the PIN for public key operations is nothing we would
like to do automatically, so there really should be some switch to do
the login before listing the keys or the login should be proposed
explicitly by for example a PIN in PKCS#11 URI.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list