From: Martin V. <mv...@gm...> - 2015-11-13 08:42:49
On Thu, Nov 12, 2015 at 5:38 PM, Douglas E Engert <dee...@gm...> wrote:
> Each applet, card or calling application may have its own issues.
>
>> Can you say what applets, cards or applications you are trying to
>> address?
>> Starcos 3.2 from Thunderbird/Firefox/Cisco VPN, like some time ago:
>> (*) https://www.opensc-project.org/opensc/ticket/373
>>
>
> How about:
>
> https://github.com/OpenSC/OpenSC/pull/357
> "Code inspired by experimental STARCOS 3 driver by Martin Vogt"
> Are you in github.com/OpenSC ?
> Last commit for card-starcos.c was July 31.
>
> OpenSC has many developers, but unlike other projects, developers only
> have one or maybe two cards that they are interested in.
> (Starcos is not on my list, PIV is.) So to get the attention of a
> developer rephrase your concern with the card you are interested in.
>

I would like to have the "stateless" support for the STARCOS3 driver.

My idea was to extend the card-starcos.c plugin with two callback functions. The driver knows how to save/restore its state, but it does not know when. But I think the pkcs11 layer does. Then every entry/exit to a pkcs11 function looks up the driver, by a pkcs11 session handle, after the reader is locked and tries to restore the previous state. If the thread exits the pkcs11 function it saves the state and logs out of the card. The state is a PIN/directory structure. I think this is what the commercial software does.

This will have some issues with pinpad readers (therefore the pkcs11 driver cannot be used for these readers), and because it's a different functionality, the resulting pkcs11 lib needs another name, for example "pkcs11stateless.so"...

> But have you looked at the opensc.conf for PCSC?
> Not sure if these would work for you.
>
> # Connect to reader in exclusive mode?
>
> [snip]

The last time I looked at it (*) the config options didn't help. It leaves the card unlocked for every application in some circumstances.

> [point 1-25]
>>
>> All are valid points.
>> I assume that the commercial pkcs11 driver won't work in some cases.
>> Maybe they return an error if the state restore fails.
>> But for me, it looks like the majority of the applications do not behave
>> evil/that way.
>>
>>
> I would assume if they don't understand the save/restore pkcs11 attributes
> or new calls
> they won't use it, and just do what they do now, which is have problems if
> some other application
> grabs the card.
>

The modification should not be visible to the outside, e.g. "pkcs11.h". It's an internal modification. Thunderbird or Firefox do a C_Login on start and keep the card locked the whole time. The pkcs11 driver internally has to do the "logout" and keep the state associated with a pkcs11 session handle.

I haven't looked at the pkcs11 code yet, so that's only my idea of how it may work... Therefore I would like to have some advice on how it may be done. (Or if there are other ways to do it.)

Best regards,

Martin
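A constructed C model of the entry/exit save-and-restore scheme sketched in the message above (this is added illustration code, not OpenSC's card-starcos.c or its pkcs11 layer; the session table, the simulated card commands and the `session_enter`/`session_exit` names are all assumptions). It shows the card being logged out between calls so another process never finds it unlocked, and the restore failing for the pinpad case, where no host-side PIN exists to re-verify with.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model: the driver knows HOW to save/restore card state,
 * the PKCS#11 layer decides WHEN (entry/exit of each call, per session handle). */
#define MAX_SESSIONS 4
#define NO_PIN ""   /* pinpad reader: PIN never passes through the host */

typedef struct {
    char selected_path[32]; /* currently selected DF/EF on the card */
    bool pin_verified;      /* PIN status the card holds right now */
    char cached_pin[16];    /* host-entered PIN needed to re-verify; empty for pinpad */
} card_state_t;

static card_state_t card = { "3F00", false, NO_PIN }; /* the one shared card (constructed) */
static card_state_t saved[MAX_SESSIONS];             /* per-session snapshots */
static bool in_use[MAX_SESSIONS];

/* simulated card commands */
void card_select(const char *path) { strncpy(card.selected_path, path, sizeof card.selected_path - 1); }
void card_verify_pin(const char *pin) { card.pin_verified = true; strncpy(card.cached_pin, pin, sizeof card.cached_pin - 1); }
bool card_is_unlocked(void) { return card.pin_verified; }
const char *card_selected_path(void) { return card.selected_path; }

/* Entry callback (reader already locked): bring the card back to this session's state.
 * Returns -1 for a bad handle, -2 when the PIN cannot be restored (pinpad case). */
int session_enter(int hSession) {
    if (hSession < 0 || hSession >= MAX_SESSIONS) return -1;
    if (!in_use[hSession]) return 0;                    /* first call: nothing to restore */
    card_select(saved[hSession].selected_path);
    if (saved[hSession].pin_verified) {
        if (saved[hSession].cached_pin[0] == '\0') return -2;
        card_verify_pin(saved[hSession].cached_pin);
    }
    return 0;
}

/* Exit callback: snapshot the state, then log out so another process cannot
 * use the card with our PIN still verified, and return to the MF. */
int session_exit(int hSession) {
    if (hSession < 0 || hSession >= MAX_SESSIONS) return -1;
    saved[hSession] = card;
    in_use[hSession] = true;
    card.pin_verified = false;                          /* logout */
    memset(card.cached_pin, 0, sizeof card.cached_pin);
    card_select("3F00");
    return 0;
}
```

Restoring a verified PIN this way means the PIN must be kept in process memory between calls, which is the trade-off behind the pinpad remark in the thread.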