Menu
▾
▴
Re: [Opensc-devel] State of session locking support
|
From: Martin V. <mv...@gm...> - 2015-11-13 14:20:37
|
On Fri, Nov 13, 2015 at 2:07 PM, Frank Morgner < mo...@in...> wrote: > Please rephrase this problem to something like "session locking"! > Doug is correct, this can't be solved purely on the lower level. Your > best bet would be the PKCS#11 Sessions. I just checked with Client > authentication in Firefox and the workflow is something like this: > > 1. Read card/token/certificates/slots/whatever > 2. C_OpenSession(0x1) > 3. C_Login > 4. C_OpenSession(0x1) > 5. C_SignInit/C_Sign > 6. (immediately after signature) C_CloseSession > 7. Go to 4. and repeat > 8. Terminate Firefox > 9. C_CloseAllSessions > > So this means, the state can be stored on the pkcs11 layer and restore/save+destroy it in the driver, if a pkcs11 call is entered (or returns)? On Fri, Nov 13, 2015 at 2:22 PM, Douglas E Engert <dee...@gm...> wrote: >The restored of a state by an application may not match the state in the card >Only by reestablishing a connection and reauthentication can you get the card >working again. (I don't consider caching the PIN to be good a security practice.) >From my commercial drivers I see from the apdu, that they always logout from the card and login/change directory. (So the pkcs11 driver stores the pin internally.) |
