From: Douglas E E. <dee...@gm...> - 2016-10-17 17:25:36
<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> What does Yubico say about this feature?<br> Have you asked them?<br> <br> Is there any documentation on the APDU command to tell if the feature is on?<br> <br> And can it be set for individual keys, or does it apply to all keys? <br> <br> As Frank implied, the PKCS#11<span style="color: rgb(0, 0, 0); font-family: Arial, sans-serif; font-size: 13.3333px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none;"> CKF_PROTECTED_AUTHENTICATION_PATH is another way to map the feature to PKCS#11. But any card driver would still need to know </span>how to test for it. <br> <br> <div class="moz-cite-prefix">On 10/17/2016 9:03 AM, <a class="moz-txt-link-abbreviated" href="mailto:fra...@gm...">fra...@gm...</a> wrote:<br> </div> <blockquote cite="mid:201...@gr..." type="cite"> <pre wrap="">There is <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver.c#L2446-L2479">https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver.c#L2446-L2479</a> to ask a PIN on Windows and <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-dnie.c#L197-L370">https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-dnie.c#L197-L370</a> to ask for consent (OK/Abort) on Linux, macOS and Windows. Be aware that showing a GUI while the Windows minidriver tells you to be "silent" may result in system instability (according to the docs). I am working on a card with an integrated PIN pad and fingerprint reader [1]. 
Similarly to a reader with a PIN pad, all requests for verifying the PIN or fingerprint are delegated to the card [2] (search for `SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH`). Additionally I added the Session PIN feature to OpenSC's minidriver for delegating an authenticated session without user interaction. As Doug suggested, you may similarly use the prompt for inserting the PIN on an emulated PIN pad reader to tell the user to tap the card. This would be quick and dirty, but has some drawbacks: 1. Verifying the PIN is not necessarily bound to using the key; 2. you need to handle the user's PIN. Greets, Frank. [1] <a class="moz-txt-link-freetext" href="https://www.bundesdruckerei.de/en/3867-cebit-bundesdruckerei-exhibits-employee-id-card-tomorrow">https://www.bundesdruckerei.de/en/3867-cebit-bundesdruckerei-exhibits-employee-id-card-tomorrow</a> [2] <a class="moz-txt-link-freetext" href="https://github.com/frankmorgner/OpenSC">https://github.com/frankmorgner/OpenSC</a> On Monday, October 17 at 08:40AM, Martin Paljak wrote: </pre> <blockquote type="cite"> <pre wrap="">Hi, I made a wrapper for OSX that shows a notification when the PGP keys are used; it can probably be extended to work on Linux etc. Will publish the setup guide on Github after I verify that the instructions are repeatable. Martin On 16/10/2016 19:02, Thomas Habets wrote: </pre> <blockquote type="cite"> <pre wrap="">When it's waiting for a touch it just waits with no user notification outside of the yubikey blinking. Since I have a Yubikey 4 Nano the blinking is not always in view, which makes me type "ssh"/"git push" and just stare at the screen. Has anyone explored how to surface this "please touch the smartcard" (or similar) message to the user with opensc? I can imagine an ugly solution where, if there's an outstanding "sign" operation for more than epsilon time, then maybe connect to this unix socket and say something, or shell out to this command. 
I can then use that to do something better than, but similar to, running: xmessage 'touch the yubikey' [1] <a class="moz-txt-link-freetext" href="https://blog.habets.se/2016/01/Yubikey-4-for-SSH-with-physical-presence-proof">https://blog.habets.se/2016/01/Yubikey-4-for-SSH-with-physical-presence-proof</a> </pre> </blockquote> <pre wrap=""> _______________________________________________ Opensc-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a> </pre> </blockquote> <pre wrap=""> </pre> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
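Added example, not code from OpenSC or from anyone on this thread: it sketches the "outstanding sign operation for more than epsilon time" watchdog Thomas describes, and the CKF_PROTECTED_AUTHENTICATION_PATH check Doug mentions. It assumes the caller already has some callable that performs the sign (a constructed fake signer stands in for it here) and supplies its own notify() hook (xmessage, notify-send, a unix socket); the names sign_with_touch_hint, has_protected_auth_path and slow_signer are made up for this illustration. The flag value is the one defined in the PKCS#11 v2.x header.

```python
# Added example (hypothetical helper names), not OpenSC or thread-author code.
import threading
import time
from typing import Any, Callable, Tuple

# PKCS#11 CK_TOKEN_INFO.flags bit: the token has a protected authentication
# path (PIN pad, touch button, fingerprint reader), so the application does
# not pass the PIN itself. Value as defined in the PKCS#11 v2.x header.
CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100


def has_protected_auth_path(token_flags: int) -> bool:
    """True if a CK_TOKEN_INFO.flags word advertises a protected auth path."""
    return bool(token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)


def sign_with_touch_hint(sign_fn: Callable[[], Any], epsilon: float,
                         notify: Callable[[], None]) -> Tuple[Any, bool]:
    """Run sign_fn() on a worker thread. If it is still outstanding after
    `epsilon` seconds, call notify() exactly once (e.g. shell out to
    xmessage or notify-send) and keep waiting for the result.
    Returns (result of sign_fn, whether notify() was called).
    Exceptions raised by sign_fn are re-raised on the calling thread."""
    done = threading.Event()
    outcome = {}

    def worker() -> None:
        try:
            outcome["result"] = sign_fn()
        except BaseException as exc:  # surface errors to the caller
            outcome["error"] = exc
        finally:
            done.set()

    threading.Thread(target=worker, daemon=True).start()
    notified = False
    if not done.wait(epsilon):
        # The card has not answered within epsilon: most likely it is
        # waiting for the user (touch, PIN pad, fingerprint). Tell them,
        # then block until the operation actually completes.
        notify()
        notified = True
        done.wait()
    if "error" in outcome:
        raise outcome["error"]
    return outcome["result"], notified


def slow_signer(delay: float, signature: bytes) -> Callable[[], bytes]:
    """Constructed stand-in for a signing call that blocks on a touch."""
    def sign() -> bytes:
        time.sleep(delay)
        return signature
    return sign


if __name__ == "__main__":
    sig, told = sign_with_touch_hint(
        slow_signer(0.5, b"fake-signature"), 0.1,
        lambda: print("please touch the yubikey"))
    print(sig, "notified:", told)
```

The watchdog only knows that the card is slow, not why; as Frank points out, a PIN-pad-style prompt is not bound to the key use, and this wrapper has the same limitation. Checking the token flags first at least tells a driver or agent whether a user-presence prompt is plausible for this token.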