From: Paul W. <ma...@al...> - 2018-10-29 11:14:05
29.10.2018 12:59, Bob Backlund writes:
> Hi,
>
> Just a question on the C_InitToken implementation of OpenSC; the
> PKCS#11 document states the following below.
>
> If the token is being reinitialized, the *pPin parameter is checked
> against the existing SO PIN* to authorize the initialization operation.
>
> When the token is reinitialized, C_InitToken should verify the PIN
> passed to it against the one provided on the first initialization.
>
> I tried to trace the source code, but it seems this is not handled on the
> C_InitToken layer; C_InitToken will just pass the data (pin, pin
> length, label) to the PKCS#11 framework, or the pkcs15_initialize function.

Hi!

It seems that the SO PIN you passed should be checked by the token itself. In other words it can be stated as: in order to re-initialize the token you have to *log on* to that token. But that leads to the following problem: what to do if you forget the SO PIN and that is why you want to *reset* the token completely?

Second, if you look at the implementation of init_token() in pkcs11-tool.c, you find that it asks for the *new* SO PIN, not the existing SO PIN. And that is true for the cards and tokens I'm working with: I enter any SO PIN I want there and get a newly initialized token with no data on it.

> In this function, it will check if there is an implementation of the
> SC_CARDCTL_PKCS11_INIT_TOKEN command on the card level (card-*); the
> data is passed to this function. Most of the drivers did not implement
> this one.
> After the call to this function, sc_pkcs15init_erase_card is also
> called, but the data is not passed.
>
> After this, pkcs15init_add_app is called; this is the function that does
> the initialization, but up to here the existing SO validation was not
> handled, and the data was passed to this function.
>
> So, my question is: if I wanted to support the existing SO validation (as
> stated in the PKCS#11 document) for C_InitToken, what would be my
> approach? I was thinking of implementing SC_CARDCTL_PKCS11_INIT_TOKEN,
> but this is on the card level and it doesn't know anything about the
> PKCS#11 objects or the PKCS#15 structure.
>
> I would appreciate it if someone could point me in the right direction, or at least to a
> document that I can read that discusses this part of OpenSC.
>
> Thank you very much!
>
> Cheers,
>
> fightingsibuyas
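A small model of the reinitialization rule the thread quotes, added here as an illustration and not code from OpenSC or the PKCS#11 project: it simulates an in-memory token instead of a card, the type and return-code stand-ins use the values from pkcs11.h, and the minimum PIN length of 4 is an assumption. The point it shows is ordering: on an already-initialized token the supplied pPin is verified against the stored SO PIN *before* anything is erased, while on a fresh token pPin simply becomes the SO PIN.

```c
#include <string.h>

/* Stand-ins for the PKCS#11 types and codes; values match pkcs11.h. */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_UTF8CHAR;
#define CKR_OK                0x00UL
#define CKR_PIN_INCORRECT     0xA0UL
#define CKR_PIN_LEN_RANGE     0xA2UL
#define CKF_TOKEN_INITIALIZED 0x400UL
#define MAX_PIN 64

/* Hypothetical in-memory token: the state a card-level handler for
   SC_CARDCTL_PKCS11_INIT_TOKEN would have to consult. */
struct sim_token {
    CK_ULONG    flags;          /* CKF_TOKEN_INITIALIZED once initialized */
    CK_UTF8CHAR so_pin[MAX_PIN];
    CK_ULONG    so_pin_len;
    CK_UTF8CHAR label[32];      /* blank-padded, as the spec requires */
    int         objects;        /* stand-in for the PKCS#15 content */
};

/* Constant-time comparison: the check must not leak PIN bytes via timing. */
static int pin_equal(const CK_UTF8CHAR *a, CK_ULONG alen,
                     const CK_UTF8CHAR *b, CK_ULONG blen) {
    unsigned char diff = (unsigned char)(alen != blen);
    for (CK_ULONG i = 0; i < alen && i < blen; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* C_InitToken semantics from the quoted spec text: on a fresh token pPin
   becomes the SO PIN; on an initialized token pPin must match the existing
   SO PIN before anything is erased. Minimum length 4 is an assumption. */
CK_RV sim_init_token(struct sim_token *t, const CK_UTF8CHAR *pPin,
                     CK_ULONG ulPinLen, const CK_UTF8CHAR *pLabel) {
    if (ulPinLen < 4 || ulPinLen > MAX_PIN) return CKR_PIN_LEN_RANGE;
    if (t->flags & CKF_TOKEN_INITIALIZED) {
        /* Reinitialization: authorize with the existing SO PIN first. */
        if (!pin_equal(pPin, ulPinLen, t->so_pin, t->so_pin_len))
            return CKR_PIN_INCORRECT;
    }
    /* Only now erase and set up the token (sc_pkcs15init_erase_card's role). */
    t->objects = 0;
    memcpy(t->so_pin, pPin, ulPinLen);
    t->so_pin_len = ulPinLen;
    memcpy(t->label, pLabel, 32);
    t->flags |= CKF_TOKEN_INITIALIZED;
    return CKR_OK;
}
```

With the check placed where the spec puts it, a wrong SO PIN leaves the existing objects untouched; the open question from the reply above (a forgotten SO PIN) remains, since this path offers no reset without it.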