[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?

Stef Walter stefw at collabora.co.uk
Mon Jun 13 02:11:00 PDT 2011

On 06/10/2011 07:08 PM, Martin Paljak wrote:
> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>> After sleeping on this idea, I realized it won't work in certain
>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE and
>> requires C_Login with CKU_CONTEXT_SPECIFIC.
> This is hardly the case with SSL.
> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set for
> keys that require "user consent" or usually are used for
> "nonrepudiation". Most cards I've seen can use authentication keys
> once the cardholder is verified until the card is reset or removed.
> Using such card with a pinpad reader would be impossible for web
> authentication, you'd be typing the PIN most of the time.

That's a good point. I wasn't thinking about that.

That said, I've come up with what would possibly be a less hacky
solution to the problem (less hacky than logging into a session in one
library, and assuming a new session will already be logged in another
library in the same process).

Since the PKCS#11 URI's say that the pinfile attribute of the URI can be
determined by the application, we can build something simple in p11-kit
and register callbacks so that one component (in the same process) can
provide the pin for another (like gnutls).

I've roughed this out, and it works quite well. I'll post more about it
next week.



More information about the p11-glue mailing list