Minidriver.c sign_pin and user_consent - PinCacheAlwaysPrompt

At least 5 card drivers set user_consent on a sign pin The user_consent indicates a prompt for the pin should always be done by minidriver. PKCS15 can also set user_consent and PKCS11 sets key attribute CKA_ALWAYS_AUTHENTICATE when key has user_consent, but windows need the PinCacheAlwaysPrompt flag set on the pin. pkcs15-piv.c now defines a sign pin which is used only with the 9C key. ======= On branch minidriver-PinCacheAlwaysPrompt Changes to be committed: modified: libopensc/pkcs15-piv.c modified: minidriver/minidriver.c
dengert · Jun 8, 2024 · 01c418a · 01c418a
1 parent 6ceb50e
commit 01c418a
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 8 deletions.
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
@@ -385,8 +385,20 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		  SC_PKCS15_PIN_FLAG_INITIALIZED |
 		  SC_PKCS15_PIN_FLAG_LOCAL,
 		  -1, 0xFF,
-		  SC_PKCS15_CO_FLAG_PRIVATE },
-		{ "02", "PIV PUK", "", 0x81,
+		  SC_PKCS15_CO_FLAG_PRIVATE},
+
+		{ "02", "PIN", "", 0x80,
+		  /* used in minidriver as the sign key and for 9C key */
+		  /* label, flag  and ref will change if using global pin */
+		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
+		  8, 4, 8,
+		  SC_PKCS15_PIN_FLAG_NEEDS_PADDING |
+		  SC_PKCS15_PIN_FLAG_INITIALIZED |
+		  SC_PKCS15_PIN_FLAG_LOCAL,
+		  -1, 0xFF,
+		  SC_PKCS15_CO_FLAG_PRIVATE},
+
+		{ "03", "PIV PUK", "", 0x81,
 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
 		  8, 4, 8,
 		  SC_PKCS15_PIN_FLAG_NEEDS_PADDING |
@@ -540,7 +552,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_SIGN |
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
-			"", 0x9C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x9C, "02", SC_PKCS15_CO_FLAG_PRIVATE, 1}, /* use sign pin and user_consent */
 		{ "03", "KEY MAN key",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
@@ -968,7 +980,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		sc_format_path(pins[i].path, &pin_info.path);
 
 		label = pins[i].label;
-		if (i == 0 &&
+		if ((i == 0 || i == 1) &&
 			sc_card_ctl(card, SC_CARDCTL_PIV_PIN_PREFERENCE,
 					&pin_ref) == 0 &&
 				pin_ref == 0x00) { /* must be 80 for PIV pin, or 00 for Global PIN */

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
@@ -233,6 +233,9 @@ typedef struct _VENDOR_SPECIFIC
 	struct md_dh_agreement* dh_agreements;
 	BYTE allocatedAgreements;
 
+	/* if any key used with the MD_ROLE_USER_SIGN has user_consent set PinCacheAlwaysPrompt */
+	BYTE need_pin_always;
+
 	CRITICAL_SECTION hScard_lock;
 } VENDOR_SPECIFIC;
 
@@ -1888,6 +1891,10 @@ md_set_cmapfile(PCARD_DATA pCardData, struct md_file *file)
 						  cont->flags & CONTAINER_MAP_DEFAULT_CONTAINER ?
 						  " (default)" : "");
 
+					/* set flag that at least one key that uses the sign key needs PinCacheAlwaysPrompt */
+					if (key_obj->user_consent)
+						vs->need_pin_always = 1;
+
 					if (pin_mode < pin_mode_n) {
 						pin_mode = pin_mode_n;
 						pin_cont_idx = ii;
@@ -6475,16 +6482,27 @@ DWORD WINAPI CardGetProperty(__in PCARD_DATA pCardData,
 					  "returning info on normal PIN [%lu]\n",
 					  (unsigned long)dwFlags);
 
-				if (dwFlags == ROLE_USER)
+				if (dwFlags == ROLE_USER) {
+					p->PinCachePolicy.PinCachePolicyType = PinCacheNormal;
 					p->PinPurpose = PrimaryCardPin;
-				else if (dwFlags == MD_ROLE_USER_SIGN)
+				}
+				else if (dwFlags == MD_ROLE_USER_SIGN) {
+					if (vs->need_pin_always) {
+						p->PinCachePolicy.PinCachePolicyType = PinCacheAlwaysPrompt;
+						logprintf(pCardData, 7, "Setting PinCacheAlwaysPrompt\n)";
+					}
+					else
+					p->PinCachePolicy.PinCachePolicyType = PinCacheNormal;
+
 					p->PinPurpose = DigitalSignaturePin;
-				else
+				}
+				else {
 					p->PinPurpose = AuthenticationPin;
+					p->PinCachePolicy.PinCachePolicyType = PinCacheNormal;
+				}
 
 				p->PinCachePolicy.dwVersion = PIN_CACHE_POLICY_CURRENT_VERSION;
 				p->PinCachePolicy.dwPinCachePolicyInfo = 0;
-				p->PinCachePolicy.PinCachePolicyType = PinCacheNormal;
 				p->dwChangePermission = CREATE_PIN_SET(dwFlags);
 				p->dwUnblockPermission = CREATE_PIN_SET(ROLE_ADMIN);
 				break;