minidriver.c pkcs15-piv.c - Support PinCacheAlwaysPrompt

PKCS11 supports CKA_ALWAYS_AUTHENTICATE and PKCS15 user_consent Windows minidriver supports PinCacheAlwaysPrompt Mindriver has MD_ROLE_USER_SIGN for a pin which is taken to be a second user local pin to be used for signing. A second user local pin was defined in pkcs15-piv.c which is a duplicate of the user pin except the sc_pkcs15_auth_info_auth_method set is set SC_AC_CONTEXT_SPECIFIC So when a key is used that requires "ALWAYS" authentication it will be be handled like framework-pkcs15.c handles CKA_ALWAYS_AUTHENTICATE On branch minidriver-PinCacheAlwaysPrompt Changes to be committed: modified: libopensc/pkcs15-piv.c modified: minidriver/minidriver.c
dengert · Jun 1, 2024 · 15b00bf · 15b00bf
1 parent 6ceb50e
commit 15b00bf
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 7 deletions.
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
@@ -71,6 +71,7 @@ typedef struct pdata_st {
 	int         tries_left;
 	const unsigned char  pad_char;
 	int         obj_flags;
+	unsigned int auth_method;
 } pindata;
 
 typedef struct pubdata_st {
@@ -385,7 +386,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		  SC_PKCS15_PIN_FLAG_INITIALIZED |
 		  SC_PKCS15_PIN_FLAG_LOCAL,
 		  -1, 0xFF,
-		  SC_PKCS15_CO_FLAG_PRIVATE },
+		  SC_PKCS15_CO_FLAG_PRIVATE, SC_AC_CHV},
 		{ "02", "PIV PUK", "", 0x81,
 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
 		  8, 4, 8,
@@ -394,8 +395,20 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		  SC_PKCS15_PIN_FLAG_LOCAL | SC_PKCS15_PIN_FLAG_SO_PIN |
 		  SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN,
 		  -1, 0xFF,
-		  SC_PKCS15_CO_FLAG_PRIVATE },
-		{ NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+		  SC_PKCS15_CO_FLAG_PRIVATE, SC_AC_CHV},
+		{ "03", "PIV ALWAYS", "",  0x80,
+		  /* label, flag  and ref will change if using global pin */
+		  /* used with minidriver to indicate CKA_ALWAYS_AUTHENTICATE i.e. user_consent */
+		  /* same as pin "01" */
+		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
+		  8, 4, 8,
+		  SC_PKCS15_PIN_FLAG_NEEDS_PADDING |
+		  SC_PKCS15_PIN_FLAG_INITIALIZED |
+		  SC_PKCS15_PIN_FLAG_LOCAL,
+		  -1, 0xFF,
+		  SC_PKCS15_CO_FLAG_PRIVATE, SC_AC_CONTEXT_SPECIFIC},
+
+		{ NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 	};
 	// clang-format on
 
@@ -540,7 +553,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_SIGN |
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
-			"", 0x9C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x9C, "03", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "03", "KEY MAN key",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
@@ -965,10 +978,11 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		pin_info.attrs.pin.max_length    = pins[i].maxlen;
 		pin_info.attrs.pin.pad_char      = pins[i].pad_char;
 		pin_info.tries_left              = pins[i].tries_left;
+		pin_info.auth_method             = pins[i].auth_method;
 		sc_format_path(pins[i].path, &pin_info.path);
 
 		label = pins[i].label;
-		if (i == 0 &&
+		if ((i == 0 || i == 3) &&
 			sc_card_ctl(card, SC_CARDCTL_PIV_PIN_PREFERENCE,
 					&pin_ref) == 0 &&
 				pin_ref == 0x00) { /* must be 80 for PIV pin, or 00 for Global PIN */
@@ -978,7 +992,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		}
 		strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
 		pin_obj.flags = pins[i].obj_flags;
-		if (i == 0 && pin_info.attrs.pin.reference == 0x80) {
+		if ((i == 0 || i == 3) && pin_info.attrs.pin.reference == 0x80) {
 			/*
 			 * according to description of "RESET RETRY COUNTER"
 			 * command in specs PUK can only unblock PIV PIN

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
@@ -6477,8 +6477,11 @@ DWORD WINAPI CardGetProperty(__in PCARD_DATA pCardData,
 
 				if (dwFlags == ROLE_USER)
 					p->PinPurpose = PrimaryCardPin;
-				else if (dwFlags == MD_ROLE_USER_SIGN)
+				else if (dwFlags == MD_ROLE_USER_SIGN) {
 					p->PinPurpose = DigitalSignaturePin;
+					/* may need to check pin auto_info for auth_method SC_AC_CONTEXT_SPECIFIC */
+					p->PinCachePolicy.PinCachePolicyType = PinCacheAlwaysPrompt;
+				}
 				else
 					p->PinPurpose = AuthenticationPin;