
essentially revert 1bb2547 #2207

Merged: 1 commit, Jan 22, 2021

Conversation

frankmorgner (Member):

fixes #2199

returns PKCS#11 return codes that are not allowed to applications, however

Checklist
  • Documentation is added or updated
  • New files have a LGPL 2.1 license statement
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

dengert (Member) commented Jan 20, 2021

Looks good.
@EricV can you also test this?

Tested with OpenSC configured to only recognize myeid cards, with a Yubikey and an empty reader:

export PKCS11SPY=/opt/ossl-1.1/lib/opensc-pkcs11.so
export PKCS11SPY_OUTPUT=/tmp/spy.txt
export OPENSC_DRIVER=myeid
./pkcs11-tool --module /opt/ossl-1.1/lib/pkcs11-spy.so  -L
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  (token not recognized)
Slot 1 (0x4): SCM Microsystems Inc. SCR 355 [CCID Interface] 01 00
  (empty)

With a Yubikey and a myeid card. pkcs11-spy loads p11-kit, which then loads the modules for opensc-pkcs11, softhsm and ykcs11.

export PKCS11SPY=/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
export PKCS11SPY_OUTPUT=/tmp/spy.txt
export OPENSC_DRIVER=myeid
./pkcs11-tool --module /opt/ossl-1.1/lib/pkcs11-spy.so  -L
export PKCS11SPY=/opt/ossl-1.1/lib/opensc-pkcs11.so 

Slot 0 (0x10): Yubico YubiKey OTP+FIDO+CCID 00 00
  (token not recognized)    ((OpenSC configured to only recognize myeid))
Slot 1 (0x11): SCM Microsystems Inc. SCR 355 [CCID Interface] 01 00
  token label        : MyEID (Basic PIN)
  token manufacturer : Aventra Ltd.
  token model        : PKCS#15
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 40.0
  serial num         : 506325162e50244c
  pin min/max        : 4/8
Slot 2 (0x12): SCM Microsystems Inc. SCR 355 [CCID Interface] 01 00
  token label        : MyEID (Sign PIN)
  token manufacturer : Aventra Ltd.
  token model        : PKCS#15
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 40.0
  serial num         : 506325162e50244c
  pin min/max        : 4/8
Slot 3 (0x13): SoftHSM slot ID 0x3b974305
  token label        : mytoken
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.5
  firmware version   : 2.5
  serial num         : 75b0ec1e3b974305
  pin min/max        : 4/255
Slot 4 (0x14): SoftHSM slot ID 0x1
  token state:   uninitialized


((the ykcs11 module then finds the Yubikey)) 
Slot 5 (0x15): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #13412288
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.26
  serial num         : 13412288
  pin min/max        : 6/48
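As an added example (not code from OpenSC, p11-kit or this PR), the following Python checker reads a pkcs11-spy log like the /tmp/spy.txt produced by the commands above and reports every C_GetSlotList, C_GetSlotInfo, C_GetTokenInfo and C_GetMechanismList call whose return code is outside the list the PKCS#11 v2.40 specification permits for that function, which is the class of "not allowed" code this PR stops handing to applications. The log layout it parses (a "N: C_Function" header, "[in] name = value" lines and a "Returned:  rv CKR_NAME" trailer) is an assumption about pkcs11-spy's output, the ALLOWED sets are transcribed from the specification rather than from this page, and the embedded SAMPLE_LOG is constructed: its final CKR_CANCEL entry is invented to exercise the checker and is not a claim about what OpenSC 0.21.0 actually returned.

```python
"""Flag PKCS#11 return codes that the spec does not permit for the slot and
token enumeration calls, by reading a pkcs11-spy log such as /tmp/spy.txt.

Added example; not code from OpenSC or p11-kit. Assumptions: pkcs11-spy writes
a "N: C_Function" header, "[in] name = value" lines and a "Returned:  <rv>
<CKR_NAME>" trailer per call (adjust the regexes if a build differs), and the
ALLOWED sets below are transcribed from PKCS#11 v2.40 section 5.5.
"""
import re
import sys
from collections import namedtuple

_COMMON = {"CKR_ARGUMENTS_BAD", "CKR_CRYPTOKI_NOT_INITIALIZED",
           "CKR_FUNCTION_FAILED", "CKR_GENERAL_ERROR", "CKR_HOST_MEMORY", "CKR_OK"}
_TOKEN = _COMMON | {"CKR_DEVICE_ERROR", "CKR_DEVICE_MEMORY", "CKR_DEVICE_REMOVED",
                    "CKR_SLOT_ID_INVALID", "CKR_TOKEN_NOT_PRESENT",
                    "CKR_TOKEN_NOT_RECOGNIZED"}
# Return codes the spec lists for each function (PKCS#11 v2.40, section 5.5);
# verify against the spec copy you rely on.
ALLOWED = {
    "C_GetSlotList": _COMMON | {"CKR_BUFFER_TOO_SMALL"},
    "C_GetSlotInfo": _COMMON | {"CKR_DEVICE_ERROR", "CKR_SLOT_ID_INVALID"},
    "C_GetTokenInfo": _TOKEN,
    "C_GetMechanismList": _TOKEN | {"CKR_BUFFER_TOO_SMALL"},
}

Call = namedtuple("Call", "seq func args rv")

_HEADER = re.compile(r"^(\d+): (C_\w+)\s*$")
_ARG = re.compile(r"^\[in\] (\w+) = (\S+)")
_RET = re.compile(r"^Returned:\s+\d+ (CKR_\w+)")


def parse_spy_log(text):
    """Turn a pkcs11-spy log into Call records, one per completed call."""
    calls, seq, func, args = [], None, None, {}
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            seq, func, args = int(m.group(1)), m.group(2), {}
            continue
        if func is None:
            continue  # text between calls we do not track
        m = _ARG.match(line)
        if m:
            args[m.group(1)] = m.group(2)
            continue
        m = _RET.match(line)
        if m:
            calls.append(Call(seq, func, args, m.group(1)))
            func = None  # timestamp and [out] lines are skipped
    return calls


def disallowed_returns(calls):
    """Calls to a checked function whose return code is outside ALLOWED."""
    return [c for c in calls if c.func in ALLOWED and c.rv not in ALLOWED[c.func]]


def token_state(calls):
    """Map slotID -> last C_GetTokenInfo result, the view an app or p11-kit sees."""
    return {c.args.get("slotID"): c.rv for c in calls if c.func == "C_GetTokenInfo"}


# Constructed sample, not a real capture: slot 0x10 holds a card this module does
# not drive, 0x11 is empty, and the last entry is invented to show what the checker
# flags (the PR page does not say which code OpenSC 0.21.0 returned).
SAMPLE_LOG = """\
0: C_Initialize
2021-01-20 10:00:00.000
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

1: C_GetSlotList
2021-01-20 10:00:00.001
[in] tokenPresent = 0x0
Returned:  0 CKR_OK

2: C_GetTokenInfo
[in] slotID = 0x10
Returned:  225 CKR_TOKEN_NOT_RECOGNIZED

3: C_GetTokenInfo
[in] slotID = 0x11
Returned:  224 CKR_TOKEN_NOT_PRESENT

4: C_GetTokenInfo
[in] slotID = 0x12
Returned:  1 CKR_CANCEL
"""


def main(path=None):
    """Report per-slot token state and spec violations; exit status 1 if any."""
    text = open(path).read() if path else SAMPLE_LOG
    calls = parse_spy_log(text)
    for slot, rv in token_state(calls).items():
        print(f"slot {slot}: C_GetTokenInfo -> {rv}")
    bad = disallowed_returns(calls)
    for c in bad:
        print(f"call {c.seq}: {c.func} {c.args} returned {c.rv}, not allowed by the spec")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python3 check_spy.py /tmp/spy.txt` after repeating the pkcs11-tool -L step above through pkcs11-spy; with no argument it runs on the constructed sample. CKR_TOKEN_NOT_RECOGNIZED and CKR_TOKEN_NOT_PRESENT are the spec-conformant ways for C_GetTokenInfo to say "nothing usable in this slot", which is what the myeid-only configuration above should yield for the Yubikey and the empty reader.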

EricV commented Jan 20, 2021

Confirmed working for me also.

frankmorgner (Member, Author):

thanks for testing!

@frankmorgner frankmorgner merged commit 7a090b9 into OpenSC:master Jan 22, 2021
dengert (Member) commented Jan 25, 2021

@frankmorgner are you considering having a 0.21.1 release to fix this bug?

The bug will show up when using p11-kit and the token is not supported by OpenSC.
So this will lead to people reporting this problem to their smart card vendor or Linux distro, and not to OpenSC.
Our reputation is on the line if we cannot operate under p11-kit.

EricV commented Jan 25, 2021

I support this request; we have hundreds of Linux PCs that are not yet affected but that will be if the next Debian version incorporates 0.21.0. And currently the freeze for this next Debian version is really close (mid February).

If you want to make it secure you can just take this commit and release 0.21.0 + this commit as 0.21.1.

Otherwise, I tested git upstream yesterday and it also works. Just to let you know.

Linked issue (may be closed by merging this pull request): opensc 0.21.0 break my openvpn config using a Aladdin Knowledge Systems Token JC PKI