-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
minidriver.c pkcs15-piv.c - Support PinCacheAlwaysPrompt #3167
base: master
Are you sure you want to change the base?
Conversation
This should be a fix for #3159 when PIV is used with the minidriver. Mindriver looks for a So when an application like (For PKCS11, framework-pkcs15.c also sets The This has been tested on Windows 11 PRO using an IDEMIA ID-One PIV 2.4.1 test card with ECDSA and RSA keys using I have been using opesc.conf so as to avoid any OpenSC caching and get PIN debugging:
registry was modified like what https://github.com/ckahlo did to use the OpenSC minidriver for a PIV with the correct ATR. Note that Windows is caching the What I have not done is test with others cards, especially with cards that have a |
src/minidriver/minidriver.c
Outdated
p->PinPurpose = DigitalSignaturePin; | ||
/* may need to check pin auto_info for auth_method SC_AC_CONTEXT_SPECIFIC */ | ||
p->PinCachePolicy.PinCachePolicyType = PinCacheAlwaysPrompt; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this force PIN re-prompts for every MD_ROLE_USER_SIGN
PIN, not only the new PIV type?
Minidriver spec says that:
Note: Windows logon may not work properly if a PIN is not cached. This behavior is by design.
Therefore, careful consideration should be given when setting a PIN cache mode to any value other thanPinCacheNormal
.
I guess it really should be a special PKCS15 API PIN flag that says that this PIN needs re-sending before each operation. Or some other way to retrieve this information about PIN from the particular OpenSC card driver.
And then when this OpenSC API PIN flag is set the Minidriver can return PinCacheAlwaysPrompt
for this PIN.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this force PIN re-prompts for every MD_ROLE_USER_SIGN PIN, not only the new PIV type?
Maybe I have taken a different approach with the force push today:
minidriver.c - Create shadow MD_ROLE_USER_ALWAYS and MD_ROLE_USER_SIGN_ALWAYS
PKCS11 defines CKA_ALWAYS_AUTHENTICATE attribute for private keys, which is converted
to `user_consent` for PKCS15 for private keys. Windows has `PinCacheAlwaysPrompt`
on PINS to accomplish the same thing - prompt user before using a key.
But a key "is secured by" only one pin, but a pin may secure multiple keys where only
a subset of keys need `PinCacheAlwaysPrompt`
Two new pin roles are defined and use a sc_pkcs15_id auth_id of
auth_id_md_role_user_always = {"MD_ROLE_USER_ALWAYS", 18};
and
auth_id_md_role_user_sign_always = {"MD_ROLE_USER_SIGN_ALWAYS", 18};
When building containers for pkcs15 key objects, if user_consent > 0, the auth_id
is set to one of the above. Thus when Windows CSP selects a key, it will find
a pin that matches the correct role for the key.
This is still being tested. But should work for any card the has PKCS15 user_consent > 0
for
the User key and/or the Sign key.
ce6d33d
to
01c418a
Compare
Version 3 of this PR... But none of these tried to address the PKCS11 Cards may have multiple pins, which may or may not have a
The PIV card has just one PIN but if the 9C key is used the verify ADPU must immediately proceed the crytpo ADPU. So it needs
In this version of the PR:
This should also work for the other 4 cards, but they should be tested. "is secured by" is used in the debug logs with level 7. @maciejsszmigiero can you have a look at this too? |
b8991ef
to
b16400e
Compare
At least 5 card drivers set user_consent on a sign pin The user_consent indicates a prompt for the pin should always be done by minidriver. PKCS15 can also set user_consent and PKCS11 sets key attribute CKA_ALWAYS_AUTHENTICATE when key has user_consent, but windows need the PinCacheAlwaysPrompt flag set on the pin. pkcs15-piv.c now defines a sign pin which is used only with the 9C key. ======= On branch minidriver-PinCacheAlwaysPrompt Changes to be committed: modified: libopensc/pkcs15-piv.c modified: minidriver/minidriver.c
b16400e
to
bc0b511
Compare
The PR has been rebased to a single commit, and tested with two PIV type cards with:
Card drivers that do not use
So this PR will be useful for the 5 drivers. But registry entries for OpenSC with PIV are not installed be default and the JPKI still has problems. No bug reports (that I know of) with |
Add SC_PKCS15_CO_FLAG_PRIVATE on "Digital Signature Public Key" and set pubkey_obj.flags and pubkey_obj.auth_id to use the Sign KEY so minidriver.c can request the pin before reading the public key. Card enforces this as perspecs. Partial fix for OpenSC#3169 Only pkcs15-jpki.c is changed. In addition to changes in OpenSC#3167 that address "user_consent" using "PinCacheAlwaysPrompt", The JPKI card forces the user to verify the Sign PIN before the public key is read. But to use the Sign KEY, Windows minidriver specs V7.07 says: the "CCP_CONTAINER_INFO" contains "cbSigPublicKey" and "pbSigPublicKey" which is needed before the key is selected. It might be possible to add bogus information in these and substitute the real values at a later time. But this will require someone with a working card. On branch minidriver-PinCacheAlwaysPrompt Changes to be committed: modified: libopensc/pkcs15-jpki.c On branch JPKI-Improvments Changes to be committed: modified: libopensc/pkcs15-jpki.c
The changes overall seem reasonable to me, but I don't have the ability to test them - my test setup for OpenSC minidriver is long gone by now |
if (i == 0 && pin_info.attrs.pin.reference == 0x80) { | ||
if ((i == 0 || pins[i].cardmod)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to change the logic condition from (i == 0
AND pin.reference == 0x80
) to (i == 0
OR cardmod
).
Is this change intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It logic may need some changes. The intent is when run by minidriver, the pins[i].cardmod is set on pin[2] which will be treated as the Sign PIN by minisriver with the same pin reference as PIN[0]. With PKCS11 or any application other than minidriver, lines 969-971 will cut the loop short and only two pins are defined: pin[0] as the auth pin, and pin[1] as the PUK PIN/Admin PIN.
((i == 0 || pins[i].cardmod)) {
is really if (i == 0 || i == 2)
set the auth_id of the PUK/ADMIN PIN on the other pin(s).
sp800-73-X (all version) only defines one PIN which when used with the 9C key, must be verified just before the APDU (00 87 XX 9C) crypto operation.
sp800-73-X also allows for a Global PIN with reference 00 or a local pin with reference 80 to be use for pin[0] It defines which is preferred or which is the only one to use from the DISCOVERY object. (The prompt to the user
will say USER PIN or Global PIN, just incase they are different.
NIST says only the local PUK PIN (key_ref 81) can be used by the user to unlock/change the pin. Some PIV like cards may allow a Global PUK/Admin pin (key_ref 01) to be used as a PUK. This restriction was relaxed by removing pin_info.attrs.pin.reference == 0x80
The card should enforce this.
The point is when not run with minidriver, pkcs15 tools and routines will list only two pins. Only the minidriver sees a copy of the pin[0] as pin[2] so minidriver uses pin[2] when the 9C key is being used: usrr_consent > 0
. The minidriver tests for need_pin_always
.
if (key_obj->user_consent) | ||
vs->need_pin_always = 1; | ||
logprintf(pCardData, 7, "vs->need_pin_always %d\n", (int) vs->need_pin_always); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this should print need_pin_always
only when it is being set (inside that if
block)?
This value can be deducted from the above user_consent
printout anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left the logprintf
outside to show value of need_pin_always
after the test.
the need_pin_always
could be an array for each ROLE, if there is ever a third type of Sign Pin.
(WIP may fix #3159 waiting to download the MSI artifacts for testing.)
PKCS11 supports CKA_ALWAYS_AUTHENTICATE and PKCS15 user_consent Windows minidriver supports PinCacheAlwaysPrompt
Mindriver has MD_ROLE_USER_SIGN for a pin which is taken to be a second user local pin to be used for signing.
A second user local pin was defined in pkcs15-piv.c which is a duplicate of the user pin except the sc_pkcs15_auth_info_auth_method set is set SC_AC_CONTEXT_SPECIFIC So when a key is used that requires "ALWAYS" authentication it will be be handled like framework-pkcs15.c handles CKA_ALWAYS_AUTHENTICATE
On branch minidriver-PinCacheAlwaysPrompt
Changes to be committed:
modified: libopensc/pkcs15-piv.c
modified: minidriver/minidriver.c
Checklist