search

OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1
310 stars 187 forks source link

Is force_login supposed to prompt user to re-enter their PIN? #535

Open totszwai opened 4 months ago

totszwai commented 4 months ago

https://github.com/OpenSC/libp11/blob/master/src/eng_back.c#L211

Looking at the code, if force_login is set, and they are already logged in, it just returns true.

Shouldn't we force it to log out first if force_login is enabled?

+   if (ctx->force_login && slot_logged_in(ctx, slot))
+           PKCS11_logout(slot);
+
    if (!(ctx->force_login || tok->loginRequired) || slot_logged_in(ctx, slot))
        return 1;
olszomal commented 4 days ago

According to the PKCS #11 Cryptographic Token Interface Base Specification Version 3.0, the CK_TOKEN_INFO structure includes the CKF_LOGIN_REQUIRED flag, which is set to True if there are cryptographic operations that require the user to be logged in.

However, some tokens do not have the CKF_LOGIN_REQUIRED flag set. In these cases, providing the token PIN via the PIN command fails, while entering it interactively when prompted by the engine works correctly.

The FORCE_LOGIN command can enforce a login to the token when the CKF_LOGIN_REQUIRED flag is not set.

In my opinion, enforcing a logout is unnecessary in this case. I recommend closing this issue.