PeculiarVentures / fortify-examples

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is a set of examples of how to use Fortify in your own applications.
MIT License

Force USB Smart Card PIN validation or prevent caching #5

Open rrightwrong opened 5 years ago

rrightwrong commented 5 years ago

Hey Ryan! My web application uses a USB smart card for reading document signing certificates. While signing using WebCrypto (with FortifyApp), the PIN is automatically asked for, but only once. The next time (without unplugging the USB), if I use the same certificate for signing, the PIN is not asked for but the function goes through successfully.

Assuming the PIN is cached at some layer, is there any method to prevent caching of the smart card PIN or to force PIN validation every time signing is done? If yes, how?

rmhrisk commented 5 years ago

The PIN could be being cached in the card's middleware.

Which card and middleware?

Try with app.hancockapp.com (select "require smart card" under transaction options) and let me know if you observe the same thing.

rmhrisk commented 5 years ago

I bet what is happening is your middleware caches the PIN per session.

microshine commented 5 years ago

@rrightwrong You can try to call `crypto.logout()` after using the key.
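
The logout-after-use suggestion above, sketched as an added example; it is not code from the thread participants or from the Fortify project. It assumes the provider crypto object exposes `isLoggedIn()`, `login()` and `logout()` next to `subtle`; `signWithFreshLogin`, `makeFakeTokenCrypto` and `demo` are hypothetical names, and the token is a constructed stand-in so the flow runs without a card.

```javascript
// Added example: end the token session around every signature so the next
// signing operation has to authenticate again.
// Assumption: tokenCrypto is a Fortify provider crypto object with
// isLoggedIn(), login(), logout() and subtle.sign().
async function signWithFreshLogin(tokenCrypto, algorithm, privateKey, data) {
  // Drop any session left open by an earlier operation.
  if (await tokenCrypto.isLoggedIn()) {
    await tokenCrypto.logout();
  }
  await tokenCrypto.login(); // the PIN prompt is expected here
  try {
    return await tokenCrypto.subtle.sign(algorithm, privateKey, data);
  } finally {
    // Runs on success and on failure, so an error cannot leave the token unlocked.
    await tokenCrypto.logout();
  }
}

// Constructed stand-in for a smart card session; it only counts PIN prompts.
function makeFakeTokenCrypto() {
  const state = { loggedIn: false, pinPrompts: 0 };
  return {
    state,
    isLoggedIn: async () => state.loggedIn,
    login: async () => { state.pinPrompts += 1; state.loggedIn = true; },
    logout: async () => { state.loggedIn = false; },
    subtle: {
      sign: async (algorithm, key, data) => {
        if (!state.loggedIn) throw new Error("token is not logged in");
        return new Uint8Array(data.length).buffer; // dummy signature bytes
      },
    },
  };
}

// Two signatures in a row with the same key: each one must prompt for the PIN.
async function demo() {
  const tokenCrypto = makeFakeTokenCrypto();
  const algorithm = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
  const data = new Uint8Array([1, 2, 3]); // constructed sample input
  await signWithFreshLogin(tokenCrypto, algorithm, {}, data);
  await signWithFreshLogin(tokenCrypto, algorithm, {}, data);
  return tokenCrypto.state; // { loggedIn: false, pinPrompts: 2 }
}
```

If the card middleware caches the PIN itself, as suggested earlier in the thread, `login()` may succeed without showing a prompt even after `logout()`.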