alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

9.3 release always requires PIN for signing operation #41

Closed invidian closed 2 years ago

invidian commented 2 years ago

It seems that after upgrading to 9.3, I'm prompted for the PIN on every sign operation. With 9.2, the PIN was cached until my YubiKey was unplugged. Both authentication and encryption operations cache the PIN properly.

As a workaround, one can create an /etc/opensc.conf file with the following content:

app default {
        framework pkcs15 {
                pin_cache_ignore_user_consent = true;
        }
}

However, this is insecure, as the PIN is cached and re-used even when the YubiKey gets re-plugged.

Do you have any idea why this behavior occurs? I was investigating and perhaps this is related to https://github.com/OpenSC/pkcs11-helper/commit/cbb453f258042503b4afddf9fe4cad6b718ab152?

Or maybe there is some configuration option which could be used to restore previous behavior?

EDIT:

Also, when the YubiKey is plugged in, I get asked for the PIN twice. In consecutive signing operations, I get asked only once. I've also tried adding:

default-cache-ttl 34560000
maximum-cache-ttl 34560000

to gpg-agent.conf, but it does not make a difference.

invidian commented 2 years ago

Ah, I see that:

$ gpg --card-status  2>&1 | grep 'Signature PIN ....: forced'
Signature PIN ....: forced

So perhaps it's just being enforced now, as mentioned in https://github.com/OpenSC/pkcs11-helper/releases/tag/pkcs11-helper-1.28 changelog.

However, executing gpg --edit-card, admin, forcesig, quit does not change it for some reason. I see the command being sent and the key returns OK, but nothing changes:

Jan 04 17:48:48 dellxps15mateusz gpg-agent[3893785]: gnupg-pkcs11-scd[3893785]: chan_0 <- SETATTR CHV-STATUS-1 %00
Jan 04 17:48:48 dellxps15mateusz gpg-agent[3893785]: gnupg-pkcs11-scd[3893785]: chan_0 -> OK

alonbl commented 2 years ago

Hi,

As far as I understand, YubiKey PIV marks keys as CKA_ALWAYS_AUTHENTICATE, hence requires authentication on every key use, while the PIN of the user and of the key was the same.

The old pkcs11-helper did not treat the context-specific login in a special way; it tried to use the cached PIN, as it assumed that the session had timed out. Since it was the same key, it succeeded... it was actually a violation of the policy....
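
The rule alonbl describes, shown as an added example (not code from gnupg-pkcs11-scd, pkcs11-helper or OpenSC): a private key flagged CKA_ALWAYS_AUTHENTICATE needs C_Login with CKU_CONTEXT_SPECIFIC immediately before every private-key operation, and the user PIN cached for the session does not satisfy that requirement. The hardware path assumes the PyKCS11 package and a PKCS#11 module path; FakeSession is a constructed stand-in that enforces the same token rule so the policy logic can be run without a YubiKey.

```python
"""Signing with a PKCS#11 key that carries CKA_ALWAYS_AUTHENTICATE (added example)."""
try:
    import PyKCS11  # real library, only needed by the hardware path below
except ImportError:  # keep the policy code importable without it
    PyKCS11 = None

# Constant values from the PKCS#11 v2.40 specification.
CKA_CLASS = 0x000
CKO_PRIVATE_KEY = 0x003
CKA_ALWAYS_AUTHENTICATE = 0x202
CKU_USER = 1
CKU_CONTEXT_SPECIFIC = 2


class ContextLoginRequired(Exception):
    """Raised by the stand-in token, mirroring CKR_USER_NOT_LOGGED_IN."""


def key_requires_context_login(session, key) -> bool:
    """True if the key object has CKA_ALWAYS_AUTHENTICATE set."""
    return bool(session.getAttributeValue(key, [CKA_ALWAYS_AUTHENTICATE])[0])


def sign_with_policy(session, key, data, mechanism, ask_pin):
    """Sign `data`, asking for the PIN only when the key's policy demands it.

    `ask_pin` is a callable (prompt, agent lookup, ...). It is invoked for every
    signature on a CKA_ALWAYS_AUTHENTICATE key and never for other keys, so a
    session-cached user PIN is not silently reused where the token forbids it.
    """
    if key_requires_context_login(session, key):
        session.login(ask_pin(), user_type=CKU_CONTEXT_SPECIFIC)
    return session.sign(key, data, mechanism)


class FakeSession:
    """Constructed stand-in for a PyKCS11 session (not the real class).

    Keys are ints; `always_auth` lists those flagged CKA_ALWAYS_AUTHENTICATE.
    A context-specific login unlocks exactly one private-key operation.
    """

    def __init__(self, pin, always_auth):
        self._pin, self._always_auth = pin, set(always_auth)
        self.user_logged_in, self._context_unlocked = False, False
        self.logins = []  # user_type history, for inspection

    def getAttributeValue(self, key, attrs):
        return [key in self._always_auth if a == CKA_ALWAYS_AUTHENTICATE else None
                for a in attrs]

    def login(self, pin, user_type=CKU_USER):
        if pin != self._pin:
            raise ValueError("CKR_PIN_INCORRECT")
        self.logins.append(user_type)
        if user_type == CKU_CONTEXT_SPECIFIC:
            self._context_unlocked = True
        else:
            self.user_logged_in = True

    def sign(self, key, data, mechanism):
        if not self.user_logged_in:
            raise ContextLoginRequired("CKR_USER_NOT_LOGGED_IN")
        if key in self._always_auth:
            if not self._context_unlocked:
                raise ContextLoginRequired("CKR_USER_NOT_LOGGED_IN")
            self._context_unlocked = False  # one operation per context login
        return b"sig(" + bytes(data) + b")"


def demo():
    """Sign twice with a policy key and once with a plain key; return the PIN prompt count."""
    prompts = []
    ask = lambda: prompts.append(1) or "123456"  # constructed PIN
    s = FakeSession("123456", always_auth=[1])
    s.login("123456")  # the normal user login, cached for the session
    sign_with_policy(s, 1, b"a", None, ask)
    sign_with_policy(s, 1, b"b", None, ask)
    sign_with_policy(s, 2, b"c", None, ask)
    return len(prompts)  # 2: one per signature on the CKA_ALWAYS_AUTHENTICATE key


def sign_on_token(module_path, pin, data, slot=None):
    """Hardware path: the same policy against a real module via PyKCS11 (assumed installed)."""
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[0] if slot is None else slot
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    key = session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)])[0]
    mech = PyKCS11.Mechanism(PyKCS11.CKM_SHA256_RSA_PKCS, None)
    try:
        return bytes(sign_with_policy(session, key, data, mech, lambda: pin))
    finally:
        session.logout()
        session.closeSession()
```

Run demo() to see that two signatures with the flagged key cost two PIN prompts while the plain key costs none; calling FakeSession.sign directly on the flagged key after only the user login raises the CKR_USER_NOT_LOGGED_IN stand-in, which is the behaviour the old pkcs11-helper masked by replaying the cached PIN.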

invidian commented 2 years ago

I also found https://github.com/OpenSC/OpenSC/issues/1769, which says that the policies are actually not really readable, nor part of the standard, so that seems like an actual bug fix then, as you're saying...

Still, the behavior is now worse if one falls back to pin_cache_ignore_user_consent = true, as the PIN is also re-used when the key is unplugged. Maybe this could be somehow addressed instead.

alonbl commented 2 years ago

OpenSC should be fixed to clear cache when session disconnects so that the settings will be effective during a single session.

invidian commented 2 years ago

Hmm, any suggestions on how and where it should be reported? I still don't quite understand how OpenSC works, as it seemed stateless to me.

BTW, the following workaround can be used to force-kill the session on YubiKey disconnect:

$ cat /etc/udev/rules.d/80-yubikey-actions.rules
ACTION=="remove", ENV{ID_VENDOR}=="Yubico", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010|0111|0112|0113|0114|0115|0116|0401|0402|0403|0404|0405|0406|0407|0410", RUN+="/usr/bin/killall gnupg-pkcs11-scd"

It still seems less secure than the previous version. Perhaps some extra timer to periodically re-ask for the PIN should be set.

alonbl commented 2 years ago

Hi, please send a debug log of gnupg-pkcs11-scd, without the udev rule of course, so I can see the behavior of the provider. Thanks,

invidian commented 2 years ago

Hmm, odd. Now with just pin_cache_ignore_user_consent = true and no udev rule, everything seems to be working as expected. Perhaps a reboot was required for some reason after the updates. I'll close it for now until I can reproduce it and gather logs. Thanks!