frankmorgner / OpenSCToken

Use OpenSC in macOS CryptoTokenKit.
GNU General Public License v3.0

How to reset a smart card in CTK? #51

Open frankmorgner opened 1 year ago

frankmorgner commented 1 year ago

I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example). The CryptoTokenKit documentation doesn't seem to have an API for that.

Does anyone have an idea how to implement this?

Note that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state so that related keys can be misused by any other CTK session or even via the PC/SC interface.

ElMostafaIdrassi commented 1 year ago

IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning TKErrorCodeAuthenticationNeeded.

That being said, have you tried playing with TKSmartCard's beginSessionWithReply and endSession? Maybe calling endSession triggers a reset of the card?

frankmorgner commented 1 year ago

> IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning TKErrorCodeAuthenticationNeeded.

Yes, it keeps track of the PIN verification (we set smartCard.sensitive = TRUE for this). However, imagine the session being deleted and the program stopped, then there are still tokens like the Yubikey which cannot delete the authentication state. Such tokens would be unlocked for any program that connects to the card (even via PC/SC) without PIN verification.

> That being said, have you tried playing with TKSmartCard's beginSessionWithReply and endSession? Maybe calling endSession triggers a reset of the card?

Yes, in OpenSC we use beginSessionWithReply/endSession to lock the card, which does not reset the token.

ElMostafaIdrassi commented 1 year ago

That is quite interesting. I wouldn't be surprised if the reset is yet another missing feature in the CryptoTokenKit framework.