Open frankmorgner opened 1 year ago

I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example). The CryptoTokenKit documentation doesn't seem to have an API for that.

Does anyone have an idea how to implement this?

Note that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state, so that related keys can be misused by any other CTK session or even via the PC/SC interface.

IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning `TKErrorCodeAuthenticationNeeded`.

That being said, have you tried playing with `TKSmartCard`'s `beginSessionWithReply` and `endSession`? Maybe calling `endSession` triggers a reset of the card?

> IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning `TKErrorCodeAuthenticationNeeded`.

Yes, it keeps track of the PIN verification (we set `smartCard.sensitive = TRUE` for this). However, imagine the session being deleted and the program stopped; then there are still tokens like the YubiKey which cannot delete the authentication state. Such tokens would be unlocked for any program that connects to the card (even via PC/SC) without PIN verification.

> That being said, have you tried playing with `TKSmartCard`'s `beginSessionWithReply` and `endSession`? Maybe calling `endSession` triggers a reset of the card?

Yes, in OpenSC we use `beginSessionWithReply`/`endSession` to lock the card, which does not reset the token.

That is quite interesting. I wouldn't be surprised if the reset is yet another missing feature in the CryptoTokenKit framework.
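A small probe for the failure mode discussed in this thread, added here as an example and not part of the issue or of OpenSC's code: it opens its own CryptoTokenKit session and asks the card whether a PIN is still reported as verified, so you can run it after your application has exited and see whether the token dropped its authenticated state. It assumes a PIV-style applet (the standard PIV AID `A0 00 00 03 08`) whose VERIFY command with an empty data field answers `90 00` when the PIN is verified and `63 Cx` with the remaining retries when it is not, which is ISO 7816-4 / NIST SP 800-73 behaviour; the PIN reference `0x80` and the `describeVerifyStatus` mapping are likewise assumptions for that applet and may differ on other cards.

```swift
import Foundation
import CryptoTokenKit

// Added example (not OpenSC code). Assumptions: a PIV-style applet is present,
// and an empty VERIFY reports the current PIN state (90 00 = verified,
// 63 Cx = not verified, x retries left). Other applets may answer differently.
let pivAID: [UInt8] = [0xA0, 0x00, 0x00, 0x03, 0x08]               // standard PIV AID
let selectPIV = Data([0x00, 0xA4, 0x04, 0x00, UInt8(pivAID.count)] + pivAID)
let verifyStatus = Data([0x00, 0x20, 0x00, 0x80])                   // VERIFY, PIN ref 0x80, no data

/// Extracts the two status bytes (SW1 SW2) from a response APDU.
func statusWord(_ response: Data) -> UInt16? {
    guard response.count >= 2 else { return nil }
    let tail = Array(response.suffix(2))
    return UInt16(tail[0]) << 8 | UInt16(tail[1])
}

/// Interprets the status word returned by an empty VERIFY (assumed PIV semantics).
func describeVerifyStatus(_ sw: UInt16) -> String {
    switch sw {
    case 0x9000:          return "PIN is VERIFIED: an authenticated state is still live on the card"
    case 0x63C0...0x63CF: return "PIN not verified (\(sw & 0x0F) retries left)"
    case 0x6983:          return "PIN blocked"
    default:              return String(format: "unexpected SW %04X", sw)
    }
}

/// Runs SELECT + empty VERIFY inside a CTK session, prints the result, ends the session.
func probeVerificationState(_ card: TKSmartCard, done: @escaping () -> Void) {
    card.beginSession { ok, error in
        guard ok else {
            print("beginSession failed: \(String(describing: error))"); done(); return
        }
        card.transmit(selectPIV) { _, _ in
            card.transmit(verifyStatus) { response, error in
                if let response = response, let sw = statusWord(response) {
                    print(describeVerifyStatus(sw))
                } else {
                    print("transmit failed: \(String(describing: error))")
                }
                // Ends the session (releases the lock); as noted in the thread,
                // this does not by itself reset the card.
                card.endSession()
                done()
            }
        }
    }
}

guard let manager = TKSmartCardSlotManager.default, let slotName = manager.slotNames.first else {
    fatalError("no smart card slot available")
}

let finished = DispatchSemaphore(value: 0)
manager.getSlot(withName: slotName) { slot in
    guard let slot = slot, let card = slot.makeSmartCard() else {
        print("no card in slot \(slotName)"); finished.signal(); return
    }
    probeVerificationState(card) { finished.signal() }
}
finished.wait()
```

Build it as a command-line tool (`swiftc probe.swift -o probe`) and run it with the token inserted after the application under test has called `endSession` and exited. A `VERIFIED` result means the card kept its authenticated state across sessions, which is exactly the situation the issue describes; a `63 Cx` result means the token does clear that state on its own.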