latchset / kryoptic

a pkcs#11 software token written in Rust
GNU General Public License v3.0

Support for CKA_ALWAYS_AUTHENTICATE #70

Closed Jakuje closed 2 months ago

Jakuje commented 2 months ago

The CKA_ALWAYS_AUTHENTICATE attribute should enforce that the private key is used only immediately after the user consent (PIN) is provided.

The attribute can be provided as any other object when writing or generating a private key and should be visible to the user.

This login state should be tracked as part of the session, which already carries information on whether the session is in a logged-in state. This needs to set a specific flag when Login was called, and it needs to be reset when a different function is called.
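
A minimal model of the session tracking described in this issue, added here as an example; it is not kryoptic's code and does not come from the issue author. The `Session`, `PrivateKey` and `Error` types and the `other_call` method are hypothetical names, and the "signature" is a placeholder byte reversal.

```rust
// Added illustration; all names are hypothetical, not kryoptic's API.
#[derive(Debug, PartialEq)]
pub enum Error { UserNotLoggedIn, PinIncorrect }

pub struct PrivateKey { pub always_authenticate: bool } // models CKA_ALWAYS_AUTHENTICATE

pub struct Session {
    logged_in: bool,   // login state the session already carries
    fresh_login: bool, // set by login(), reset by any other call
    pin: String,
}

impl Session {
    pub fn new(pin: &str) -> Self {
        Session { logged_in: false, fresh_login: false, pin: pin.to_string() }
    }

    pub fn login(&mut self, pin: &str) -> Result<(), Error> {
        self.fresh_login = false;
        if pin != self.pin { // plain comparison, acceptable only in this model
            return Err(Error::PinIncorrect);
        }
        self.logged_in = true;
        self.fresh_login = true;
        Ok(())
    }

    // Stand-in for any function other than login() or a private key operation.
    pub fn other_call(&mut self) { self.fresh_login = false; }

    pub fn sign(&mut self, key: &PrivateKey, data: &[u8]) -> Result<Vec<u8>, Error> {
        // Take the flag first so it is consumed whether or not the call succeeds.
        let fresh = std::mem::replace(&mut self.fresh_login, false);
        if !self.logged_in || (key.always_authenticate && !fresh) {
            return Err(Error::UserNotLoggedIn);
        }
        Ok(data.iter().rev().copied().collect()) // placeholder, not a real signature
    }
}

fn main() {
    let key = PrivateKey { always_authenticate: true };
    let mut s = Session::new("1234"); // constructed sample PIN
    s.login("1234").unwrap();
    println!("first use:  {:?}", s.sign(&key, b"msg").map(|v| v.len()));
    println!("second use: {:?}", s.sign(&key, b"msg").map(|v| v.len()));
}
```

Because the flag is taken before the check, a second `sign` with the same key fails until `login` is called again, while keys without the attribute only need the ordinary logged-in state.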