Is force_login supposed to prompt user to re-enter their PIN? #535

totszwai · 2024-06-21T18:56:18Z

https://github.com/OpenSC/libp11/blob/master/src/eng_back.c#L211

Looking at the code, if force_login is set, and they are already logged in, it just returns true.

Shouldn't we force it to log out first if force_login is enabled?

+	if (ctx->force_login && slot_logged_in(ctx, slot))
+        	PKCS11_logout(slot);
+
 	if (!(ctx->force_login || tok->loginRequired) || slot_logged_in(ctx, slot))
 		return 1;

The text was updated successfully, but these errors were encountered:

olszomal · 2024-11-12T14:43:34Z

According to the PKCS #11 Cryptographic Token Interface Base Specification Version 3.0, the CK_TOKEN_INFO structure includes the CKF_LOGIN_REQUIRED flag, which is set to True if there are cryptographic operations that require the user to be logged in.

However, some tokens do not have the CKF_LOGIN_REQUIRED flag set. In these cases, providing the token PIN via the PIN command fails, while entering it interactively when prompted by the engine works correctly.

The FORCE_LOGIN command can enforce a login to the token when the CKF_LOGIN_REQUIRED flag is not set.

In my opinion, enforcing a logout is unnecessary in this case. I recommend closing this issue.

mtrojnar added the question label Jun 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is force_login supposed to prompt user to re-enter their PIN? #535

Is force_login supposed to prompt user to re-enter their PIN? #535

totszwai commented Jun 21, 2024

olszomal commented Nov 12, 2024

Is force_login supposed to prompt user to re-enter their PIN? #535

Is force_login supposed to prompt user to re-enter their PIN? #535

Comments

totszwai commented Jun 21, 2024

olszomal commented Nov 12, 2024