2

I installed OpenSC 0.18 and added the PKCS11 DLL as a security device provider in Firefox 61. I can "unlock" my smart card from the Security Devices dialog, and get prompted for the PIN as expected. But, when I visit a site that wants to use the card for authentication, I get prompted for a PIN before even being asked to select a certificate. Then, I get prompted many more times (5-10) before the login process completes. Visiting the same site from a Linux box (using coolkey drivers) results in a single PIN prompt.

I'm using the default config file for OpenSC, which I think means PIN caching should be enabled. I don't even know if this is a Firefox problem, OpenSC problem, or something specific to the site in question. How can I stop this excessive prompting?

Coderer
  • Please clarify what smart card you are using (I assume it is PIV). You should be able to use the OpenSC also on the Linux box to verify that it is not the issue of Windows -- I don't have any experience with using smart cards there. Using the `pin_cache_ignore_user_consent` option might also solve your issues. – Jakuje Jul 30 '18 at 11:48
  • Thanks for following up, I should have updated this question when I solved the problem. [This question](https://github.com/OpenSC/OpenSC/issues/1436) has the details but the short version is, the ID is dual CAC/PIV, the site was configured to request the DS cert (not ID) from the PIV module, and the PIV applet always requires a PIN when using the DS cert. The site could fix this by requesting ID instead of DS. In the meantime, I fixed it by forcing the CAC driver, which doesn't force pin-per-use for DS access. – Coderer Jul 30 '18 at 13:36
  • Glad to hear you solved your problem. Please fill in an answer on how you resolved your issue so others who might stumble upon that will know what to do. The dual cards are hard to deal with. – Jakuje Jul 30 '18 at 14:10

2 Answers

3

The multiple prompts for PINs may be caused by the PKCS11 module returning wrong information on the login state of the card. It could also be caused by the setting in the `opensc.conf` file, for example `disconnect=reset;`.

More information is needed. See Using-OpenSC on how to use PKCS#11 Spy and how to get an opensc-debug.log.

If this appears to be an OpenSC issue, continue the discussion by submitting an issue at OpenSC Issues.

  • I will follow up with a detailed debug log on the project issue tracker; if it's an easy fix, I'll report back here. – Coderer Jul 23 '18 at 11:08
  • It was an easy fix, sort of. See the comment I just left on the question, but in my case the answer was "force use of the `cac` driver in the config file". – Coderer Jul 30 '18 at 13:36
0

For posterity: my specific issue was caused by the site requesting a DS cert from the PIV applet, which always requests the PIN each time the DS cert is accessed. The long term solution would be for the site to request the ID cert rather than the DS one. The short term solution is to update `opensc.conf` to include the line `force_card_driver = cac;`. This means that OpenSC will use the CAC driver instead of the PIV driver.

Coderer
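Where the workaround from the answer above sits in `opensc.conf`, as an added example that is not part of the original post or of the OpenSC project's shipped file. It assumes the stock layout with a single `app default` block; the commented-out line is the alternative option mentioned in the comments on the question.

```conf
# opensc.conf fragment (added example; assumes the stock "app default" layout)
app default {
    # Workaround from the answer: make OpenSC use the CAC driver instead of
    # the PIV driver for the dual CAC/PIV card.
    force_card_driver = cac;

    framework pkcs15 {
        # Alternative suggested in the comments on the question; left
        # disabled here because the answer did not need it.
        # pin_cache_ignore_user_consent = true;
    }
}
```

The forced driver applies to every card this application profile sees, not just the dual CAC/PIV card, so it is worth reverting once the site requests the ID cert instead of the DS cert.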