Programmatically unlock PIV slot 9a with OpenSC for another application
I'm using a Yubikey 4 with a certificate loaded in PIV slot 9a (PIV Authentication; OpenSC slot 0).

Inside Firefox 64, I am using the OpenSC PKCS#11 driver.

What I want to accomplish is to "unlock" this slot (I am not sure if unlock is the right word here) from, say, a shell script, by supplying my user PIN once. Afterwards, Firefox should be able to use this slot without prompting the user for the PIN (Firefox should see the slot as "logged in").

I hoped I could use something along the lines of pkcs11-tool -l --login-type user -L on the command line. This command in itself works, but it does not cause the slot to transition into a "logged in" state in Firefox. Firefox will still ask for the PIN the first time the website is opened.

Output of pkcs11-tool -l --login-type user -L:

    Available slots:
    Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID
      token label        : #redacted#
      token manufacturer : piv_II
      token model        : PKCS#15 emulated
      token flags        : login required, rng, token initialized, PIN initialized
      hardware version   : 0.0
      firmware version   : 0.0
      serial num         : 0001112223334445
      pin min/max        : 4/8
    Logging in to "#redacted#".
    Please enter User PIN:

OpenSC version in use:

    $ opensc-tool -i
    OpenSC 0.19.0 [gcc 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]
    Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)

To me, the OpenSC configuration parameter "lock_login" seems to describe what I want:

    By default, the OpenSC PKCS#11 module will not lock your card once you authenticate to the card via C_Login (Default: false). Thus other users or other applications are not prevented from connecting to the card and performing crypto operations (which may be possible because you have already authenticated with the card).

I did not manually set any OpenSC configuration values. In my understanding, running the above pkcs11-tool command invokes C_Login -- but the slot is still not usable without PIN entry in Firefox.

Is this something that can be accomplished with OpenSC?
Tags: yubikey opensc
asked Dec 23 '18 at 16:59 by Alex
          1 Answer
You can set "use_pin_caching = true;" so OpenSC will cache the PIN when an application starts and use it again if needed.

Most Yubico devices did not correctly implement the handling of a "Select AID" command to select an applet on the card, and the NIST specification says the PIV applet will be the default applet on power up. This causes problems when trying to hold login state while multiple applications try to use the token. (Look for "card_issues" in card-piv.c in the OpenSC source.)

Firefox does what most applications do: assume a login is needed the first time. So using a script to verify the PIN will not help.

Also look at "card_drivers = PIV-II;" to avoid another application running a "Select AID" for a card you do not have, which can also lose the login state. (card_issues = CI_OTHER_AID_LOSE_STATE)
answered Dec 24 '18 at 20:18 by Douglas Engert
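Putting the answer's two settings next to the lock_login option the question mentions, here is an opensc.conf fragment. This is an added example, not part of the question or the answer and not OpenSC's shipped configuration; the block nesting (card_drivers directly under app default, use_pin_caching under framework pkcs15, lock_login under app opensc-pkcs11 / pkcs11) is assumed from the layout of the stock opensc.conf that ships with OpenSC 0.19, so compare it with the opensc.conf of your own build before relying on it.

```conf
# Added example, not from the question, the answer or the OpenSC project.
# Block placement assumed from the stock OpenSC 0.19 opensc.conf layout.

app default {
    # Load only the PIV driver. With the full driver list, another driver
    # probing the reader can send a "Select AID" for an applet the YubiKey
    # does not have, which drops the PIV applet's login state
    # (card_issues = CI_OTHER_AID_LOSE_STATE in card-piv.c).
    card_drivers = PIV-II;

    framework pkcs15 {
        # Keep the PIN verified by this process in its own memory and let
        # OpenSC present it again if the token's login state is lost.
        # The cache is per process: it does not hand the login to Firefox
        # or any other application, each of which still verifies once.
        use_pin_caching = true;
    }
}

app opensc-pkcs11 {
    pkcs11 {
        # lock_login only keeps OTHER processes away from the card after
        # this process has called C_Login; it never shares the login with
        # them, which is why it does not solve the question's problem.
        # Left at its default (false) here.
        # lock_login = true;
    }
}
```

Two things to weigh before enabling this. First, the PIN cache buys robustness within one application (OpenSC can re-verify on its own when the YubiKey loses login state mid-session) and restricting card_drivers removes the most common trigger of that loss; neither changes the first PIN prompt in Firefox, which the answer explains is inherent to how applications use PKCS#11. Second, with use_pin_caching the cleartext PIN stays resident in each application's process memory for the life of the session, so anything that can read that process (a debugger, a core dump, a memory-disclosure bug) can read the PIN; that is the trade-off for not being prompted again.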