Programmatically unlock PIV slot 9a with OpenSC for another application
I'm using a Yubikey 4 with a certificate loaded in PIV slot 9a (PIV Authentication; OpenSC slot 0).
Inside Firefox 64, I am using the OpenSC PKCS#11 driver.
What I want to accomplish is to "unlock" this slot (I am not sure if unlock is the right word here) from, say, a shell script, by supplying my user PIN once. Afterwards, Firefox should be able to use this slot without prompting the user for the PIN (Firefox should see the slot as "logged in").
I hoped I could use something along the lines of pkcs11-tool -l --login-type user -L on the command line. This command in itself works, but it does not cause the slot to transition into a "logged in" state in Firefox. Firefox will still ask for the PIN the first time the website is opened.
Output of pkcs11-tool -l --login-type user -L:
Available slots:
Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID
token label : #redacted#
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 0001112223334445
pin min/max : 4/8
Logging in to "#redacted#".
Please enter User PIN:
$ opensc-tool -i
OpenSC 0.19.0 [gcc 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]
Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
To me, the OpenSC configuration parameter "lock_login" seems to describe what I want:
By default, the OpenSC PKCS#11 module will not lock your card once you authenticate to the card via C_Login (Default: false). Thus other users or other applications are not prevented from connecting to the card and performing crypto operations (which may be possible because you have already authenticated with the card).
I did not manually set any OpenSC configuration values. In my understanding, running the above pkcs11-tool command invokes C_Login -- but the slot is still not usable without PIN entry in Firefox.
Is this something that can be accomplished with OpenSC?
yubikey opensc
asked Dec 23 '18 at 16:59
Alex
1 Answer
You can set "use_pin_caching = true;" so OpenSC will cache the PIN when an application starts and use it again if needed.
Most Yubico devices did not correctly implement the handling of a "Select AID" command to select an applet on the card, and the NIST specification says the PIV applet will be the default applet on power-up. This causes problems when trying to hold login state while multiple applications try to use the token. (Look for "card_issues" in card-piv.c in the OpenSC source.)
Firefox does what most applications do: assume a login is needed the first time. So using a script to verify the PIN will not help.
Also look at "card_drivers = PIV-II;" to avoid another application running a "Select AID" for a card you do not have, which can also lose the login state. (card_issues = CI_OTHER_AID_LOSE_STATE)
answered Dec 24 '18 at 20:18
Douglas Engert
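The two settings named in the answer, placed next to the lock_login option the question quotes, as they sit in opensc.conf. This is an added example, not configuration from the question, the answer or the OpenSC project; it assumes the section layout of OpenSC 0.19's opensc.conf (app default, framework pkcs15, app opensc-pkcs11), and the file's location is installation-specific. None of these settings make a PIN verified by pkcs11-tool visible to Firefox: in PKCS#11 the login state belongs to the application that called C_Login, and OpenSC's PIN cache is memory inside that process, which is why the answer says a script will not help.

```conf
# opensc.conf (added example; section names follow OpenSC 0.19's layout,
# the file location such as /etc/opensc.conf is an assumption)

app default {
    # Restrict driver detection to the PIV driver so OpenSC never sends a
    # "Select AID" for some other card type while probing the token. On a
    # YubiKey that SELECT can drop the PIV applet's verified-PIN state
    # (card_issues CI_OTHER_AID_LOSE_STATE in card-piv.c).
    card_drivers = PIV-II;

    framework pkcs15 {
        # Keep the PIN in this process's memory after C_Login so OpenSC can
        # re-verify it transparently if the applet loses login state.
        # The cache belongs to the process that called C_Login (Firefox),
        # so a PIN verified by pkcs11-tool in another process is never
        # available here.
        use_pin_caching = true;
    }
}

app opensc-pkcs11 {
    pkcs11 {
        # This is the default. Setting it to true makes OpenSC hold the
        # card lock after C_Login so other applications cannot use the card
        # at all: an isolation knob, not a way to share a login with
        # another application.
        lock_login = false;
    }
}
```

Keep lock_login at false for the asker's goal; true would block every other process from the reader for the lifetime of the Firefox login, and pkcs11-tool would then also fail to open the card while Firefox holds it.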