Csdrhrt

I'm using a Yubikey 4 with a certificate loaded in PIV slot 9a (PIV Authentication; OpenSC slot 0).

Inside Firefox 64, I am using the OpenSC PKCS#11 driver.

What I want to accomplish is to "unlock" this slot (I am not sure if unlock is the right word here) from, say, a shell script, by supplying my user PIN once. Afterwards, Firefox should be able to use this slot without prompting the user for the PIN (Firefox should see the slot as "logged in").

I hoped I could use something along the lines of pkcs11-tool -l --login-type user -L on the command line. This command in itself works, but it does not cause the slot to transition into a "logged in" state in Firefox. Firefox will still ask for the PIN the first time the website is opened.

Output of pkcs11-tool -l --login-type user -L:

Available slots:

Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID

  token label        : #redacted#

  token manufacturer : piv_II

  token model        : PKCS#15 emulated

  token flags        : login required, rng, token initialized, PIN initialized

  hardware version   : 0.0

  firmware version   : 0.0

  serial num         : 0001112223334445

  pin min/max        : 4/8

Logging in to "#redacted#".

Please enter User PIN:

$ opensc-tool -i

OpenSC 0.19.0 [gcc  4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)

To me, the OpenSC configuration parameter "lock_login" seems to describe what I want:

By default, the OpenSC PKCS#11 module will not lock your card once you authenticate to the card via C_Login (Default: false). Thus the other users or other applications is not prevented from connecting to the card and perform crypto operations (which may be possible because you have already authenticated with the card).

I did not manually set any OpenSC configuration values. In my understanding, running the above pkcs11-tool command invokes C_Login -- but the slot is still not usable without PIN entry in Firefox.

Is this something that can be accomplished with OpenSC?

You can "use_pin_caching = true;" so OpenSC will cache the pin when an application starts and use it again if needed.

Most Yubico devices did not correctly implement the handling of a "Select AID" command to select an applet on the card and the NIST specifications says the PIV applet will be the default applet on power up. These causes problems on trying to hold login state when multiple applications try and use the token. (Look for "card_issues" in card-piv.c in OpenSC source.)

FireFox does what most applications do - assume a login is needed the first time. So using a script to verify the PIN will not help.

Also look at "card_drivers = PIV-II;" to avoid another application running a "Select AID" for a card you do not have, which can also lose the login state. (card_issues = CI_OTHER_AID_LOSE_STATE)