[Tokend-Dev] Multiple PIN Handling/On-Access PIN in TokenD

Thomas Harning Jr. thomas.harning at trustbearer.com
Thu Nov 19 21:29:05 PST 2009


On Tue, Oct 6, 2009 at 10:13 AM, Thomas Harning Jr.
<thomas.harning at trustbearer.com> wrote:
> I'm working on writing a TokenD for a device with two applets on it.
> The share the same PIN, however there is an oddity that I'm trying to
> manage inside the TokenD.
>
> Applets A and B
>
> Select A, Verify PIN
>  Authenticated to A until reset (even if select B)
> Select B, Verify PIN
>  Authenticated to B until reset, or select anything else, including A
>
> I've tried using 2 PIN slots in the TokenD and assigning the relevant
> Records and KeyHandles to use slot 1 for applet A's items and slot 2
> for applet B's items... and it seems to "get it" when it needs to
> authenticate for using applet B's items the first time... however when
> it goes and checks for pinStatus the second time around after it had
> authenticated once to B, it looks for the pinStatus on slot 1... not
> the slot 2 that is assigned as the owner and the necessary ACL
> authorizer for decrypt/sign...
>
> Is there some other place that needs to be setup to deal with 2 PIN
> slots properly?
>
> the Token class adds the PWSubject and PromptPWSubject to its list of
> pin types for both slot 1 and 2.
>
> the Record and KeyHandle objects put the PinSubject entries for
> sign/decrypt to slot 1 and 2 for the right handles/etc...
>
> the Record and KeyHandle objects also return that the owner is the
> relevant PinSubject (this wasn't required to get the 1st authorization
> to use the right slot, but as added in an attempt to get it working
> for subsequent auth)
>
> I've also tried to use the PromptPWSubject, and that brings up a
> prompt box, but passes an empty PIN back for authentication...... not
> so useful.
>
> Is there anything else I need to do?  I've heard that Securityd does
> tons of caching.. but if requests for pinStatus multiple times for
> each authentication, so I'd expect that it should use the associated
> pin number when trying to authenticate for key usage...
Ping... Is there some documentation/examples that I do not know about?
 Any ideas from anybody on how to handle this?


-- 
Thomas Harning Jr.


More information about the Tokend-Dev mailing list