Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
Re: Multiple PIN Handling/On-Access PIN in TokenD
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple PIN Handling/On-Access PIN in TokenD



On Tue, Oct 6, 2009 at 10:13 AM, Thomas Harning Jr.
<email@hidden> wrote:
> I'm working on writing a TokenD for a device with two applets on it.
> The share the same PIN, however there is an oddity that I'm trying to
> manage inside the TokenD.
>
> Applets A and B
>
> Select A, Verify PIN
>  Authenticated to A until reset (even if select B)
> Select B, Verify PIN
>  Authenticated to B until reset, or select anything else, including A
>
> I've tried using 2 PIN slots in the TokenD and assigning the relevant
> Records and KeyHandles to use slot 1 for applet A's items and slot 2
> for applet B's items... and it seems to "get it" when it needs to
> authenticate for using applet B's items the first time... however when
> it goes and checks for pinStatus the second time around after it had
> authenticated once to B, it looks for the pinStatus on slot 1... not
> the slot 2 that is assigned as the owner and the necessary ACL
> authorizer for decrypt/sign...
>
> Is there some other place that needs to be setup to deal with 2 PIN
> slots properly?
>
> the Token class adds the PWSubject and PromptPWSubject to its list of
> pin types for both slot 1 and 2.
>
> the Record and KeyHandle objects put the PinSubject entries for
> sign/decrypt to slot 1 and 2 for the right handles/etc...
>
> the Record and KeyHandle objects also return that the owner is the
> relevant PinSubject (this wasn't required to get the 1st authorization
> to use the right slot, but as added in an attempt to get it working
> for subsequent auth)
>
> I've also tried to use the PromptPWSubject, and that brings up a
> prompt box, but passes an empty PIN back for authentication...... not
> so useful.
>
> Is there anything else I need to do?  I've heard that Securityd does
> tons of caching.. but if requests for pinStatus multiple times for
> each authentication, so I'd expect that it should use the associated
> pin number when trying to authenticate for key usage...
Ping... Is there some documentation/examples that I do not know about?
 Any ideas from anybody on how to handle this?


--
Thomas Harning Jr.
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.