Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
Re: Lock/Unlock a Smart Card Keychain causing problem...
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Lock/Unlock a Smart Card Keychain causing problem...

On Oct 31, 2006, at 8:02 AM, Harsh Sangal wrote:

I can successfully unlock my Smart Card keychain using the "Keychain Access" utility. Upon clicking the lock icon, it asks for Smart card PIN and entering the valid pin unlocks the Smart Card keychain. But clicking the unlock icon does not cause the Smart Card keychain back to lock state. Debugging the underlying Smart Card tokend, I found that clicking the "lock" icon invokes tokend's verifyPIN(...) callback but clicking the "unlock" icon does not invoke tokend's unverifyPIN(...) callback. So clicking the "unlock" icon does not change the state of the Smart Card keychain and it remains in the "unlock" state. I have implemented both verifyPIN(...) / unverifyPIN(...) callback in tokend code. But the unverifyPIN(...) does not get called. I have written the tokend based upon the CAC/ BELPIC tokends sample code. Regarding other usage of tokend such as mail signing/encryption/decryption, SSL client authentication using Safari work well with my Smart Card tokend. I would appreciate if this can be answered,

I can't speak to the internal organization of your tokend, so I don't know what code (if any) is hooked up to your unverifyPIN function or method.

At the callback interface, a "general lock" translates to a call to your authenticate() callback with a mode of CSSM_DB_ACCESS_RESET. You may want to trace the code from there to see how it thinks it works.

Note that a "lock" operation in Keychain Access does *not* translate to an "unverify" on any particular PIN. A smart card can have multiple PINs, and a "general lock" is actually a card reset operation, rather than an operation on PINs. It instructs the card (via its tokend) to relinquish *all* locked (cached) access validations it may hold, effectively returning it to the authorization state it was in when first inserted. This does naturally include un-verifying all PINs, but depending on your card's nature may involve additional steps (such as forgetting that you've seen an authorized fingerprint on a built-in reader, etc.)

-- perry
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.

Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden

 >Lock/Unlock a Smart Card Keychain causing problem... (From: "Harsh Sangal" <email@hidden>)

Visit the Apple Store online or at retail locations.

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.