How to reset a smart card in CTK? #51

Open
frankmorgner opened this issue Jun 16, 2023 · 3 comments

@frankmorgner
Owner

I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example).
The CryptoTokenKit documentation doesn't seem to have an API for that.

Does anyone have an idea how to implement this?

Note that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state so that related keys can be misused by any other CTK session or even via the PC/SC interface.

@ElMostafaIdrassi
Contributor

IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning TKErrorCodeAuthenticationNeeded.

That being said, have you tried playing with TKSmartCard's beginSessionWithReply and endSession? Maybe calling endSession triggers a reset of the card?

@frankmorgner
Owner Author

> IMO, the logic of CryptoTokenKit differs from PC/SC, in that it is up to the implementation to keep track of the state of the PIN verification internally, and then request it whenever needed by returning TKErrorCodeAuthenticationNeeded.

Yes, it keeps track of the PIN verification (we set smartCard.sensitive = TRUE for this). However, imagine the session being deleted and the program stopped, then there are still tokens like the Yubikey which cannot delete the authentication state. Such tokens would be unlocked for any program that connects to the card (even via PC/SC) without PIN verification.

> That being said, have you tried playing with TKSmartCard's beginSessionWithReply and endSession? Maybe calling endSession triggers a reset of the card?

Yes, in OpenSC we use beginSessionWithReply/endSession to lock the card, which does not reset the token.

@ElMostafaIdrassi
Contributor

That is quite interesting. I wouldn't be surprised if the reset is yet another missing feature in the CryptoTokenKit framework.
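
The PC/SC reset that the issue refers to, as an added example that is not part of the thread and not OpenSCToken code: it connects to the card in the first PC/SC reader and disconnects with a reset disposition, so a verified PIN does not stay active inside the card. It calls the PC/SC API directly rather than CryptoTokenKit, and whether this can be done from inside a CTK token extension is not established in this thread; the function name `ResetCard` and the file name are assumptions.

```objective-c
// Added example, not OpenSCToken code. Build on macOS:
//   clang reset_card.m -framework Foundation -framework PCSC -o reset_card
#import <Foundation/Foundation.h>
#import <PCSC/winscard.h>

// Connect to the card, then disconnect with a reset disposition so that any
// verified-PIN state held inside the card is gone before another client connects.
// SCARD_RESET_CARD requests a warm reset, SCARD_UNPOWER_CARD powers the card down.
static LONG ResetCard(SCARDCONTEXT ctx, const char *reader, BOOL powerDown) {
    SCARDHANDLE card = 0;
    DWORD protocol = 0;
    // Exclusive access: fails with SCARD_E_SHARING_VIOLATION while another
    // client still holds the card, instead of resetting it underneath them.
    LONG rv = SCardConnect(ctx, reader, SCARD_SHARE_EXCLUSIVE,
                           SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &card, &protocol);
    if (rv != SCARD_S_SUCCESS) return rv;
    return SCardDisconnect(card, powerDown ? SCARD_UNPOWER_CARD : SCARD_RESET_CARD);
}

int main(void) {
    @autoreleasepool {
        SCARDCONTEXT ctx = 0;
        LONG rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &ctx);
        if (rv != SCARD_S_SUCCESS) {
            NSLog(@"SCardEstablishContext failed: 0x%08x", (unsigned int)rv);
            return 1;
        }
        BOOL ok = NO;
        DWORD len = 0;  // size of the reader-name multi-string, terminators included
        rv = SCardListReaders(ctx, NULL, NULL, &len);
        char *readers = (rv == SCARD_S_SUCCESS && len > 1) ? calloc(len, 1) : NULL;
        if (readers != NULL) rv = SCardListReaders(ctx, NULL, readers, &len);
        if (readers == NULL || rv != SCARD_S_SUCCESS) {
            NSLog(@"No reader available: 0x%08x", (unsigned int)rv);
        } else {
            // The first string in the multi-string is the first reader's name.
            rv = ResetCard(ctx, readers, NO);
            ok = (rv == SCARD_S_SUCCESS);
            NSLog(@"Reset of card in \"%s\": 0x%08x", readers, (unsigned int)rv);
        }
        free(readers);
        SCardReleaseContext(ctx);
        return ok ? 0 : 1;
    }
}
```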
