Sunday, December 18. 2016
DNIe 3.0 is now supported by OpenSC
Finally the integration of DNIe 3.0 has been committed and it is working successfully. Today Viktor Tarasov merged my final changes to force caching and increase the number of re-tries when version 3.0 is detected. You can follow the whole process in the DNIe 3.0 bug and the final pull request.
The temporary solution for the CKA_ALWAYS_AUTHENTICATE problem mentioned in the previous entry is to cache both private keys (authentication and signature; the latter is a non-repudiation key) and not label them with that attribute. The recommendation from the OpenSC guys was to force caching and a large number of re-tries (use_pin_caching=true and pin_cache_counter=30000) inside the DNIe initialization. Obviously this is a workaround for a weird implementation in the DNIe, but the forced parameters make DNIe 3.0 work in any situation.
I think that all the people involved (the Spanish people in the bug and the OpenSC members) preferred the option of mixing the two possible solutions: the authentication key would work using the cache (as it does now), but the non-repudiation/signature key would be marked as CKA_ALWAYS_AUTHENTICATE (the cache would not work for it unless explicitly enabled in opensc.conf). Nevertheless, this mixed solution needs a small change in the current PIN cache implementation. It is not very big, but it affects all the other drivers and the general behavior of the library. I am still interested in going for that solution but, for the moment, merging a working DNIe 3.0 was more urgent.
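As an added illustration (not part of the original post or of the OpenSC project files), this is what the explicit opensc.conf setting referred to above looks like. The two keys are the ones named in the post; the surrounding app/framework blocks follow the layout of OpenSC's opensc.conf, and the counter value is only an assumed example:

```conf
# Assumed example fragment of opensc.conf (not the project's shipped file).
# The DNIe 3.0 driver forces use_pin_caching=true and pin_cache_counter=30000
# internally; a user who wants caching for a key marked CKA_ALWAYS_AUTHENTICATE
# would have to enable it here explicitly.
app default {
    framework pkcs15 {
        # Keep the PIN in memory after the first login so the card does not
        # ask for it again before every private-key operation.
        use_pin_caching = true;

        # Number of operations a single cached PIN entry may authorize
        # before a fresh PIN is required (assumed value for this example).
        pin_cache_counter = 10;
    }
}
```

The counter is the knob that matters from a risk point of view: a smaller value limits how many signatures a process holding the cached PIN can produce before the user has to type it again, which is the protection CKA_ALWAYS_AUTHENTICATE is meant to provide per operation.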
If you are worried about caching the PIN of a non-repudiation key, I can only say the following:
The current implementation of the official driver works in the same way (there is a cache, a re-login, and CKA_ALWAYS_AUTHENTICATE is not presented on any key).
The DNIe driver has an option (--enable-dnie-ui at configuration time) that shows a warning message before any use of the non-repudiation key. This warning is a non-standard replacement for the key attribute. I do not know how many distros include the option (but Ubuntu, for example, seems to use it).
As I said, the mixed solution seems to be the best one; it lets us forget about the horrible warning and use the standard CKA_ALWAYS_AUTHENTICATE. Let's see what happens in the future. For the moment, what is sure is that DNIe 3.0 will be available in the next OpenSC version.
Enjoy it!