2

I installed OpenSC 0.18 and added the PKCS11 DLL as a security device provider in Firefox 61. I can "unlock" my smart card from the Security Devices dialog, and get prompted for the PIN as expected. But, when I visit a site that wants to use the card for authentication, I get prompted for a PIN before even being asked to select a certificate. Then, I get prompted many more times (5-10) before the login process completes. Visiting the same site from a Linux box (using coolkey drivers) results in a single PIN prompt.

I'm using the default config file for OpenSC, which I think means PIN caching should be enabled. I don't even know if this is a Firefox problem, OpenSC problem, or something specific to the site in question. How can I stop this excessive prompting?

Coderer
  • 1,700

2 Answers2

3

The multiple prompts for PINs may be caused by the PKCS11 module returning wrong information on the login state of the card. It could also be caused by the setting in the opensc.conf file for example disconnect=reset;

More information is needed. See Using-OpenSC on how to use PKCS#11 Spy and how to get an opensc-debug.log.

If this appears to be an OpenSC issue, continue the discusion be submitting an Issue at OpenSC Issues

Douglas Engert
  • 124
0

For posterity: my specific issue was caused by the site requesting a DS cert from the PIV applet, which always requests the PIN each time the DS cert is accessed. The long term solution would be for the site to request the ID cert rather than the DS One. The short term solution is to update opensc.conf to include the line force_card_driver = cac;. This means that OpenSC will use the CAC driver instead of the PIV driver.

Coderer
  • 1,700