I'm using a Yubikey 4 with a certificate loaded in PIV slot 9a (PIV Authentication; OpenSC slot 0).
Inside Firefox 64, I am using the OpenSC PKCS#11 driver.
What I want to accomplish is to "unlock" this slot (I am not sure if unlock is the right word here) from, say, a shell script, by supplying my user PIN once. Afterwards, Firefox should be able to use this slot without prompting the user for the PIN (Firefox should see the slot as "logged in").
I hoped I could use something along the lines of pkcs11-tool -l --login-type user -L on the command line. This command in itself works, but it does not cause the slot to transition into a "logged in" state in Firefox. Firefox will still ask for the PIN the first time the website is opened.
Output of pkcs11-tool -l --login-type user -L:
    Available slots:
    Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID
      token label        : #redacted#
      token manufacturer : piv_II
      token model        : PKCS#15 emulated
      token flags        : login required, rng, token initialized, PIN initialized
      hardware version   : 0.0
      firmware version   : 0.0
      serial num         : 0001112223334445
      pin min/max        : 4/8
    Logging in to "#redacted#".
    Please enter User PIN:
    $ opensc-tool -i
    OpenSC 0.19.0 [gcc 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]
    Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
To me, the OpenSC configuration parameter "lock_login" seems to describe what I want:
By default, the OpenSC PKCS#11 module will not lock your card once you authenticate to the card via C_Login (Default: false). Thus the other users or other applications is not prevented from connecting to the card and perform crypto operations (which may be possible because you have already authenticated with the card).
I did not manually set any OpenSC configuration values. In my understanding, running the above pkcs11-tool command invokes C_Login -- but the slot is still not usable without PIN entry in Firefox.
Is this something that can be accomplished with OpenSC?