One bad PIN entry locks card

Ernie Kovak
Hello -

We're using NSS (JSS4 and NSS 3.20) with an OpenSC 0.16.0 module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries, of course, and we're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked. 

I've substituted an ActivClient module and found that it does not lock the card, so it seems like OpenSC is retrying with a bad PIN??

If that's true, is there a configuration item that I can set to suppress retries in this case?

Thanks!
Ernie

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: One bad PIN entry locks card

Martin Paljak-4
This seems like a malfunction; by no design should a software component retry a PIN entry, especially if it fails at some stage. A debug log would be helpful.


Re: One bad PIN entry locks card

Douglas E Engert
As Martin said, a debug log would help.
In addition to setting the debug level in opensc.conf, you may want to turn off any PIN caching to see if your problem is related to that.
Or if you have a PIN pad reader, try it. That forces a PIN pad request every time a PIN is needed.

If possible, can you try with OpenSC GitHub master?

-- 

 Douglas E. Engert  [hidden email]
 


Re: One bad PIN entry locks card

Ernie Kovak
PROBLEM SOLVED

Thanks, everyone! The problem turned out to be in our use of JSS. 

The JSS PK11Token login method takes a password callback handler. The handler has a getPasswordAgain method that's used for retries, and returning anything but null will result in a locked card. 

The handler should look something like this: 

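    // Types are from org.mozilla.jss.util (Password, PasswordCallback, PasswordCallbackInfo).
    // `pin` holds the PIN the user entered.
    PasswordCallback pwcb = new PasswordCallback() {
        @Override
        public Password getPasswordFirstAttempt(PasswordCallbackInfo info) throws GiveUpException {
            return new Password(pin.toCharArray());
        }
        @Override
        public Password getPasswordAgain(PasswordCallbackInfo info) throws GiveUpException {
            // Called for retries: return null so the same bad PIN is not sent to the card again.
            return null;
        }
    };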

This results in the expected IncorrectPasswordException when the PIN is bad.

Thanks again -
Ernie


On Mon, Oct 10, 2016 at 10:53 PM, Frank Morgner <[hidden email]> wrote:
> Have you looked at the patches which add support for CAC? https://github.com/OpenSC/OpenSC/pull/841
>
> On 9 October 2016 19:24:13 CEST, Ernie Kovak <[hidden email]> wrote:
>> Hello -
>>
>> We're using NSS (JSS4 and NSS 3.20) with an OpenSC 0.16.0 module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries, of course, and we're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked.
>>
>> I've substituted an ActivClient module and found that it does not lock the card, so it seems like OpenSC is retrying with a bad PIN??
>>
>> If that's true, is there a configuration item that I can set to suppress retries in this case?
>>
>> Thanks!
>> Ernie
>
> --
> Frank Morgner
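
The failure mode described in this thread, as an added example that is not part of the original posts and is not JSS or OpenSC code: a simplified model in which the login loop keeps calling the retry method until it returns null, so a handler that re-sends the same wrong PIN spends all three attempts from a single entry. `Card`, `PinCallback`, `login` and `callback` are hypothetical stand-ins, and the loop behaviour is an assumption based on the description above.

```java
import java.util.Arrays;

/** Simplified stand-in for the behaviour described in this thread; not JSS or OpenSC code. */
public class PinRetryDemo {
    /** Hypothetical two-method callback mirroring the shape of the JSS handler. */
    interface PinCallback {
        char[] firstAttempt();
        char[] again();                 // null means "stop retrying"
    }

    /** Hypothetical card model: locks after 3 consecutive bad PINs. */
    static class Card {
        private final char[] pin;
        private int triesLeft = 3;
        Card(String pin) { this.pin = pin.toCharArray(); }
        boolean verify(char[] candidate) {
            if (triesLeft == 0) return false;              // locked: refuse everything
            if (Arrays.equals(pin, candidate)) { triesLeft = 3; return true; }
            triesLeft--;                                   // each bad PIN costs one try
            return false;
        }
        int triesLeft() { return triesLeft; }
    }

    /** Assumed login loop: ask the callback again until success, null, or a locked card. */
    static boolean login(Card card, PinCallback cb) {
        char[] pin = cb.firstAttempt();
        while (pin != null && card.triesLeft() > 0) {
            boolean ok = card.verify(pin);
            Arrays.fill(pin, '\0');                        // wipe the PIN buffer after use
            if (ok) return true;
            pin = cb.again();
        }
        return false;
    }

    /** Builds a handler that either re-sends the typed PIN on retry or returns null. */
    static PinCallback callback(String typed, boolean resend) {
        return new PinCallback() {
            public char[] firstAttempt() { return typed.toCharArray(); }
            public char[] again() { return resend ? typed.toCharArray() : null; }
        };
    }

    public static void main(String[] args) {
        Card a = new Card("123456"), b = new Card("123456");  // constructed sample PIN
        login(a, callback("000000", true));     // handler re-sends the same wrong PIN
        login(b, callback("000000", false));    // handler returns null on retry
        System.out.println("re-send on retry: tries left = " + a.triesLeft());
        System.out.println("null on retry:    tries left = " + b.triesLeft());
    }
}
```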

