Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check PIN lockout status #455

Open
simo5 opened this issue Oct 24, 2024 · 0 comments · May be fixed by #457
Open

Check PIN lockout status #455

simo5 opened this issue Oct 24, 2024 · 0 comments · May be fixed by #457
Labels
enhancement New feature or request

Comments

@simo5
Copy link
Member

simo5 commented Oct 24, 2024

Describe the feature
The PKCS#11 specification allows a token to expose flags that indicate if the PIN authentication failure count is too high and might soon get locked.
pkcs11-provider should consult these flags on authentication and if the flag CKF_USER_PIN_FINAL_TRY is returned, refuse to attempt a login, and require the user to reset the counter by performing a manual unlock once via tools like pkcs11-tool.

Expected behavior
Never lockup a token by checking token flags before login.

Additional context
Might not work if tokens do not report the flags correctly.
There is also a TOCTOU problem if two threads concurrently try to login, but better than nothing.
@simo5 simo5 added the enhancement New feature or request label Oct 24, 2024
simo5 added a commit to simo5/pkcs11-provider that referenced this issue Oct 24, 2024
@simo5
Add code to prevent locking the token by mistake
12dfe29 
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.

A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.

Fixes: latchset#455

Signed-off-by: Simo Sorce <[email protected]>
@simo5 simo5 linked a pull request Oct 24, 2024 that will close this issue
Open
10 tasks
simo5 added a commit to simo5/pkcs11-provider that referenced this issue Oct 25, 2024
@simo5
Add code to prevent locking the token by mistake
f740d8d 
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.

A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.

Fixes: latchset#455

Signed-off-by: Simo Sorce <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add code to prevent locking the token by mistake simo5/pkcs11-provider
1 participant
@simo5