
JSS/NSS locks my smart card after 1 bad pin entry


JSS/NSS locks my smart card after 1 bad pin entry

Ernie Kovak
Hello -

We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked.

I've searched through NSS to see if there's PIN retry logic, but I didn't see anything, though I quickly got lost in the code so not sure. I'm a java dev...

Is anyone else running a configuration like this that's seeing this behavior? Is there a configuration item that might limit the retries?

Thanks!
Ernie
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS/NSS locks my smart card after 1 bad pin entry

Ernie Kovak
On Friday, October 7, 2016 at 7:56:29 PM UTC-6, Ernie Kovak wrote:

I replaced the OpenSC module with an ActivClient module (acpkcs211.dll) and that module does not lock the card. I've posted a query to the OpenSC forum asking about this.

However, ActivClient displays its own PIN prompt dialog, even though I supply a password callback. Does anyone know how to get around this?

Thanks!
Ernie

Re: JSS/NSS locks my smart card after 1 bad pin entry

Robert Relyea
In reply to this post by Ernie Kovak
On 10/07/2016 06:56 PM, Ernie Kovak wrote:
> Hello -
>
> We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked.
What version of openSC are you using? OpenSC only recently got CAC
support added to it.

Have you tried coolkey?
>
> I've searched through NSS to see if there's PIN retry logic, but I didn't see anything, though I quickly got lost in the code so not sure. I'm a java dev...

NSS itself does not retry bad pins, but it does present the application
the opportunity to retry the pin. It has a flag so applications that
cache the pin can know to discard the cached pin on retry. It could be
an error in the JSS pin handler?
>
> Is anyone else running a configuration like this that's seeing this behavior? Is there a configuration item that might limit the retries?
>
> Thanks!
> Ernie


Re: JSS/NSS locks my smart card after 1 bad pin entry

Ernie Kovak
In reply to this post by Ernie Kovak
Thanks for the reply, Robert!

We're using OpenSC 0.16.0 and it's working well so far. The problem turned out to be exactly what you suggested.

The JSS PK11Token login method takes a password callback handler. The handler has a getPasswordAgain method that's used for retries, and returning anything but null will result in a locked card.

The handler should look something like this:

    import org.mozilla.jss.util.Password;
    import org.mozilla.jss.util.PasswordCallback;
    import org.mozilla.jss.util.PasswordCallbackInfo;

    // pin: the user's PIN as a String, supplied by the enclosing code
    PasswordCallback pwcb = new PasswordCallback() {
        @Override
        public Password getPasswordFirstAttempt(PasswordCallbackInfo info) throws GiveUpException {
            return new Password(pin.toCharArray());
        }
        @Override
        public Password getPasswordAgain(PasswordCallbackInfo info) throws GiveUpException {
            // Returning null declines the retry, so one bad PIN costs one attempt on the card
            return null;
        }
    };
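A fuller version of that handler, as an added example written for this thread (not JSS code and not from the posters): a callback that hands the PIN to the token exactly once and gives up on any retry request, with the login call surfacing a rejected PIN to the caller instead of retrying. The class name and the loginOnce helper are hypothetical; the JSS types used (PasswordCallback, Password, PasswordCallbackInfo, CryptoToken, IncorrectPasswordException, TokenException) are JSS's own.

```java
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
import org.mozilla.jss.util.PasswordCallback;
import org.mozilla.jss.util.PasswordCallbackInfo;

/**
 * Single-attempt PIN callback (hypothetical helper written for this thread).
 * The PIN is handed to JSS exactly once; every retry request is declined, so
 * one wrong PIN consumes one retry counter on the card, never all three.
 */
public final class SingleAttemptPinCallback implements PasswordCallback {
    private char[] pin;                 // released after first use
    private boolean handedOut = false;

    public SingleAttemptPinCallback(char[] pin) {
        this.pin = pin;
    }

    @Override
    public Password getPasswordFirstAttempt(PasswordCallbackInfo info) throws GiveUpException {
        // A second "first attempt" would re-submit the same PIN; refuse instead.
        if (handedOut || pin == null) {
            throw new GiveUpException();
        }
        handedOut = true;
        Password pw = new Password(pin);
        pin = null;                     // drop our cached copy; pw.clear() wipes the chars when done
        return pw;
    }

    @Override
    public Password getPasswordAgain(PasswordCallbackInfo info) throws GiveUpException {
        // The token rejected the PIN. Returning null stops JSS from retrying,
        // which is what keeps the card's remaining-tries counter intact.
        return null;
    }

    /** Logs in once; a rejected PIN is reported to the caller, not retried. */
    public static boolean loginOnce(CryptoToken token, char[] pin) throws TokenException {
        try {
            token.login(new SingleAttemptPinCallback(pin));
            return true;
        } catch (IncorrectPasswordException e) {
            // Let the user decide whether to type the PIN again; each deliberate
            // attempt costs exactly one card retry.
            return false;
        }
    }
}
```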

Re: JSS/NSS locks my smart card after 1 bad pin entry

Ding Yangliang
In reply to this post by Ernie Kovak
Thank you so much. I am in exactly the same situation. Returning null is the key in getPasswordAgain(info). If you put a breakpoint there you can see that it is entered to ask for the password again.

I think it will also work if we implement logic to show a dialog asking the user for the password again, but returning null is the simpler approach.

On Tuesday, October 11, 2016 at 9:11:18 PM UTC+2, Ernie Kovak wrote:

> Thanks for the reply, Robert!
>
> We're using OpenSC 0.16.0 and it's working well so far. The problem turned out to be exactly what you suggested.
>
> The JSS PK11Token login method takes a password callback handler. The handler has a getPasswordAgain method that's used for retries, and returning anything but null will result in a locked card.
>
> The handler should look something like this:
>
>     PasswordCallback pwcb = new PasswordCallback() {
>         @Override
>         public Password getPasswordFirstAttempt(PasswordCallbackInfo info) throws GiveUpException {
>             return new Password(pin.toCharArray());
>         }
>         @Override
>         public Password getPasswordAgain(PasswordCallbackInfo info) throws GiveUpException {
>             return null;
>         }
>     };
