• Ray Strode's avatar
    libcacard: Lock NSS cert db when selecting an applet on an emulated card · 1223bc4c
    Ray Strode authored
    When a process in a guest uses an emulated smartcard, libcacard running
    on the host passes the PIN from the guest to the PK11_Authenticate NSS
    function. The first time PK11_Authenticate is called the passed in PIN
    is used to unlock the certificate database. Subsequent calls to
    PK11_Authenticate will transparently succeed, regardless of the passed in
    PIN. This is a convenience for applications provided by NSS.
    
    Of course, the guest may have many applications using the one emulated
    smart card all driven from the same host QEMU process.  That means if a
    user enters the right PIN in one program in the guest, and then enters the
    wrong PIN in another program in the guest, the wrong PIN will still
    successfully unlock the virtual smartcard.
    
    This commit forces the NSS certificate database to be locked anytime an
    applet is selected on an emulated smartcard by calling vcard_emul_logout.
    Signed-off-by: default avatarRay Strode <rstrode@redhat.com>
    Reviewed-By: default avatarRobert Relyea <rrelyea@redhat.com>
    Reviewed-By: default avatarAlon Levy <alevy@redhat.com>
    Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
    1223bc4c
vcard.c 7.22 KB