1

I can open as many instances of IE7 as I want and I get prompted for a cert each time (but no PIN). However, if I close any of the instances of IE7, then on the next open I get the PIN prompt. So it seems to me that the IE7 program is doing something when it is closed to tell the smart card to "expire" the current PIN. I would like to find out what IE7 is doing to cause that to happen (when it closes) because I want my program to be able to do that too. Any ideas on how I could find that out?

Thanks!

Scott Stafford
adg

2 Answers

3

Resetting the card will expire the PIN. See this answer for more information.

Community
Adam Liss
  • Thanks Adam - I appreciate the response. I will try to figure out if there is some way I can programmatically reset the card, and that might solve my problem! – adg Nov 29 '09 at 23:50
  • Just to make sure we are using the same vocabulary, by "reset", you don't mean changing the PIN number do you? I definitely don't want to do that. I just want to make the card prompt for the PIN again. – adg Nov 29 '09 at 23:54
  • Right. Clearly you don't want to change the PIN; you just want to end the transaction so the card behaves as if you've just re-inserted it. Can you provide more details about the programming environment, language, and API you're using? You may also find helpful information on the OpenSC project site: http://www.opensc-project.org – Adam Liss Nov 30 '09 at 01:35
  • Adam, thanks for being so patient with me. The web pages are ASP.NET (mostly), C# on the server side and JavaScript on the client side. The card is a CAC. The middleware is ActivClient but I don't have their SDK, I've been playing around with CAPICOM. The browser is always IE7. I have JavaScript that clears the SSL cache (causing the certificate dialog to reprompt) but I don't see any way to cause the PIN dialog to reprompt. – adg Dec 01 '09 at 22:55
  • Funny, I think I'm about to run into the opposite problem: I'm building an embedded device that reads CACs using C, and I _want_ the PIN to be cached. Perhaps the discussion at http://www.eggheadcafe.com/software/aspnet/31611074/cryptacquirecertificatepr.aspx will start you in the right direction. Otherwise, the card should re-prompt for the PIN if you try to access the private key; you may be able to do this by asking it to sign or decrypt a throw-away piece of data. – Adam Liss Dec 02 '09 at 01:51
  • You know I actually thought of that! There is an option in the ActivClient software that toggles PIN prompting on private key access, which is how I became aware of it. But it would have to be client-side and I can't figure out which cert has been selected. On the server side, the request object tells me that. Re your "opposite" problem - if ActivClient can prevent the smart card from prompting on private key access then I would guess that you probably can too. – adg Dec 02 '09 at 03:42
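
An added example (not from the original answer or from ActivClient): a C# console program that resets the card through the Windows PC/SC API (winscard.dll) by disconnecting with SCARD_RESET_CARD. It assumes the first reader listed holds the CAC and that the middleware does not cache the PIN and replay it after the reset; the class name CardReset is hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

static class CardReset   // hypothetical name, added example
{
    // Constants from winscard.h
    const uint SCARD_SCOPE_USER = 0, SCARD_SHARE_SHARED = 2;
    const uint SCARD_PROTOCOL_T0 = 1, SCARD_PROTOCOL_T1 = 2;
    const uint SCARD_RESET_CARD = 1;

    [DllImport("winscard.dll")]
    static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode, EntryPoint = "SCardListReadersW")]
    static extern int SCardListReaders(IntPtr ctx, string groups, byte[] readers, ref uint len);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode, EntryPoint = "SCardConnectW")]
    static extern int SCardConnect(IntPtr ctx, string reader, uint share, uint protocols,
                                   out IntPtr card, out uint activeProtocol);
    [DllImport("winscard.dll")]
    static extern int SCardDisconnect(IntPtr card, uint disposition);
    [DllImport("winscard.dll")]
    static extern int SCardReleaseContext(IntPtr ctx);

    static void Check(int rc, string call)
    {
        // SCARD_S_SUCCESS is 0; anything else is an error code.
        if (rc != 0) throw new InvalidOperationException(call + " failed: 0x" + rc.ToString("X8"));
    }

    static void Main()
    {
        IntPtr ctx;
        Check(SCardEstablishContext(SCARD_SCOPE_USER, IntPtr.Zero, IntPtr.Zero, out ctx), "SCardEstablishContext");
        try
        {
            uint len = 0;   // first call returns the required length in characters
            Check(SCardListReaders(ctx, null, null, ref len), "SCardListReaders");
            byte[] buf = new byte[len * 2];
            Check(SCardListReaders(ctx, null, buf, ref len), "SCardListReaders");
            // Multi-string: reader names separated by '\0', list ended by a second '\0'.
            string reader = Encoding.Unicode.GetString(buf).Split('\0')[0];

            IntPtr card; uint proto;
            Check(SCardConnect(ctx, reader, SCARD_SHARE_SHARED,
                               SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, out card, out proto), "SCardConnect");
            // Reset on disconnect, so the card behaves as if it had just been re-inserted.
            Check(SCardDisconnect(card, SCARD_RESET_CARD), "SCardDisconnect");
            Console.WriteLine("Reset card in reader: " + reader);
        }
        finally { SCardReleaseContext(ctx); }
    }
}
```

Other applications holding a shared connection to the same card get SCARD_W_RESET_CARD on their next call and have to reconnect.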
0

The PIN caching behavior you are observing might just be a middleware administration matter. See chapter 8 of the ActivClient Administrators guide. PIN caching can be session or process based, among other criteria like intended key usage, timeouts, and whitelists.

There is a good chance that closing the keystore is not possible in regular JavaScript. That kind of operation might cross some security boundary.

Ajith Antony