Automatically verify cached pin and retry general auth on sw = 6982

[qpernil]

[qpernil]

Different approach to problems with always-auth keys - automatically verify cached pin and retry general-authenticate

[qpernil]

The trouble with this approach is that it is in the library, and hence affects all usage, not just piv-tool

[mouse07410]

I like this approach very much, as it returns the decision whether to (re-)authenticate, back to where it belongs - to the token itself.

[qpernil]

I think this is probably the wrong approach after all, even if it happens to be very convenient and slots into the code very smoothly. It would essentially negate the intention with always-auth keys, with no way for the application to choose behaviour.

[mouse07410]

It is the right approach of the user wants his app to behave this way. So, using cached PIN or not should be a configurable option.

[qpernil]

I think it is more in line with pkcs#11 that the application chooses what to do, after all there is support in pkcs11 to to it well from the application, either using the flag to preeemptively prompt, or to just automatically re-verify a pin it keeps in memory, or alternatively to base the behaviour on the return codes (and hope that different pkcs11 modules give the 'right' error code)