PKCS15 framework influence PKCS11 interface

[msetina]

I have a card with 2 apps. One should be without login and one with login. First app is not login, second app should be used with login. First app has one token, the second has 2.
WIthout modifications, PKCS11 lists all tokens, but PKCS15 shows only the token in the first app ( #2986 ) . For browser users (nss ot firefox) the first token in second app is useful.
Currently I apply settings for PKCS15 framework that nss uses that disables the first app, but PKCS11 also hides token in first app. Is this realy needed? Should PKCS11 and PKCS15 be connected in this way.
The card driver is EOI.

[msetina]

Or maybe a better question: Could there be a way to provide info from driver or settings which app/token is for authentication and which for signing?
I know this card is strange because there is a token with PK and cert without PIN which is also the first token listed. If it were the second listed, the openSC functionality would work perfectly.

[dengert]

Have you looked at: https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in#L214-L227 I have never used it, but it might allow changing the order of pins.

In addition:
OpenSC was originally written assuming a card had only one applet. And a reader could only have one card at a time. Since then there are cards with multiple applets, for example PIV applet and OpenPGP applet.

The OpenSC PKCS11 implementation can present every reader as a slot and virtual slots used when an applet has more then one PIN where each virtual slot is used to access objects protected by its PIN. (PKCS11 has the limitation of only defining CKU_SO, CKU_USER, and CKU_CONTEXT_SPECIFIC per token.)

Code was never added to allow OpenSC PKCS11 to treat each applet on a card as a separate token.

PKCS15 is at the card level (or applet level) opensc-tool --list-readers lists the readers on a system usually using PCSC and pkcs15-tool has options --reader, --list-applications(but only PKCS15 applications) and--aid` to use a specific applet.

To further isolate cards, tokens and applets, OpenSC can restrict which card driver(s) can be used via opensc.conf or env, so for env OPENSC_DRIVER=PIV-II or OPENSC_DRIVER=openpgp` could be set to select the which applet you want for a process.

p11kit can be used with OpenSC PKCS11 module selecting one applet and using some other PKCS11 module for a different applet on the card.

[msetina]

Thank you for your explanation. I was fishing for a solution.
With no setup in conf file for PKCS15 framework the PKCS11 programming interface can access any token on the card, but over NSS and in firefox which both interact with PKCS11 library, I see the first token in first app, which as mentioned is not the token I want in browser.
After applying PKCS15 framework which disables one app, browser sees the appropriate token, but the other app can not be accessed over PKCS11 interface.
I was wondering how does firefox and NSS use the PKCS11 library to get only the first token, but python in my case can see all tokens. If there was a setting in the conf file that would help nss and firefox get the app id to query for tokens.