Hi,

I slightly differ from Douglas's assessments. C_Finalize is not called by the winlogon process. It is called by IDAlly.exe when we log in. I think we have to follow the number specified in the log entry of pkcs11-spy.dll.
If you compare the C_OpenSession log of the Winlogon process occurring after C_Finalize called by IDAlly.exe and compare it with the corresponding log entry in the opensc-debug.log file, you can find that for this C_OpenSession function, it is not creating a new PC/SC session as expected, but using the old PC/SC session. opensc-pkcs#11 does not close all the PC/SC sessions, because not all the sessions opened by the CSP are closed. From the pkcs11-spy log, it is not closing session 1, 2.

Can you please verify the log again and give your opinion.

Regards,
Kamal.

--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> Corcoran David wrote:
> > Hi,
> >
> > Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>
> Yes, looks like the CSP calls C_Finalize after the card is removed.
> then when a card is inserted, it does not call C_Initialize
> but calls C_OpenSession. I suspect the problem is in that handles
> the call when a card is removed, not setting some state variable to
> indicate that C_Initialize needs to be called again.
>
> > We are in the process of making updates so it might be a good time
> > for us to address this (if it is not already)
>
> Yes, good time. If you have anything to test, let me know.
>
> > You should be able to work around this in a shim pkcs#11 module like
> > pkcs11spy by abstracting C_OpenSession and determining if the P11 module
> > was already closed down and calling C_Initialize again before passing
> > C_OpenSession through.
>
> I am trying to avoid having to write any additional shims or hacks,
> especially if you are looking at the code.
>
> The current work around is for the user to try again, but this may only work
> if it is the same card. (I have not tried using a card for a different user.)
>
> We are still doing pilots, and PIV cards will not be generally available
> until at least October. I hope by then hopefully you have a new version of IdAlly.
>
> > Thanks,
> > Dave
> >
> > On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
> >
> >> More info on this. I think it is an ID Ally bug.
> >>
> >> Looking at spy and opensc debug logs, it looks like
> >> the CSP is called when a card is removed sounds reasonable.
> >>
> >> The Id Ally does C_Initialize, C_GetSlotList,
> >> a loop over the 8 slots for C_GetSlotInfo
> >> then a C_Finalize.
> >>
> >> I then logged off and try to login again.
> >>
> >> Rather than another C_Initialize as would be expected
> >> since C_Finalize was called last, Id Ally does a C_OpenSession.
> >>
> >> The way I read PKCS#11 2.01 under C_Finalize it says:
> >> "C_Finalize is called to indicate that an application is finished
> >> with the Cryptoki library."
> >> If IdAlly wants to use the library again, it should call C_Initialize.
> >>
> >> IdAlly tries some other things, and gets back in sync so the next
> >> login works.
> >>
> >> But I would also think OpenSC should give an error if the C_OpenSession
> >> is called and C_Initialize has not been called. But it is not clear if
> >> Id Ally could get back in sync!
> >>
> >> kamal kumar wrote:
> >>> Hi,
> >>> Today I tried certificate logon in XP with PIV card.
> >>> As I told you before, first certificate logon after
> >>> reboot succeeded. But the second logon failed.
> >>> I have attached the opensc log files with this. This
> >>> log file contains entries for first successful logon
> >>> and second failed logon.
> >>> Please give your opinion.
> >>> Regards,
> >>> Kamal.
> >>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> kamal kumar wrote:
> >>>>> Hi all,
> >>>>> I tried certificate logon with "Identity Alliance CSP"
> >>>>> and opensc-pkcs11 module in XP machine. The
> >>>>> certificate logon works fine for the first time. But
> >>>>> if we logoff and again try to do certificate logon,
> >>>>> the logon fails second time.
> >>>>>
> >>>>> I want to confirm whether it is an issue.
> >>>> Works OK for me.
> >>>>
> >>>>> I analysed the opensc log files. I think following is
> >>>>> the reason for the error. In XP, opensc-pkcs11 module
> >>>>> maintains the pc/sc smartcard connection during the
> >>>>> first certificate logon. And it uses the same pc/sc
> >>>>> connection for the second certificate logon also. But
> >>>>> since we removed and inserted the card in the middle
> >>>>> for getting PIN prompt in winlogon, we are getting the
> >>>>> error.
> >>>> Sounds like the card failed to do an unlock() at some time
> >>>> and so the pcsc connection might still be active.
> >>>> What type/version of IdAlly, OpenSC, card and reader are
> >>>> you using?
> >>>>
> >>>> I am using IdAlly-1.0, SCB-0.8 (
> >>>> PIV card and pcmcia GemPC card.
> >>>>
> >>>> Note scb-0.8 is based on OpenSC-0.11.2 but the
> >>>> version numbers in the opensc-pkcs11.dll say 0.11.1.
> >>>>
> >>>>> Can anyone please tell me whether it is an issue and
> >>>>> is there any way to solve this.
> >>>>> Regards,
> >>>>> Kamal.
> >>>>
> >>>> --
> >>>> Douglas E. Engert <[EMAIL PROTECTED]>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois 60439
> >>>> (630) 252-5444

=== message truncated ===
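
The call order discussed in this thread (C_Initialize, C_Finalize, then C_OpenSession with no second C_Initialize), as an added example that is not part of the original messages and is not OpenSC, pkcs11-spy or IdAlly code. It models a module that answers the late C_OpenSession with CKR_CRYPTOKI_NOT_INITIALIZED and a shim that re-initializes before passing the call through; all `mod_*` and `shim_*` names are hypothetical.

```c
/* Added example: a toy stand-in for a PKCS#11 module plus a shim.
 * Not OpenSC, pkcs11-spy or IdAlly code; mod_* and shim_* are hypothetical. */
#include <stdio.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
/* Return codes, with the values the PKCS#11 headers assign them. */
#define CKR_OK                       0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED 0x190UL

static int mod_initialized;            /* module-side library state */
static CK_SESSION_HANDLE mod_next = 1; /* next session handle to hand out */
CK_RV mod_Initialize(void) { mod_initialized = 1; mod_next = 1; return CKR_OK; }
CK_RV mod_Finalize(void)   { mod_initialized = 0; return CKR_OK; }

/* Strict module: refuse to open a session on a finalized library. */
CK_RV mod_OpenSession(CK_SESSION_HANDLE *h) {
    if (!mod_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *h = mod_next++;
    return CKR_OK;
}

static int shim_initialized;   /* what the shim saw the caller do last */
static int shim_reinit_count;  /* how often the shim had to step in */
CK_RV shim_Initialize(void) { shim_initialized = 1; return mod_Initialize(); }
CK_RV shim_Finalize(void)   { shim_initialized = 0; return mod_Finalize(); }

/* Shim workaround: call C_Initialize again before passing the call through. */
CK_RV shim_OpenSession(CK_SESSION_HANDLE *h) {
    if (!shim_initialized) {
        CK_RV rv = shim_Initialize();
        if (rv != CKR_OK) return rv;
        shim_reinit_count++;
    }
    return mod_OpenSession(h);
}
/* Replay the order from the logs: C_Initialize, C_Finalize, C_OpenSession. */
CK_RV replay_direct(CK_SESSION_HANDLE *h) {
    mod_Initialize(); mod_Finalize(); return mod_OpenSession(h);
}
CK_RV replay_via_shim(CK_SESSION_HANDLE *h) {
    shim_Initialize(); shim_Finalize(); return shim_OpenSession(h);
}

int main(void) {
    CK_SESSION_HANDLE h = 0;
    CK_RV direct = replay_direct(&h), shim = replay_via_shim(&h);
    printf("direct: 0x%lx, via shim: 0x%lx (handle %lu)\n", direct, shim, h);
    return 0;
}
```

Re-initializing inside the shim gives the caller a fresh library state, so any session handles it kept from before C_Finalize are no longer valid.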
