kamal kumar wrote:
> Hi,
> I slightly differ from Douglas's assessments. C_Finalize
> is not called by winlogon process. It is called by
> IDAlly.exe when we login.

So are you saying that there are two processes calling
opensc_pkcs11.dll, the winlogon (via the IdAlly CSP) and IdAlly.exe?

Is this some issue with DLLs vs Unix shared libs, and the use
of things like:
  extern struct sc_context *context;
in src/pkcs11/sc_pkcs11.h

> I think we have to follow
> the number specified in the log entry of
> pkcs11-spy.dll.
>
> If you compare the C_OpenSession log of the Winlogon
> process occurring after C_Finalize called by IDAlly.exe
> and compare it corresponding log entry in the
> opensc-debug.log file, you can find that for this
> C_OpenSession function, it is not creating new pc/sc
> session as expected. But using old PC/SC session.
>
> opensc-pkcs#11 does not close all the pc/sc session,
> because not all the session opened by CSP are closed.
> From the pkcs11-spy log, it is not closing session 1,
> 2.
>
> Can you please verify the log again and give your
> opinion.
>
> Regards,
> Kamal.
>
> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>
>> Corcoran David wrote:
>>> Hi,
>>>
>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>
>> Yes, looks like the CSP calls C_Finalize after the card is removed.
>> Then when a card is inserted, it does not call C_Initialize
>> but calls C_OpenSession. I suspect the problem is in that handles
>> the call when a card is removed, not setting some state variable to
>> indicate that C_Initialize needs to be called again.
>>
>>> We are in the process of making updates so it might be a good time
>>> for us to address this (if it is not already)
>>
>> Yes, good time. If you have anything to test, let me know.
>>
>>> You should be able to work around this in a shim pkcs#11 module like
>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>> was already closed down and calling C_Initialize again before passing
>>> C_OpenSession through.
>>
>> I am trying to avoid having to write any additional shims or hacks,
>> especially if you are looking at the code.
>>
>> The current workaround is for the user to try again, but this may only work
>> if it is the same card. (I have not tried using a card for a different user.)
>>
>> We are still doing pilots, and PIV cards will not be generally available
>> until at least October. I hope by then you have a new version of IdAlly.
>>
>>> Thanks,
>>> Dave
>>>
>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>> More info on this. I think it is an ID Ally bug.
>>>>
>>>> Looking at spy and opensc debug logs, it looks like
>>>> the CSP is called when a card is removed sounds reasonable.
>>>> The Id Ally does C_Initialize, C_GetSlotList,
>>>> a loop over the 8 slots for C_GetSlotInfo
>>>> then a C_Finalize.
>>>>
>>>> I then logged off and tried to login again.
>>>>
>>>> Rather than another C_Initialize as would be expected
>>>> since C_Finalize was called last, Id Ally does a C_OpenSession.
>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>> "C_Finalize is called to indicate that an application is finished
>>>> with the Cryptoki library."
>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>
>>>> IdAlly tries some other things, and gets back in sync so the next
>>>> login works.
>>>>
>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>> is called and C_Initialize has not been called. But it is not clear if
>>>> Id Ally could get back in sync!
>>>>
>>>> kamal kumar wrote:
>>>>> Hi,
>>>>> Today I tried certificate logon in XP with PIV card.
>>>>> As I told you before, first certificate logon after
>>>>> reboot succeeded. But the second logon failed.
>>>>> I have attached the opensc log files with this. This
>>>>> log file contain entries for first successful logon
>>>>> and second failed logon.
>>>>> Please give your opinion.
>>>>> Regards,
>>>>> Kamal.
>>>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>>>> kamal kumar wrote:
>>>>>>> Hi all,
>>>>>>> I tried certificate logon with "Identity Alliance CSP"
>>>>>>> and opensc-pkcs11 module in XP machine. The
>>>>>>> certificate logon works fine for the first time. But
>>>>>>> if we logoff and again try to do certificate logon,
>>>>>>> the logon fails second time.
>>>>>>>
>>>>>>> I want to confirm whether it is an issue.
>>>>>>
>>>>>> Works OK for me.
>>>>>>
>>>>>>> I analysed the opensc log files. I think following is
>>>>>>> the reason for the error. In XP, opensc-pkcs11 module
>>>>>>> maintains the pc/sc smartcard connection during the
>>>>>>> first certificate logon. And it uses the same pc/sc
>>>>>>> connection for the second certificate logon also. But
>>>>>>> since we removed and inserted the card in the middle
>>>>>>> for getting PIN prompt in winlogon, we are getting the
>>>>>>> error.
>>>>>>
>>>>>> Sounds like the card failed to do an unlock() at some time
>>>>>> and so the pcsc connection might still be active.
>>>>>> What type/version of IdAlly, OpenSC, card and reader are
>>>>>> you using?
>>>>>>
>>>>>> I am using IdAlly-1.0, SCB-0.8 (
>>>>>> PIV card and pcmcia GemPC card.
>>>>>>
>>>>>> Note scb-0.8 is based on OpenSC-0.11.2 but the
>>>>>> version numbers in the opensc-pkcs11.dll says
>>>>>> 0.11.1.
>>>>>>
>>>>>>> Can anyone please tell me whether it is an issue and
>>>>>>> is there any way to solve this.
>>>>>>> Regards,
>>>>>>> Kamal.
>>>>>>> _______________________________________________
>>>>>>> opensc-devel mailing list
>>>>>>> [email protected]
>>>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>>>
>>>>>> --
>>>>>> Douglas E. Engert <[EMAIL PROTECTED]>
>>>>>> Argonne National Laboratory
>>>>>> 9700 South Cass Avenue
>>>>>> Argonne, Illinois 60439
>>>>>> (630) 252-5444
>
> === message truncated ===

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
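
The call order discussed in this thread (C_Initialize, C_Finalize, then C_OpenSession with no new C_Initialize), modeled as an added example that is not part of the original messages and is not OpenSC, IdAlly or pkcs11-spy code. The `mod_*` functions are a constructed stand-in for a module that rejects the late call, the `shim_*` functions follow the shim workaround quoted above, and all function names are hypothetical; only the `CKR_*` values come from the PKCS#11 specification.

```c
#include <stdio.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
#define CKR_OK                       0x00000000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190UL /* PKCS#11 return code */

/* Constructed stand-in for the wrapped module (hypothetical, not OpenSC). */
static int mod_ready, mod_init_calls;
static CK_SESSION_HANDLE mod_next;
static CK_RV mod_Initialize(void) { mod_ready = 1; mod_init_calls++; return CKR_OK; }
static CK_RV mod_Finalize(void)   { mod_ready = 0; return CKR_OK; }
static CK_RV mod_OpenSession(CK_SESSION_HANDLE *h) {
    /* Strict check: no sessions after C_Finalize until C_Initialize runs. */
    if (!mod_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *h = ++mod_next;
    return CKR_OK;
}

/* Shim: tracks whether the caller finalized and re-initializes on demand. */
static int shim_ready;
static CK_RV shim_Initialize(void) { CK_RV rv = mod_Initialize(); shim_ready = (rv == CKR_OK); return rv; }
static CK_RV shim_Finalize(void)   { shim_ready = 0; return mod_Finalize(); }
static CK_RV shim_OpenSession(CK_SESSION_HANDLE *h) {
    if (!shim_ready) {
        CK_RV rv = shim_Initialize();
        if (rv != CKR_OK) return rv;
    }
    return mod_OpenSession(h);
}
static void reset(void) { mod_ready = mod_init_calls = shim_ready = 0; mod_next = 0; }

/* Replay the order seen in the logs: Initialize, Finalize, then OpenSession. */
CK_RV replay_direct(void) {
    CK_SESSION_HANDLE h = 0;
    reset(); mod_Initialize(); mod_Finalize();
    return mod_OpenSession(&h);
}
CK_RV replay_via_shim(void) {
    CK_SESSION_HANDLE h = 0;
    reset(); shim_Initialize(); shim_Finalize();
    return shim_OpenSession(&h);
}
int module_init_calls(void) { return mod_init_calls; }

int main(void) {
    CK_RV d = replay_direct(), s = replay_via_shim();
    printf("direct 0x%lx, shim 0x%lx, C_Initialize calls %d\n", d, s, module_init_calls());
    return 0;
}
```

Re-initializing inside the shim hides the caller's missing C_Initialize, so a shim of this kind should log each time it takes that path.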
