Hi,
Yes, two processes are calling opensc-pkcs11 module.
And C_Finalize is called by IdAlly.exe process.

Since Winlogon process is not calling C_Finalize and
closing all P11 sessions (P11 sessions 1, 2 are still
opened), opensc-pkcs11 module keeps the pc/sc
connection established by sc_connect_card function.

I think we need to investigate more thoroughly on this
issue.

Regards,
Kamal.




--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> 
> 
> kamal kumar wrote:
> > Hi,
> > I slightly differ from Douglas's assessments. C_Finalize
> > is not called by winlogon process. It is called by
> > IDAlly.exe when we login.
>
> So are you saying that there are two processes calling
> opensc_pkcs11.dll, the winlogon (via the IdAlly CSP)
> and IdAlly.exe?
>
> Is this some issue with DLLs vs Unix shared libs, and
> the use of things like:
>    extern struct sc_context *context;
> in src/pkcs11/sc_pkcs11.h
>
> > I think we have to follow
> > the number specified in the log entry of
> > pkcs11-spy.dll.
> >
> > If you compare the C_OpenSession log of the Winlogon
> > process occurring after C_Finalize called by IDAlly.exe
> > and compare it with the corresponding log entry in the
> > opensc-debug.log file, you can find that for this
> > C_OpenSession function, it is not creating a new pc/sc
> > session as expected. But using the old PC/SC session.
> >
> > opensc-pkcs#11 does not close all the pc/sc sessions,
> > because not all the sessions opened by CSP are closed.
> > From the pkcs11-spy log, it is not closing sessions 1,
> > 2.
> >
> > Can you please verify the log again and give your
> > opinion.
> >
> > Regards,
> > Kamal.
> > 
> > --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> >
> >>
> >> Corcoran David wrote:
> >>> Hi,
> >>>
> >>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
> >>
> >> Yes, looks like the CSP calls C_Finalize after the
> >> card is removed.
> >> Then when a card is inserted, it does not call C_Initialize
> >> but calls C_OpenSession. I suspect the problem is in that handles
> >> the call when a card is removed, not setting some state variable to
> >> indicate that C_Initialize needs to be called again.
> >>
> >>
> >>> We are in the process of making updates so it might be a good time
> >>> for us to address this (if it is not already)
> >> Yes, good time. If you have anything to test, let me know.
> >>
> >>> You should be able to work around this in a shim pkcs#11 module like
> >>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
> >>> was already closed down and calling C_Initialize again before passing
> >>> C_OpenSession through.
> >>
> >> I am trying to avoid having to write any additional shims or hacks,
> >> especially if you are looking at the code.
> >>
> >> The current work around is for the user to try again, but this may only work
> >> if it is the same card. (I have not tried using a card for a different user.)
> >>
> >> We are still doing pilots, and PIV cards will not be generally available
> >> until at least October. I hope by then hopefully you have a new version of IdAlly.
> >>
> >>
> >>> Thanks,
> >>> Dave
> >>>
> >>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
> >>>> More info on this. I think it is an ID Ally bug.
> >>>>
> >>>> Looking at spy and opensc debug logs, it looks like
> >>>> the CSP is called when a card is removed sounds reasonable.
> >>>> The Id Ally does C_Initialize, C_GetSlotList,
> >>>> a loop over the 8 slots for C_GetSlotInfo
> >>>> then a C_Finalize.
> >>>>
> >>>> I then logged off and tried to login again.
> >>>>
> >>>> Rather than another C_Initialize as would be expected
> >>>> since C_Finalize was called last, Id Ally does a C_OpenSession.
> >>>> The way I read PKCS#11 2.01 under C_Finalize it says:
> >>>> "C_Finalize is called to indicate that an application is finished
> >>>> with the Cryptoki library."
> >>>> If IdAlly wants to use the library again, it should call C_Initialize.
> >>>>
> >>>> IdAlly tries some other things, and gets back in sync so the next
> >>>> login works.
> >>>>
> >>>> But I would also think OpenSC should give an error if the C_OpenSession
> >>>> is called and C_Initialize has not been called. But it is not clear if
> >>>> Id Ally could get back in sync!
> >>>>
> >>>>
> >>>> kamal kumar wrote:
> >>>>> Hi,
> >>>>> Today I tried certificate logon in XP with PIV card.
> >>>>> As I told you before, first certificate logon after
> >>>>> reboot succeeded. But the second logon failed.
> >>>>> I have attached the opensc log files with this. This
> >>>>> log file contains entries for first successful logon
> >>>>> and second failed logon.
> >>>>> Please give your opinion.
> >>>>> Regards,
> >>>>> Kamal.
> >>>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> >>>>>> kamal kumar wrote:
> >>>>>>> Hi all,
> >>>>>>> I tried certificate logon with "Identity Alliance CSP"
> >>>>>>> and opensc-pkcs11 module in XP machine. The
> >>>>>>> certificate logon works fine for the first time. But
> >>>>>>> if we logoff and again try to do certificate logon,
> >>>>>>> the logon fails second time.
> >>>>>>>
> >>>>>>> I want to confirm whether it is an issue.
> >>>>>> Works OK for me.
> >>>>>>
> >>>>>>> I analysed the opensc log files. I think following is
> >>>>>>> the reason for the error. In XP, opensc-pkcs11 module
> >>>>>>> maintains the pc/sc smartcard connection during the
> >>>>>>> first certificate logon. And it uses the same pc/sc
> >>>>>>> connection for the second certificate logon also. But
> >>>>>>> since we removed and inserted the card in the
> 
=== message truncated ===



       
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
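
The call sequence discussed in this thread (C_Finalize followed by C_OpenSession with no new C_Initialize), as an added example that is not code from the thread, OpenSC or IdAlly: a toy single-process Cryptoki state model that rejects the stray call with CKR_CRYPTOKI_NOT_INITIALIZED, next to the shim-style workaround of re-initializing before passing C_OpenSession through. The `toy_` and `shim_` names are hypothetical, and the model assumes that finalize closes every session and drops the reader connection.

```c
#include <stdio.h>

/* Return codes with the values assigned in the PKCS#11 specification. */
#define CKR_OK                            0x00000000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED      0x00000190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x00000191UL

/* Toy per-process module state (hypothetical, not OpenSC's structures). */
static int initialized;     /* set by initialize, cleared by finalize */
static int open_sessions;   /* sessions still open in this process */
static int card_connected;  /* stands in for the PC/SC connection */
static int connect_count;   /* how many times the card was (re)connected */

unsigned long toy_Initialize(void) {
    if (initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    initialized = 1;
    return CKR_OK;
}

unsigned long toy_Finalize(void) {
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    open_sessions = 0;      /* assumption: finalize closes every session */
    card_connected = 0;     /* and releases the stale reader connection */
    initialized = 0;
    return CKR_OK;
}

unsigned long toy_OpenSession(unsigned long *handle) {
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;  /* explicit error */
    if (!card_connected) { card_connected = 1; connect_count++; }
    *handle = (unsigned long)++open_sessions;
    return CKR_OK;
}

/* Shim workaround: re-initialize when the module reports it was shut down. */
unsigned long shim_OpenSession(unsigned long *handle) {
    unsigned long rv = toy_OpenSession(handle);
    if (rv != CKR_CRYPTOKI_NOT_INITIALIZED) return rv;
    rv = toy_Initialize();
    return rv == CKR_OK ? toy_OpenSession(handle) : rv;
}

int main(void) {
    unsigned long h = 0, rv;
    toy_Initialize(); toy_OpenSession(&h); toy_Finalize();
    rv = toy_OpenSession(&h);             /* the call order seen in the logs */
    printf("direct call after finalize: 0x%lx\n", rv);
    rv = shim_OpenSession(&h);            /* same call through the shim */
    printf("through shim: 0x%lx, card connects: %d\n", rv, connect_count);
    return 0;
}
```

The state here belongs to one process; a second process loading the module has its own copy, so a finalize in one does not close the sessions of the other.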
