kamal kumar wrote:
> Hi,
> Yes, two processes are calling opensc-pkcs11 module.
> And C_Finalize is called by IdAlly.exe process. 
> 
> Since Winlogon process is not calling C_Finalize 

But the Winlogon process calls the Id Ally CSP, that
calls the PKCS#11, correct?

> and
> closing all P11 session (P11 session 1, 2 are still
> opened), opensc-pkcs11 module keeps the pc/sc
> connection established by sc_connect_card function.
> 
> I think we need to investigate more thoroughly on this
> issue.
> 
> Regards,
> Kamal.
> 
> 
> 
> 
> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> 
>>
>> kamal kumar wrote:
>>> Hi,
>>> I slightly differ from Douglas assessments. C_Finalize
>>> is not called by winlogon process. It is called by
>>> IDAlly.exe when we login.
>> So are you saying that there are two processes calling
>> opensc_pkcs11.dll, the winlogon (via the IdAlly CSP)
>> and IdAlly.exe?
>>
>> Is this some issue with DLLs vs Unix shared libs, and
>> the use of things like:
>>    extern struct sc_context *context;
>> in src/pkcs11/sc_pkcs11.h
>>
>>> I think we have to follow
>>> the number specified in the log entry of
>>> pkcs11-spy.dll.
>>>
>>> If you compare the C_OpenSession log of the Winlogon
>>> process occurring after C_Finalize called by IDAlly.exe
>>> and compare it corresponding log entry in the
>>> opensc-debug.log file, you can find that for this
>>> C_OpenSession function, it is not creating new pc/sc
>>> session as expected. But using old PC/SC session.
>>>
>>> opensc-pkcs#11 does not close all the pc/sc session,
>>> because not all the session opened by CSP are closed.
>>> From the pkcs11-spy log, it is not closing session 1,
>>> 2.
>>>
>>> Can you please verify the log again and give your
>>> opinion.
>>>
>>> Regards,
>>> Kamal.
>>>
>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>
>>>> Corcoran David wrote:
>>>>> Hi,
>>>>>
>>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>>>
>>>> Yes, looks like the CSP calls C_Finalize after the
>>>> card is removed.
>>>> then when a card is inserted, it does not call C_Initialize
>>>> but calls C_OpenSession. I suspect the problem is in that handles
>>>> the call when a card is removed, not setting some state variable to
>>>> indicate that C_Initialize needs to be called again.
>>>>
>>>>> We are in the process of making updates so it might be a good time
>>>>> for us to address this (if it is not already)
>>>> Yes, good time.   If you have any thing to test, let me know.
>>>>
>>>>> You should be able to work around this in a shim pkcs#11 module like
>>>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>>>> was already closed down and calling C_Initialize again before passing
>>>>> C_OpenSession through.
>>>>
>>>> I am trying to avoid having to write any additional shims or hacks,
>>>> especially if you are looking at the code.
>>>>
>>>> The current work around is for the user to try again, but this may only work
>>>> if it is the same card. (I have not tried using a card for a different user.)
>>>>
>>>> We are still doing pilots, and PIV cards will not be generally available
>>>> until at least October. I hope by then hopefully you have a new version of IdAlly.
>>>>
>>>>
>>>>> Thanks,
>>>>> Dave
>>>>>
>>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>>>> More info on this. I think it is an ID Ally bug.
>>>>>> Looking at spy and opensc debug logs, It looks like
>>>>>> the CSP is called when a card is removed sounds reasonable.
>>>>>> The Id Ally does  C_Initialize, C_GetSlotList,
>>>>>> a loop over the 8 slots for C_GetSlotInfo
>>>>>> then a C_Finalize.
>>>>>>
>>>>>> I then logged off and try to login again.
>>>>>>
>>>>>> Rather than another C_Initialize as would be expected
>>>>>> since C_Finalize was called last,  Id Ally does a C_OpenSession.
>>>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>>>> "C_Finalize is called to indicate that an application is finished
>>>>>> with the Cryptoki library."
>>>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>>> IdAlly tries some other things, and gets back in sync so the next
>>>>>> login works.
>>>>>>
>>>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>>>> is called and C_Initialize has not been called. But it is not clear if
>>>>>> Id Ally could get back in sync!
>>>>>>
>>>>>>
>>>>>> kamal kumar wrote:
>>>>>>> Hi,
>>>>>>> Today i tried certificate logon in XP with PIV card.
>>>>>>> As i told you before, first certificate logon after
>>>>>>> reboot succeeded. But the second logon failed.
>>>>>>> I have attached the opensc log files with this. This
>>>>>>> log file contain entries for first successful logon
>>>>>>> and second failed logon.
>>>>>>> Please give your opinion.
>>>>>>> Regards,
>>>>>>> Kamal.
>>>>>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>>>>>> kamal kumar wrote:
>>>>>>>>> Hi all,
>>>>>>>>> I tried certificate logon with "Identity Alliance CSP"
>>>>>>>>> and opensc-pkcs11 module in XP machine. The
>>>>>>>>> certificate logon works fine for the first time. But
>>>>>>>>> if we logoff and again tries to do certificate logon,
>>>>>>>>> the logon fails second time.
>>>>>>>>>
>>>>>>>>> I want to confirm whether it is a issue.
>>>>>>>> Works OK for me.
>>>>>>>>
>>>>>>>>> I analysed the opensc log files. I think following is
>>>>>>>>> the reason for the error. In XP, opensc-pkcs11 module
>>>>>>>>> maintains the pc/sc smartcard connection during the
>>>>>>>>> first certificate logon. And it uses the same pc/sc
>>>>>>>>> connection for the second certificate logon also. But
>>>>>>>>> since we removed and inserted the card in the
>>
> === message truncated ===

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
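
The two behaviours discussed in this thread, as an added example that is not code from OpenSC, ID Ally or any poster: a module that answers C_OpenSession after C_Finalize with CKR_CRYPTOKI_NOT_INITIALIZED and drops its card connection, and a shim that re-initializes before passing the call through. The mod_* and shim_* names, the single-process model and the integer connection ids are assumptions made for illustration; the return-code values are those of the PKCS#11 specification.

```c
#include <stdio.h>

/* Local stand-ins for pkcs11.h; return-code values follow the PKCS#11 spec. */
typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Hypothetical model of the module: one init flag, one reader connection. */
static int initialized;          /* set by C_Initialize, cleared by C_Finalize */
static int card_connection;      /* 0 = none, otherwise id of the live connection */
static int next_connection = 1;  /* source of fresh connection ids */

CK_RV mod_Initialize(void) {
    if (initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    initialized = 1;
    return CKR_OK;
}

CK_RV mod_Finalize(void) {
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    initialized = 0;
    card_connection = 0;  /* drop the connection so a later logon cannot reuse it */
    return CKR_OK;
}

/* Strict behaviour: refuse to open a session on a finalized library. */
CK_RV mod_OpenSession(int *conn_out) {
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (card_connection == 0) card_connection = next_connection++;  /* fresh connect */
    *conn_out = card_connection;
    return CKR_OK;
}

/* Shim workaround: re-initialize when the caller skipped C_Initialize. */
CK_RV shim_OpenSession(int *conn_out) {
    CK_RV rv = mod_OpenSession(conn_out);
    if (rv != CKR_CRYPTOKI_NOT_INITIALIZED) return rv;
    rv = mod_Initialize();
    return rv == CKR_OK ? mod_OpenSession(conn_out) : rv;
}

int main(void) {
    int c1 = 0, c2 = 0;
    mod_Initialize(); mod_OpenSession(&c1); mod_Finalize();  /* first logon, then card removed */
    CK_RV direct = mod_OpenSession(&c2);   /* second logon without C_Initialize */
    CK_RV shim = shim_OpenSession(&c2);    /* same call routed through the shim */
    printf("direct=0x%lx shim=0x%lx conn %d -> %d\n", direct, shim, c1, c2);
    return 0;
}
```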
