Thank you very much for this answer.

On 20.01.2011 17:51, Douglas E. Engert wrote:
> On 1/20/2011 4:53 AM, Viktor TARASOV wrote:
>> Hello,
>>
>> sorry for the question out of the subject, but
>>
>> When using OpenSC minidriver (or any other),
>> is there any existing (or that could be implemented)
>> possibility to re-actualize the card content and to propagate the
>> eventual changes to the Windows key stores
>> without re-inserting the card?
> That is a function of the higher level code in Windows, and
> should be present.
>
> http://technet.microsoft.com/en-us/library/ff404300(WS.10).aspx
>
> Windows uses a container name derived from the serial number,
> and the keyid, (and maybe the type of card), and stores these in the
> certificate store.
>
> The current cardmod driver is using a constant serial number,
> 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 which will work for a single
> smartcard, but needs to be fixed to use the card's serial number.
> It is also using an index starting at 0 for the cert id.
> See below.
>
>   From my previous CSP experiences, during login, the cert from the card
> is obtained, and used without having to be in the registry. It will
> be added in by login.
>
> The command:
> certutil -user -v -store My
>
> or to look at a specific cert, add the cert number to the command
> certutil -user -v -store My 17
>
> can be used to look at your own certificates in the registry.
> If a cert is associated with a smart card you will be asked to insert
> the card, and prompted for a PIN. If the wrong card is inserted you will
> be asked again.
>
> I have PIV cards that can be used on Windows 7 using the Microsoft driver.
> I can also use the same PIV card on Vista with the OpenSC cardmod driver,
> and compare the differences.
>
> The card serial number shows up the same, as it is derived from
> the PIV CHUID object that has a GUID in it. It looks like Microsoft
> and Opensc are doing the same thing. I need to check some more on this.
>
> The output on Windows 7  (with vim line numbers shown):
>     1 My
>     2 ================ Certificate 17 ================
>     3 X509 Certificate:
>     4 Version: 3
>     5 Serial Number: 1507cdb40000000feb0d
>
> 136   CERT_MD5_HASH_PROP_ID(4):
> 137     b2 e0 24 ce 78 9c 67 70 ab 31 2c 7a 4c e5 01 76
> 138
> 139   Unknown Property(91):
> 140     06 00 00 00 00 00 00 00  05 00 00 00 02 00 00 00   ................
> 141     10 00 00 00 06 00 00 00  00 00 00 00 00 00 00 00   ................
> 142     00 00 00 00                                        ....
> 143
> 144   CERT_KEY_IDENTIFIER_PROP_ID(20):
> 145     56 75 70 c1 d7 9d 32 d0 18 8e f1 e0 4a 09 76 d7 a4 b2 78 e2
> 146
> 147   CERT_SHA1_HASH_PROP_ID(3):
> 148     ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
> 149
> 150   CERT_KEY_PROV_INFO_PROP_ID(2):
> 151     Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
> 152     Provider = Microsoft Base Smart Card Crypto Provider
> 153     ProviderType = 1
> 154     Flags = 0
> 155     KeySpec = 1 -- AT_KEYEXCHANGE
>
> (On Vista with cardmod, the above shows up as AT_SIGNATURE)
> This may be why login does not work!
>
>
> 156
> 157   Unknown Property(90):
> 158     01 00 00 00                                        ....
> 159 Smart Card Serial Number: 6b 8e 7a c9 1d d2 11 b2  b7 19 00 14 4f 1f 5e f4
> 160   PP_KEYSTORAGE = 1
> 161     CRYPT_SEC_DESCR -- 1
> 162   KP_PERMISSIONS = 0
>
> 172 Private key is NOT exportable
> 173 Encryption test passed
> 174 CertUtil: -store command completed successfully.
>
> Line (159) matches what is shown by OpenSC as serial number.
> Line (151) is the key Container number, and it looks like it is
> based on the serial number if treated as a GUID. But with bytes swapped,
> to little endian:
> c97a8e6b<->  c9 7a 8e 6b
> d21d<->  1d d2
> b211<->  11 b2
> b719<->  19 b7
> 00144f == 00 14 4f
> 5fc105 != 1f 5e f4
>
> But for the cert, the 5fc105 is from the NIST 800-73-3 part 1 table 2
> as the PIV BER-TLV Tag.
> So Microsoft has combined part of the serial number and the tag
> to create a container. (It may not be unique as the last part of the
> GUID has been dropped!)
>
>> I imagine something like:
>> - card is used for windows logon and authentication (for ex. in IE);
>> - the on-card certificate is renewed/imported with some third application 
>> that accesses directly the card;
>> Is it possible to make these changes available for the Windows applications 
>> without card re-insertion ?
> I believe it is already there in the BaseCSP. It's just the cardmod driver
> has some bugs in the area of returning  the correct response to find a
> specific certificate.
>
>
> P.S. Thanks for the question, having looked closer at the
>    certutil -user -v -store My
> command I am off to try a patch for AT_KEYEXCHANGE with login!


Thank you very much for the details.


Kind wishes,
Viktor.
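As an added illustration of the container-name derivation Douglas reads out of the certutil output above (this is not code from the thread or from OpenSC, and the byte mapping is his observation, not a documented Microsoft algorithm), the script below builds the Key Container name from the 16-byte smart card serial number and shows why dropping the last three serial bytes in favour of the PIV tag 5fc105 can make two different cards collide on the same container:

```python
# PIV CHUID GUID BER-TLV tag (NIST SP 800-73-3 part 1, table 2), which the
# thread observes as the last three bytes of the container name.
PIV_GUID_TAG = bytes.fromhex("5fc105")

# Constructed copy of certutil line 159 from the thread, used as sample input.
SAMPLE_SERIAL_LINE = (
    "Smart Card Serial Number: 6b 8e 7a c9 1d d2 11 b2  b7 19 00 14 4f 1f 5e f4"
)


def parse_serial_line(line: str) -> bytes:
    """Parse the 'Smart Card Serial Number:' line as certutil prints it."""
    prefix = "Smart Card Serial Number:"
    if not line.lstrip().startswith(prefix):
        raise ValueError("not a smart card serial number line")
    return bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))


def container_name(serial: bytes) -> str:
    """Derive the Key Container name from a 16-byte serial number.

    Assumed mapping (as read from the thread, not from Microsoft docs):
    the first three GUID fields are the serial bytes byte-swapped to
    little endian, the next five bytes are copied as they are, and the
    final three bytes are replaced by the PIV GUID tag.
    """
    if len(serial) != 16:
        raise ValueError("expected a 16-byte serial number")
    data1 = serial[0:4][::-1]   # c9 7a 8e 6b
    data2 = serial[4:6][::-1]   # d2 1d
    data3 = serial[6:8][::-1]   # b2 11
    data4_hi = serial[8:10]     # b7 19, copied unswapped
    data4_lo = serial[10:13] + PIV_GUID_TAG  # 00 14 4f + 5f c1 05
    return "-".join(p.hex() for p in (data1, data2, data3, data4_hi, data4_lo))


def collides(serial_a: bytes, serial_b: bytes) -> bool:
    """True when two distinct serials map to the same container name,
    which happens whenever they differ only in their last three bytes."""
    return serial_a != serial_b and container_name(serial_a) == container_name(serial_b)


if __name__ == "__main__":
    serial = parse_serial_line(SAMPLE_SERIAL_LINE)
    print("container:", container_name(serial))
    # A second card whose serial differs only in the dropped tail bytes
    other = serial[:13] + bytes.fromhex("000000")
    print("collision with a serial differing only in the tail:", collides(serial, other))
```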


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
