Just an update:
I am able to get the opensc-0.12.0 cardmod to work with login on Vista
to log in to our AD domain. This has required many changes, and there
are still many issues...

The changes are large, and still not ready. The 3 changes I discussed on 1/19
are still in this patch. Martin is working on a different version of the "don't
run sc_ctx_detect_reader" part of this patch.

Martin, any idea when that will be ready?

A CardRSADecrypt function was added as the Kerberos PKINIT protocol used
by login. It needs to decrypt returned data.

The handling of the bPinsFreshness was changed in the CardDeauthenticateEx
routine. Without this change it appears the BaseCSP has a problem. I am
not sure how this freshness is supposed to work, but the code in this spot
did not look correct, and did not work without this change.

The pkcs15 serial number is now used for the card serial number.

The wszGuid for the keys now uses a combination of the serial number and the
pkcs15 cert object ID. Windows expects this to be unique, and stores it
in the cert store as the KeyContainer.

The Microsoft documentation says the intent of the CardDeauthenticate
function is to reset the card... But this is not being done.

The Windows login will load opensc-cardmod.dll and keep it active
for the session. It will call CardAcquireContext multiple times
passing in a new handle.  The current code cannot recognize that
a card has been withdrawn and a new one inserted during login.

A side effect is the debug_file from opensc.conf stays open!

I think this is caused by the sc_context_create, connect, bind
and reading of the certs are only done when CardAcquireContext is called.
I could see CardAcquireContext, do what it does now, then call
sc_pkcs15_unbind, sc_disconnect_card, sc_release_context. This would
reset the card and also close the debug_file and allow for the card to
be removed.

Then when CardAuthenticatePin or CardAuthenticateEx are called, a new
sc_context_create, sc_connect_card and sc_pkcs15_bind would be done
and the cache would be refreshed with any new info from
a new card.

When CardDeauthenticate or CardDeauthenticateEx are called the
sc_pkcs15_unbind, sc_disconnect_card, sc_release_context would be done.

Since winlogin is not run from a user environment, I copied the 12 OpenSC
dlls to Windows\system32 and changed the registry entry for 80000001 from:
   c:\Program Files\opensc\bin\opensc-cardmod32.dll
to
   opensc-cardmod32.dll

There may be a better way, maybe using side by side assemblies, as if
OpenSSL is included, it may want to load other dlls too.

One ATR and ATRMask in the registry could be used with many opensc
cards.

-- 

   Douglas E. Engert  <deeng...@anl.gov>
   Argonne National Laboratory
   9700 South Cass Avenue
   Argonne, Illinois  60439
   (630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel