hello,

opensc-devel-boun...@lists.opensc-project.org wrote on 27/01/2011
23:36:42:

> 
> [opensc-devel] Using Cardmod mini-driver on Vista with Login to AD
> 
> Douglas E. Engert 
> 
> To:
> 
> OpenSC-devel
> 
> 27/01/2011 23:38
> 
> Sent by:
> 
> opensc-devel-boun...@lists.opensc-project.org
> 
> Just an update:
> I am able to get the opensc-0.12.0 cardmod to work with login on Vista
> to login to our AD domain. This has required many changes, and there
> are still many issues...
> 

I've got cardmod working on Vista/7, not for login but with certutil -SCinfo.

> The changes are large, and still not ready. The 3 changes I
> discussed on 1/19 are still in this patch. Martin is working on a
> different version of the "don't run sc_ctx_detect_reader" part of
> this patch.
> 

'sc_ctx_detect_reader' is the function in which the smartcard context and
handle are set and then used by the other pcsc functions. If it is not
called, I'm wondering how it can work?


> Martin, any idea when that will be ready?
> 
> A CardRSADecrypt function was added as the Kerberos PKINIT protocol used
> by login. It needs to decrypt returned data.
> 

Good information, can you provide code?

> The handling of the bPinsFreshness was changed in the
> CardDeauthenticateEx routine. Without this change it appears the
> BaseCSP has a problem. I am not sure how this freshness is supposed
> to work, but the code in this spot did not look correct, and did not
> work without this change.
> 

It's working for me.

> The pkcs15 serial number is now used for the card serial number.
> 

OK, another great change, can you provide the code too, please?

> The wszGuid for the keys now uses a combination of the serial number
> and the pkcs15 cert object ID. Windows expects this to be unique, and
> stores it in the cert store as the KeyContainer.
> 
> The microsoft documentation says the intent of the CardDeauthenticate
> function is to reset the card.... But this is not being done.
> 
> The Windows login will load opensc-cardmod.dll and keep it active
> for the session. It will call CardAcquireContext multiple times
> passing in a new handle.  The current code cannot recognize that
> a card has been withdrawn and a new one inserted during login.
> 
> A side effect is the debug_file from opensc.conf stays open!
> 
> I think this is caused by the sc_context_create, connect, bind
> and reading of the certs only being done when CardAcquireContext is
> called.
> I could see CardAcquireContext, do what it does now, then call
> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context. This would
> reset the card and also close the debug_file and allow for the card to
> be removed.
> 
> Then when CardAuthenticatePin or CardAuthenticateEx are called, a new
> sc_context_create, sc_connect_card and sc_pkcs15_bind would be done
> and the cache would be refreshed with any new info from
> a new card.
> 
> When CardDeauthenticate or CardDeauthenticateEx are called the
> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context would be done.
> 
> Since winlogin is not run from a user environment, I copied the 12
> OpenSC dlls to Windows\system32 and changed the registry entry for
> 80000001 from:
>    c:\Program Files\opensc\bin\opensc-cardmod32.dll
> to
>    opensc-cardmod32.dll
> 

Martin's installer takes care of installing the dll in the system.
The goal is to provide a single dll, opensc-cardmod32.dll, without the need
for other dlls. Again, it's good information.

> There may be a better way, maybe using side by side assemblies, as if
> OpenSSL is included, it may want to load other dlls too.
> 
> One ATR and ATRMask in the registry could be used with many opensc
> cards.
> 
> -- 
> 
>    Douglas E. Engert  <deeng...@anl.gov>
>    Argonne National Laboratory
>    9700 South Cass Avenue
>    Argonne, Illinois  60439
>    (630) 252-5444
> 
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

Regards,
François.
