On 1/28/2011 2:11 AM, francois.lebl...@cev-sa.com wrote:
> hello,
>
> opensc-devel-boun...@lists.opensc-project.org wrote on 27/01/2011
> 23:36:42:
>
>>
>> [opensc-devel] Using Cardmod mini-driver on Vista with Login to AD
>>
>> Douglas E. Engert
>>
>> To:
>>
>> OpenSC-devel
>>
>> 27/01/2011 23:38
>>
>> Sent by:
>>
>> opensc-devel-boun...@lists.opensc-project.org
>>
>> Just an update:
>> I am able to get the opensc-0.12.0 cardmod to work with login on Vista
>> to log in to our AD domain. This has required many changes, and there
>> are still many issues...
>>
>
> I've got cardmod working on Vista/7, not for login but with certutil -SCinfo

That is the easy part. With login, more than one CardContext is
created for the same card, and it keeps the context open during your
session and for the next session.  Another reason the registry
cannot be used to pass the handles.

>
>> The changes are large, and still not ready. The 3 changes I
>> discussed on 1/19 are still in this patch. Martin is working on a
>> different version of the "don't run sc_ctx_detect_reader" part of
>> this patch.
>>
>
> 'sc_ctx_detect_reader': it's in this function that the smartcard context
> and handle are set and used afterwards by the other pcsc functions. If
> this is not called, I'm wondering how it can work?
>
>
>> Martin, any idea when that will be ready?

The cardmod code will have to call sc_context_create, then
call sc_ctx_detect_reader.

>>
>> A CardRSADecrypt function was added, as the Kerberos PKINIT protocol used
>> by login needs to decrypt returned data.
>>
>
> Good information, can you provide code?

Yes, I wanted to provide a working patch, and want to see what Martin
does with the detect reader.

>
>> The handling of the bPinsFreshness was changed in the
>> CardDeauthenticateEx routine. Without this change it appears the
>> BaseCSP has a problem. I am not sure how this freshness is supposed
>> to work, but the code in this spot did not look correct, and did not
>> work without this change.
>>
>
> It's working for me.

It looked like a bug, in that _VENDOR_SPECIFIC bPinsFreshness is
only referenced once in CardDeauthenticateEx:
CLEAR_PIN(vs->bPinsFreshness, ROLE_USER);
It should be:
vs->cardFiles.file_cardcf.bPinsFreshness &= ~PinId;
CardDeauthenticateEx is called with a PIN_SET.

>
>> The pkcs15 serial number is now used for the card serial number.
>>
>
> Ok another great change, can you provide code too please?

Yes see above.

>
>> The wszGuid for the keys now uses a combination of the serial number and
>> the pkcs15 cert object ID. Windows expects this to be unique, and stores
>> it in the cert store as the KeyContainer.
>>
>> The Microsoft documentation says the intent of the CardDeauthenticate
>> function is to reset the card.... But this is not being done.
>>
>> The Windows login will load opensc-cardmod.dll and keep it active
>> for the session. It will call CardAcquireContext multiple times
>> passing in a new handle.  The current code cannot recognize that
>> a card has been withdrawn and a new one inserted during login.
>>
>> A side effect is the debug_file from opensc.conf stays open!
>>
>> I think this is caused by the sc_context_create, connect, bind
>> and reading of the certs only being done when CardAcquireContext is
>> called. I could see CardAcquireContext do what it does now, then call
>> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context. This would
>> reset the card and also close the debug_file and allow for the card to
>> be removed.
>>
>> Then when CardAuthenticatePin or CardAuthenticateEx are called, a new
>> sc_context_create, sc_connect_card and sc_pkcs15_bind would be done
>> and the cache would be refreshed with any new info from
>> a new card.
>>
>> When CardDeauthenticate or CardDeauthenticateEx are called the
>> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context would be done.
>>
>> Since winlogon is not run from a user environment, I copied the 12
>> OpenSC dlls to Windows\system32 and changed the registry entry for
>> 80000001 from:
>>     c:\Program Files\opensc\bin\opensc-cardmod32.dll
>> to
>>     opensc-cardmod32.dll
>>
>
> Martin's installer takes care of installing the dll in the system.
> The goal is to provide a single dll, opensc-cardmod32.dll, without the
> need for other dlls. Again, it's good information.
>
>> There may be a better way, maybe using side by side assemblies, as if
>> OpenSSL is included, it may want to load other dlls too.
>>
>> One ATR and ATRMask in the registry could be used with many opensc
>> cards.
>>
>> --
>>
>>     Douglas E. Engert<deeng...@anl.gov>
>>     Argonne National Laboratory
>>     9700 South Cass Avenue
>>     Argonne, Illinois  60439
>>     (630) 252-5444
>>
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
> Regards,
> François.
>
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
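An added example to illustrate the bPinsFreshness point above (the
CardDeauthenticateEx fix); this is not OpenSC or Microsoft code. The
cardmod.h macros (CREATE_PIN_SET, SET_PIN, CLEAR_PIN, IS_PIN_SET, the ROLE_*
values) and the cardcf cache-file layout are reproduced here from memory of
the minidriver header and are assumptions; the function names cardcf_* are
made up for the example. It shows why CardAuthenticateEx, which gets a PIN_ID,
should use the set-bit macro, while CardDeauthenticateEx, which gets a
PIN_SET, should mask the set off directly with "&= ~PinId": feeding a PIN_SET
into a macro that expects a PIN_ID shifts an already-shifted value and clears
the wrong role's bit.

```c
/*
 * Example (not OpenSC/Microsoft code): PIN_ID vs PIN_SET handling of the
 * bPinsFreshness bitmask in the minidriver "cardcf" cache file.
 * Macros and struct layout below are assumed to match cardmod.h.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t PIN_ID;   /* index of a PIN role, 0..MAX_PINS-1 */
typedef uint32_t PIN_SET;  /* bitmask, bit n set = role n selected */

#define MAX_PINS        8
#define ROLE_EVERYONE   0
#define ROLE_USER       1
#define ROLE_ADMIN      2

/* Assumed cardmod.h-style helpers: they take a PIN_ID, not a PIN_SET. */
#define CREATE_PIN_SET(PinId)     (1u << (PinId))
#define SET_PIN(PinSet, PinId)    ((PinSet) |= CREATE_PIN_SET(PinId))
#define CLEAR_PIN(PinSet, PinId)  ((PinSet) &= ~CREATE_PIN_SET(PinId))
#define IS_PIN_SET(PinSet, PinId) (0 != ((PinSet) & CREATE_PIN_SET(PinId)))

#define PIN_SET_USER   CREATE_PIN_SET(ROLE_USER)   /* 0x02 */
#define PIN_SET_ADMIN  CREATE_PIN_SET(ROLE_ADMIN)  /* 0x04 */

/* Assumed layout of the cardcf cache file the BaseCSP reads. */
typedef struct {
    uint8_t  bVersion;
    uint8_t  bPinsFreshness;        /* which PINs are currently authenticated */
    uint16_t wContainersFreshness;  /* bumped when a container changes */
    uint16_t wFilesFreshness;       /* bumped when a file changes */
} CARD_CACHE_FILE_FORMAT;

/* CardAuthenticateEx receives a PIN_ID: mark that single PIN as fresh. */
int cardcf_authenticate(CARD_CACHE_FILE_FORMAT *cf, PIN_ID pin)
{
    if (pin >= MAX_PINS) return -1;
    SET_PIN(cf->bPinsFreshness, pin);
    return 0;
}

/* CardDeauthenticateEx receives a PIN_SET: clear every bit in that set. */
int cardcf_deauthenticate(CARD_CACHE_FILE_FORMAT *cf, PIN_SET set)
{
    if (set == 0 || (set >> MAX_PINS) != 0) return -1;  /* bits outside the 8 roles */
    cf->bPinsFreshness &= (uint8_t)~set;
    return 0;
}

/* The trap: the PIN_SET argument treated as if it were a PIN_ID. */
void cardcf_deauthenticate_wrong(CARD_CACHE_FILE_FORMAT *cf, PIN_SET set)
{
    CLEAR_PIN(cf->bPinsFreshness, set);  /* 1 << 0x02 clears ROLE_ADMIN's bit */
}

int cardcf_is_authenticated(const CARD_CACHE_FILE_FORMAT *cf, PIN_ID pin)
{
    return pin < MAX_PINS && IS_PIN_SET(cf->bPinsFreshness, pin);
}

/* Login cycle: user and admin PINs verified, then the user PIN set is
 * deauthenticated. Returns the resulting bPinsFreshness byte. */
uint8_t cardcf_cycle(int use_wrong_deauth)
{
    CARD_CACHE_FILE_FORMAT cf = {0};
    cardcf_authenticate(&cf, ROLE_USER);
    cardcf_authenticate(&cf, ROLE_ADMIN);          /* freshness = 0x06 */
    if (use_wrong_deauth)
        cardcf_deauthenticate_wrong(&cf, PIN_SET_USER);
    else
        cardcf_deauthenticate(&cf, PIN_SET_USER);
    return cf.bPinsFreshness;
}

int main(void)
{
    printf("deauth PIN_SET_USER: correct=0x%02x wrong=0x%02x\n",
           cardcf_cycle(0), cardcf_cycle(1));
    return 0;
}
```

With both PINs fresh (0x06), the correct path leaves only the admin bit
(0x04); the mistaken path leaves 0x02, i.e. the user PIN still reported as
authenticated and the admin PIN dropped. That is the kind of stale-state
mismatch the BaseCSP reacts badly to, which is why the operand type of the
PinId parameter matters in CardDeauthenticateEx.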
