On 1/28/2011 8:51 AM, francois.lebl...@cev-sa.com wrote:
>>>> [opensc-devel] Using Cardmod mini-driver on Vista with Login to AD
>>>>
>>>> Douglas E. Engert
>>>> To: OpenSC-devel
>>>> 27/01/2011 23:38
>>>> Sent by: opensc-devel-boun...@lists.opensc-project.org
>>>>
>>>> Just an update:
>>>> I am able to get the opensc-0.12.0 cardmod to work with login on Vista
>>>> to log in to our AD domain. This has required many changes, and there
>>>> are still many issues...
>>>>
>>>
>>> I've got cardmod working on Vista/7, not for login but with certutil
>>> -SCinfo
>>
>> That is the easy part. With login, more than one CardContext is
>> created for the same card, and keeps the context open during your
>> session and for the next session. Another reason the registry
>> cannot be used to pass the handles.
>
>
> The use of the registry is temporary. I don't see why the registry can't
> be used in this case, since the call to CardAcquireContext sets the
> registry value and immediately calls sc_context_create, which calls
> sc_ctx_detect_reader, and the values are taken and memorized in a
> structure for future use. So at least only one card handle can be used
> with a card.

   (1) It's a race condition. Login sets up more than one context,
       and uses different handles for each. I could have IE and Outlook
       and other applications all using my card at the same time.

   (2) There could be write access violations if the calling user is not
       allowed to write HKLM/Software. (Using HKCU will not work for login
       as there is no current user.)

   (3) The code to fix this is only a few lines, and avoids these issues.

>
>>
>>>
>>>> The changes are large, and still not ready. The 3 changes I
>>>> discussed on 1/19 are still in this patch. Martin is working on a
>>>> different version of the "don't run sc_ctx_detect_reader" part of
>>>> this patch.
>>>>
>>>
>>> 'sc_ctx_detect_reader': it's in this function that the smartcard
>>> context and handle are set, and used afterwards by other pcsc
>>> functions. If this is not called, I'm wondering how it can work?
>>>
>>>
>>>> Martin, any idea when that will be ready?
>>
>> The cardmod code will have to call sc_context_create, then
>>    call sc_ctx_detect_reader.
>
>
> That's exactly what happens: cardmod calls sc_context_create in
> CardAcquireContext, and sc_context_create calls sc_ctx_detect_reader.
> Have you introduced a call to sc_ctx_detect_reader in your code? If so,
> you call sc_ctx_detect_reader twice, and that's why this doesn't work
> for you.

No. It's only called once. Martin has said he wants to rewrite the code
that Brian was asking for. This is in the same area as needed for cardmod.
The patch I am using does it a different way.

>
>
>
>>
>>>>
>>>> A CardRSADecrypt function was added, as the Kerberos PKINIT protocol
>>>> used by login needs to decrypt returned data.
>>>>
>>>
>>> Good information, can you provide code?
>>
>> Yes, I wanted to provide a working patch, and want to see what Martin
>> does with the detect reader.
>>
>>>
>>>> The handling of the bPinsFreshness was changed in the
>>>> CardDeauthenticateEx routine. Without this change it appears the
>>>> BaseCSP has a problem. I am not sure how this freshness is supposed
>>>> to work, but the code in this spot did not look correct, and did not
>>>> work without this change.
>>>>
>>>
>>> It's working for me.
>>
>> It looked like a bug in that _VENDOR_SPECIFIC bPinsFreshness is
>> only referenced once in CardDeauthenticateEx:
>>     CLEAR_PIN(vs->bPinsFreshness, ROLE_USER);
>> It should be:
>>     vs->cardFiles.file_cardcf.bPinsFreshness &= ~PinId;
>> CardDeauthenticateEx is called with a PIN_SET.
>
>
> more exactly CLEAR_PIN(vs->cardFiles.file_cardcf, PinId)

I don't think so. In the call to CardDeauthenticateEx PinId is defined
as a PIN_SET. If you use CLEAR_PIN you are creating a PIN_SET
from a PIN_SET, and will clear the wrong bit, as the shift is done
an extra time.

#define     CREATE_PIN_SET(PinId)       (1 << PinId)
#define     CLEAR_PIN(PinSet, PinId)    PinSet &= ~CREATE_PIN_SET(PinId)

>
> I use Windows 7 and it works quite differently than Windows XP or
> Vista; that's certainly why the code works on some computers and not on
> others...

Login will stress the code a lot more than certutil.

The card I am interested in is the PIV card. In Windows 7 Microsoft
provides a PIV minidriver, so I don't even need OpenSC on Windows 7.
So I am testing on Vista.

This also means I can use the same card on W7 and on Vista (and XP)
and see what gets added to the cert store. This has been very
informative, as to how the W7 driver uses the serial number and
key container name.

>
>
>>
>>>
>>>> The pkcs15 serial number is now used for the card serial number.
>>>>
>>>
>>> Ok another great change, can you provide code too please?
>>

I am porting the patch from opensc-0.12.0 to svn. I will send you
a copy of it today.

>> Yes see above.
>>
>
> Regards,
> François
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
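The PIN_SET double-shift discussed above, as an added example that is not part of the thread, of OpenSC's cardmod, or of Microsoft's minidriver headers. The two macros are the ones quoted in the thread; the PIN_ID/PIN_SET typedefs and ROLE_* values follow the minidriver convention of one bit per role, and the two helper functions, their names and the starting freshness value are constructed for this illustration. It shows that feeding a PIN_SET to CLEAR_PIN (which expects a PIN_ID) shifts a second time and clears the admin bit instead of the user bit, while masking with `&= ~PinId` clears the right bit and also handles a set that names several roles at once.

```c
/* Added example (not OpenSC or Microsoft code): why CLEAR_PIN() clears the
 * wrong freshness bit when it is handed a PIN_SET instead of a PIN_ID.
 * Macros are as quoted in the thread; helper names are invented here.
 * Build: cc -Wall -o pinset pinset.c && ./pinset */
#include <assert.h>
#include <stdio.h>

typedef unsigned int PIN_ID;   /* index of one PIN role, 0..7            */
typedef unsigned int PIN_SET;  /* bitmask with one bit per PIN role      */

#define ROLE_EVERYONE 0
#define ROLE_USER     1
#define ROLE_ADMIN    2

#define CREATE_PIN_SET(PinId)       (1 << PinId)
#define CLEAR_PIN(PinSet, PinId)    PinSet &= ~CREATE_PIN_SET(PinId)
#define IS_PIN_SET(PinSet, PinId)   (0 != ((PinSet) & CREATE_PIN_SET(PinId)))

/* The form the thread says was in cardmod: the PIN_SET argument is treated
 * as a PIN_ID, so CREATE_PIN_SET() shifts it a second time. */
unsigned char deauth_with_clear_pin(unsigned char bPinsFreshness, PIN_SET PinId)
{
    CLEAR_PIN(bPinsFreshness, PinId);
    return bPinsFreshness;
}

/* The form Douglas proposes: PinId is already a mask, so mask it out
 * directly. This also works when several roles arrive in one PIN_SET. */
unsigned char deauth_with_mask(unsigned char bPinsFreshness, PIN_SET PinId)
{
    bPinsFreshness &= (unsigned char)~PinId;
    return bPinsFreshness;
}

int main(void)
{
    /* Constructed state: both the user and the admin PIN are "fresh". */
    unsigned char fresh = CREATE_PIN_SET(ROLE_USER) | CREATE_PIN_SET(ROLE_ADMIN);
    /* What CardDeauthenticateEx receives when only the user PIN is dropped. */
    PIN_SET user_only = CREATE_PIN_SET(ROLE_USER);

    unsigned char wrong = deauth_with_clear_pin(fresh, user_only);
    unsigned char right = deauth_with_mask(fresh, user_only);

    printf("before:     0x%02x\n", fresh);
    printf("CLEAR_PIN:  0x%02x (user set: %d, admin set: %d)\n",
           wrong, IS_PIN_SET(wrong, ROLE_USER), IS_PIN_SET(wrong, ROLE_ADMIN));
    printf("&= ~PinId:  0x%02x (user set: %d, admin set: %d)\n",
           right, IS_PIN_SET(right, ROLE_USER), IS_PIN_SET(right, ROLE_ADMIN));
    return 0;
}
```

With the user and admin bits both set (0x06) and a PIN_SET of 0x02 for the user role, CLEAR_PIN leaves 0x02 (the user bit survives and the admin bit is gone), whereas the mask form leaves 0x04. A later CardAuthenticateEx that consults bPinsFreshness would therefore see the user PIN as still fresh after a deauthentication, which matches the "BaseCSP has a problem" symptom the thread reports.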