On 1/28/2011 11:58 AM, Martin Paljak wrote:
> Hello,
> On Jan 28, 2011, at 12:36 AM, Douglas E. Engert wrote:
>> The changes are large, and still not ready. The 3 changes I discussed on
>> 1/19 are still in this patch. Martin is working on a different version of
>> the "don't run sc_ctx_detect_reader" part of this patch.
>>
>> Martin, any idea when that will be ready?
> The parts that remove sc_ctx_detect_reader calling when creating a context
> should be OK with the patch I sent before. There was no feedback from Brian
> but I assume it would work for him too.
> Feel free to apply it if you need this or point out any deficiencies with
> this approach.

OK, I will try your patch. I somehow missed it before, but still have the
e-mail.

>
> Fixing/improving PC/SC driver and adding a different initialization method
> for minidriver use (with an existing card handle and context handle) requires
> more work for what I hope to find time sometime next week, but I'm not 100%
> certain in it.

>> The Microsoft documentation says the intent of the CardDeauthenticate
>> function is to reset the card.... But this is not being done.
>
> Compare to C_Logout() in OpenSC PKCS#11?

I think so. That is the way I read it. sc-minidriver_specs_V7.docx says
if the older CardDeauthenticate is NULL the BaseCSP would reset the card.
But the newer CardDeauthenticateEx is required.

The cardmod code caches some data but does not check if the card has been
removed. It should do this type of check at every operation, or at least
at some of them which may occur after some delay when the user could have
removed the card.

>
>> The Windows login will load opensc-cardmod.dll and keep it active
>> for the session. It will call CardAcquireContext multiple times
>> passing in a new handle. The current code cannot recognize that
>> a card has been withdrawn and a new one inserted during login.
>>
>> A side effect is the debug_file from opensc.conf stays open!
>>
>> I think this is caused by the sc_context_create, connect, bind
>> and reading of the certs are only done when CardAcquireContext is called.
>> I could see CardAcquireContext, do what it does now, then call
>> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context. This would
>> reset the card and also close the debug_file and allow for the card to
>> be removed.
>>
>> Then when CardAuthenticatePin or CardAuthenticateEx are called, a new
>> sc_context_create, sc_connect_card and sc_pkcs15_bind would be done
>> and the cache would be refreshed with any new info from
>> a new card.
>>
>> When CardDeauthenticate or CardDeauthenticateEx are called the
>> sc_pkcs15_unbind, sc_disconnect_card, sc_release_context would be done.
>>
>> Since winlogin is not run from a user environment, I copied the 12 OpenSC
>> dlls to Windows\system32 and changed the registry entry for 80000001 from:
>> c:\Program Files\opensc\bin\opensc-cardmod32.dll
>> to
>> opensc-cardmod32.dll
>>
>> There may be a better way, maybe using side by side assemblies, as if
>> OpenSSL is included, it may want to load other dlls too.
> A static dll is the recommended way by Microsoft and easiest to manage
> (polluting system32 with random .dll-s is not nice, as noted by several
> people)

Yes. But how could we handle OpenSSL and its engine dlls like gosteay32.dll?

I still need to test if login can use the dlls in
C:\Program Files\opensc\bin or in a side-by-side assembly.

>
>
>> One ATR and ATRMask in the registry could be used with many opensc
>> cards.
> How? With a very relaxed mask? Shouldn't the ATR length still match?

Good point, I am not sure if the length is involved in the checks.
I will have to try with a shorter and longer ATR.

> You also lose the card name feature (one ATR/mask pair matching several cards)?

Yes, you lose the card name, but gain in easier install. This might be an
option for the Windows installer, for users who are only going to use OpenSC
with one or two cards. The installer could have a generic ATR and mask that
would cover all the OpenSC cards.

The card name appears to come from the Registry Key Name,
"DEE OPENSC" in the case below.

I was testing with:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\DEE OPENSC]
"ATR"=hex:3b,db,96,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ATRMask"=hex:ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"DEECOMMENT"="Add 00 as atr to turn off"
"dee.80000001"="C:\\Program Files\\opensc\\bin\\opensc-cardmod32.dll"
"80000001"="opensc-cardmod32.dll"

>
> Cheers,
> Martin

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
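
Added example (not part of the original message, and not OpenSC or Windows code): a C sketch of the ATR/ATRMask question discussed above, showing how one relaxed pair accepts several cards and how the result changes if the length must also match. The sample ATRs and the names parse_reg_hex, registry_accepts and strict_len are constructed for illustration; whether Windows enforces the length is the open question in the thread and is not asserted here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Parse a .reg value such as "hex:3b,db,96" (commas, whitespace and "\"
 * line continuations allowed). Returns the byte count, or -1 on error. */
static int parse_reg_hex(const char *s, unsigned char *out, size_t max)
{
    size_t n = 0;
    if (strncmp(s, "hex:", 4) != 0) return -1;
    for (s += 4; *s; ) {
        if (*s == ',' || *s == '\\' || isspace((unsigned char)*s)) { s++; continue; }
        if (n == max || !isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return -1;
        char byte[3] = { s[0], s[1], '\0' };
        out[n++] = (unsigned char)strtoul(byte, NULL, 16);
        s += 2;
    }
    return (int)n;
}

/* Constructed values: the thread's 3b,db,96 prefix and ff,ff,ff mask, cut to 8 bytes. */
static const char REG_ATR[]  = "hex:3b,db,96,00,00,00,00,00";
static const char REG_MASK[] = "hex:ff,ff,ff,00,00,00,00,\\\n  00";
static const unsigned char CARD_A[]     = { 0x3b, 0xdb, 0x96, 0x00, 0x80, 0x1f, 0x03, 0x00 }; /* constructed */
static const unsigned char CARD_SHORT[] = { 0x3b, 0xdb, 0x96, 0x11, 0x22, 0x33 };             /* constructed, shorter */
static const unsigned char CARD_OTHER[] = { 0x3b, 0x7d, 0x96, 0x00, 0x80, 0x1f, 0x03, 0x00 }; /* differs in a masked byte */

/* Masked compare against the registry pair. strict_len models the open question:
 * 1 = lengths must be equal, 0 = compare only the common prefix (hypothetical). */
static int registry_accepts(const unsigned char *card, size_t len, int strict_len)
{
    unsigned char atr[33], mask[33];
    int na = parse_reg_hex(REG_ATR, atr, sizeof atr);
    int nm = parse_reg_hex(REG_MASK, mask, sizeof mask);
    if (na < 0 || na != nm) return 0;               /* ATR and mask must pair up */
    if (strict_len && len != (size_t)na) return 0;  /* length check, if enforced */
    size_t n = len < (size_t)na ? len : (size_t)na;
    for (size_t i = 0; i < n; i++)
        if ((card[i] & mask[i]) != (atr[i] & mask[i])) return 0;
    return 1;
}

int main(void)
{
    printf("%d %d %d\n", registry_accepts(CARD_A, sizeof CARD_A, 1),
           registry_accepts(CARD_SHORT, sizeof CARD_SHORT, 1),
           registry_accepts(CARD_OTHER, sizeof CARD_OTHER, 0));
    return 0;
}
```

With only the first three bytes masked in, any card sharing that prefix is accepted, which is why a single generic pair trades away per-card names.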