Testing opensc-cardmod.dll r5270 on Vista, login to AD works with
two different cards to the same account. But certutil has a problem.
I see from:
certutil -store -user My
Key Container = {01000000-0000-0000-0000-000000000000}
So it looks like the serial number of the card is not being used,
just the ID of the cert which in the PIV case is 01.
I can log in vista using two different cards, but running
certutil -store -user My
when it promps to have the first card inserted I insert the second
instead, it tries to do a signature operations which fails, and
certuril types out the expected public key and what it found on
the card
See attachment Vista output. (Some fields were edited with XXXXX.)
Using the same two cards on Windows 7 with the Microsoft PIV
card driver the Key Container name is derived from the serial number
and the ID of the cert (5fc105) (In OpenSC I uses 01,02,03,04, Microsoft
used some fields from NIST 800-73 to assign IDs to the certs.)
On W7:
certutil -store -user My
================ Certificate 17 ================
Serial Number: 1507cdb40000000feb0d
Issuer: CN=XXXXXXXX, DC=anl, DC=gov
NotBefore: 1/12/2011 3:51 PM
NotAfter: 1/12/2012 3:51 PM
Subject: CN=XXXXXX
Non-root Certificate
Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
When certutil asks for a card to be inserted, inserting the wrong card
gives in the details from the pop up window:
"A smart card was detected but is not the
one required for the current operation. The
smart card you are using may be missing
required driver software or a required
certificate. Contact your system"
This would indicate to me that the Key Container needs to be unique,
and the mods in r5720 are not including the serial number into the
ContainerID as the previous code used both.
On 3/23/2011 2:50 PM, Douglas E. Engert wrote:
On 3/23/2011 1:40 PM, Viktor TARASOV wrote:
Le 22/03/2011 20:11, Douglas E. Engert a écrit :
Back from vacation. Cardmod based on svn r5244 works on Vista with PIV
so the mods look OK.
Please, can you try r5270?
I am not in the office today, I will try it tomorrow.
On 3/14/2011 7:56 AM, Douglas E. Engert wrote:
On 3/12/2011 1:40 PM, Viktor TARASOV wrote:
Hi,
For container's GUID I propose to adopt the classic serialized form
(ex.{3F2504E0-4F89-11D3-9A0C-0305E82C3301})
used by Windows containers.
In this patch there is also little simplification of the key research, and some
minor remarks.
(I am on vacation, so have not looked closely at the modification.
I cannot test anything until next week.)
What I had tried to do was use the card serial number || ID of the key.
It looks like you are doing this.
The Windows 7 built in driver for the PIV card was doing something like this.
I don't think the OpenSC containerID should match the W7 containerID
as there might be some confusion over which driver should be used.
(I could be wrong about this.)
Kind wishes,
Viktor.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
U:\>certutil -store -user My
My
================ Certificate 0 ================
Serial Number: 1507cdb40000000feb0d
Issuer: CN=XXXXX, DC=anl, DC=gov
NotBefore: 1/12/2011 3:51 PM
NotAfter: 1/12/2012 3:51 PM
Subject: CN=XXXXXXXX
Non-root Certificate
Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
Key Container = {01000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Encryption test FAILED
================ Certificate 1 ================
Serial Number: 48e39492
Issuer: OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entr
ust, C=US
NotBefore: 8/9/2010 10:33 AM
NotAfter: 7/9/2013 11:03 AM
Subject: SERIALNUMBER=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Non-root Certificate
Cert Hash(sha1): 95 9c c8 4b 33 7e d9 f8 c9 ca 1a 06 61 7f 73 17 8e 84 85 50
Key Container = {04000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Private key is NOT exportable
Signature test passed
================ Certificate 2 ================
Serial Number: 48e39490
Issuer: OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entr
ust, C=US
NotBefore: 8/9/2010 10:33 AM
NotAfter: 7/9/2013 11:03 AM
Subject: XXXXXXXXXXXXXXXXX
Non-root Certificate
Cert Hash(sha1): 45 f3 bc 31 b1 69 45 67 68 e1 77 3b bd d1 88 59 8c 80 13 31
Key Container = {03000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Private key is NOT exportable
ERROR: Certificate public key does NOT match private key
================ Certificate 3 ================
Serial Number: 48e3948f
Issuer: OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entr
ust, C=US
NotBefore: 8/9/2010 10:33 AM
NotAfter: 7/9/2013 11:03 AM
Subject: XXXXXXX
Non-root Certificate
Cert Hash(sha1): 45 75 96 d6 39 d4 1c d7 32 c3 0e 5f 49 15 3f d5 88 6f 07 84
Key Container = {02000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Private key is NOT exportable
Signature test passed
================ Certificate 4 ================
Serial Number: 48e39491
Issuer: OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entr
ust, C=US
NotBefore: 8/9/2010 10:33 AM
NotAfter: 7/9/2013 11:03 AM
Subject: XXXXXX
Non-root Certificate
Cert Hash(sha1): 40 bb b3 cc b4 4f 52 3b 70 46 aa 5e 3e 6a 73 c8 39 2e 49 c8
Key Container = {01000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Private key is NOT exportable
Signature test passed
Running again, but inserting real card in place of first:
U:\>certutil -store -user My
My
================ Certificate 0 ================
Serial Number: 1507cdb40000000feb0d
Issuer: CN=XXXXX, DC=anl, DC=gov
NotBefore: 1/12/2011 3:51 PM
NotAfter: 1/12/2012 3:51 PM
Subject: CN=XXXXXXXX
Non-root Certificate
Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
Key Container = {01000000-0000-0000-0000-000000000000}
Provider = Microsoft Base Smart Card Crypto Provider
Private key is NOT exportable
Certificate Public Key:
Version: 3
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 ca 91 d8 b8 9d 49 5f
0010 2c 50 5e c7 03 6b a5 7b 14 48 ed 5f 88 5c ab fb
0020 47 37 ce 1e c2 29 11 fa 29 eb 3a e8 b5 77 02 9a
0030 60 b7 e5 40 3c 92 0a e6 ea 05 82 9c 77 d6 65 99
0040 d5 43 43 52 ed a0 c4 44 d3 79 c4 33 34 43 ad d1
0050 ad e6 f8 30 a4 85 6c 48 88 25 7c 4a 89 7c 8d f2
0060 06 45 74 92 20 c8 ae 55 11 3d 97 31 10 76 0c b0
0070 d3 5f 4c 09 d3 bc 36 7c 44 c1 f1 f6 61 81 29 cf
0080 a8 3f 1a ba 4b 65 dc 13 6a f6 07 17 21 2a 9e 8a
0090 c5 b5 3b 02 e4 e6 94 da 6a 04 d2 85 82 e1 86 9d
00a0 51 68 95 86 28 a3 b1 dc a9 e3 80 f0 45 56 15 38
00b0 fc b8 dd 76 dc ab a5 a6 f8 69 28 54 33 cf d5 04
00c0 92 0e a9 79 87 41 e7 84 fa 57 61 62 fa 02 43 0e
00d0 29 95 7a d7 23 28 99 fb f7 c0 66 62 1f 88 95 30
00e0 7d f9 ca ac 2c e3 5a 00 06 d9 b3 90 70 57 31 56
00f0 71 1c 01 0f a9 66 04 96 b6 f4 b5 cb e1 d9 48 d7
0100 0c 36 4d d8 d6 e4 c7 18 e9 02 03 01 00 01
Key Id Hash(rfc-sha1): 07 81 00 49 27 f7 d7 c5 c3 a3 7c 7d fe 80 41 26 92 e0 31
df
Key Id Hash(sha1): 56 75 70 c1 d7 9d 32 d0 18 8e f1 e0 4a 09 76 d7 a4 b2 78 e2
Container Public Key:
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters: NULL
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 a8 07 a9 e0 79 4b 8b dd c0
0010 56 af 25 b3 ac 24 48 a5 e1 24 54 cc 1a c2 f5 cf
0020 ee 52 6b 9c ea c1 fb 97 d9 c7 5f d5 a3 51 0b dc
0030 22 25 a9 c0 ca 34 de e2 c3 9b ae dd e0 22 ed 16
0040 90 1f 30 64 9c 93 f3 73 b6 13 6a 01 15 b5 a3 69
0050 8a d5 d3 b9 21 51 ed a3 84 e2 26 4d 85 e2 f8 ff
0060 a9 ba 5c 8d f3 fd 50 cd d8 d2 58 22 13 58 22 d4
0070 0a 91 76 73 b8 dd f4 58 ac d4 8b 1a 23 c9 64 0f
0080 e9 e0 28 8c 3e 0e a9 02 03 01 00 01
Key Id Hash(rfc-sha1): bb 21 a1 59 21 61 f4 38 e6 e6 67 b0 a3 64 9f 0f ff ef d5
95
Key Id Hash(sha1): c3 6c eb 61 a9 3f 13 93 56 0c 5f 71 ad 96 08 3c af a4 60 77
ERROR: Certificate public key does NOT match stored keyset
Signature test FAILED
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
