On 25/03/2011 17:23, Douglas E. Engert wrote:
> Testing opensc-cardmod.dll r5270 on Vista, login to AD works with
> two different cards to the same account. But certutil has a problem.
> I see from:
> certutil -store -user My
>
>    Key Container = {01000000-0000-0000-0000-000000000000}
>
> So it looks like the serial number of the card is not being used,
> just the ID of the cert which in the PIV case is 01.

Please try r5271.
Before this release, to get the card's serial number I was using card->serialnr.
The PIV card driver does not set this member.
Now the 'GET_SERIAL' ctl call is used.



>
> I can log in vista using two different cards, but running
> certutil -store -user My
>
> when it prompts to have the first card inserted I insert the second
> instead, it tries to do a signature operation which fails, and
> certutil types out the expected public key and what it found on
> the card
>
> See attachment Vista output. (Some fields were edited with XXXXX.)
>
> Using the same two cards on Windows 7 with the Microsoft PIV
> card driver the Key Container name is derived from the serial number
> and the ID of the cert (5fc105). (In OpenSC I use 01,02,03,04; Microsoft
> used some fields from NIST 800-73 to assign IDs to the certs.)
>
> On W7:
> certutil -store -user My
>
> ================ Certificate 17 ================
> Serial Number: 1507cdb40000000feb0d
> Issuer: CN=XXXXXXXX, DC=anl, DC=gov
>  NotBefore: 1/12/2011 3:51 PM
>  NotAfter: 1/12/2012 3:51 PM
> Subject: CN=XXXXXX
> Non-root Certificate
> Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
> Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
>   Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
>
>
> When certutil asks for a card to be inserted, inserting the wrong card
> gives in the details from the pop up window:
>
>  "A smart card was detected but is not the
>   one required for the current operation. The
>   smart card you are using may be missing
>   required driver software or a required
>   certificate. Contact your system"
>
> This would indicate to me that the Key Container needs to be unique,
> and the mods in r5720 are not including the serial number into the
> ContainerID as the previous code used both.
>
>
>
> On 3/23/2011 2:50 PM, Douglas E. Engert wrote:
>>
>>
>> On 3/23/2011 1:40 PM, Viktor TARASOV wrote:
>>> On 22/03/2011 20:11, Douglas E. Engert wrote:
>>>> Back from vacation. Cardmod based on svn r5244 works on Vista with PIV
>>>> so the mods look OK.
>>> Please, can you try r5270?
>>
>> I am not in the office today, I will try it tomorrow.
>>
>>
>>>
>>>
>>>>
>>>>
>>>> On 3/14/2011 7:56 AM, Douglas E. Engert wrote:
>>>>>
>>>>>
>>>>> On 3/12/2011 1:40 PM, Viktor TARASOV wrote:
>>>>>> Hi,
>>>>>>
>>>>>> For container's GUID I propose to adopt the classic serialized form 
>>>>>> (ex.{3F2504E0-4F89-11D3-9A0C-0305E82C3301})
>>>>>> used by Windows containers.
>>>>>>
>>>>>> In this patch there is also little simplification of the key research, 
>>>>>> and some minor remarks.
>>>>>>
>>>>>
>>>>> (I am on vacation, so have not looked closely at the modification.
>>>>> I cannot test anything until next week.)
>>>>>
>>>>> What I had tried to do was use the card serial number || ID of the key.
>>>>> It looks like you are doing this.
>>>>> The Windows 7 built in driver for the PIV card was doing something like 
>>>>> this.
>>>>> I don't think the OpenSC containerID should match the W7 containerID
>>>>> as there might be some confusion over which driver should be used.
>>>>> (I could be wrong about this.)
>>>>>
>>>>>>
>>>>>> Kind wishes,
>>>>>> Viktor.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> opensc-devel mailing list
>>>>>> opensc-devel@lists.opensc-project.org
>>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>>
>>>>
>>>
>>>
>>
>


-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>
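The thread's point is that the container name has to differ per card: when the serial number is unavailable, the cert ID alone (01) fills the name and two cards with the same cert ID collide, which is exactly the "{01000000-0000-0000-0000-000000000000}" symptom above. The following is an added illustration, not OpenSC code or the cardmod patch under discussion; it assumes a hypothetical layout (key ID byte first, then the card serial, zero-padded to the 16 bytes of a GUID) and uses constructed serial numbers. In real code the serial would come from the card via the ctl call Viktor names, not from a literal.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define GUID_BYTES 16
#define GUID_STR_LEN 39   /* "{8-4-4-4-12}" is 38 chars plus the NUL */

/* Hypothetical container-ID layout (an assumption, not OpenSC's):
 * raw[0] = key/cert ID, raw[1..] = card serial bytes, rest zero.
 * Returns 0 when a serial was present, -1 when it was missing
 * (the resulting name is then the same for every card). */
int build_container_guid(uint8_t key_id, const uint8_t *serial,
                         size_t serial_len, char out[GUID_STR_LEN])
{
    static const char HEX[] = "0123456789ABCDEF";
    uint8_t raw[GUID_BYTES];
    size_t n = serial_len, pos = 0, i;

    memset(raw, 0, sizeof raw);
    raw[0] = key_id;
    if (n > GUID_BYTES - 1)
        n = GUID_BYTES - 1;          /* never overwrite the key ID byte */
    if (serial != NULL && n > 0)
        memcpy(raw + 1, serial, n);

    /* Classic serialized GUID form: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} */
    out[pos++] = '{';
    for (i = 0; i < GUID_BYTES; i++) {
        if (i == 4 || i == 6 || i == 8 || i == 10)
            out[pos++] = '-';
        out[pos++] = HEX[raw[i] >> 4];
        out[pos++] = HEX[raw[i] & 0x0F];
    }
    out[pos++] = '}';
    out[pos] = '\0';
    return (serial != NULL && serial_len > 0) ? 0 : -1;
}

/* Convenience check: does the layout produce the expected name? */
int guid_matches(const char *expected, uint8_t key_id,
                 const uint8_t *serial, size_t serial_len)
{
    char buf[GUID_STR_LEN];
    build_container_guid(key_id, serial, serial_len, buf);
    return strcmp(buf, expected) == 0;
}

/* Constructed serial numbers for two cards holding cert ID 01 each. */
static const uint8_t CARD_A[] = { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18 };
static const uint8_t CARD_B[] = { 0x5E, 0x4D, 0x3C, 0x2B, 0x1A, 0x09, 0xF8, 0xE7 };

/* The failure mode from the thread: no serial -> both cards get one name. */
int missing_serial_collides(void)
{
    char a[GUID_STR_LEN], b[GUID_STR_LEN];
    build_container_guid(0x01, NULL, 0, a);
    build_container_guid(0x01, NULL, 0, b);
    return strcmp(a, b) == 0;
}

/* With the serial included, the same cert ID yields distinct containers. */
int serial_distinguishes_cards(void)
{
    char a[GUID_STR_LEN], b[GUID_STR_LEN];
    build_container_guid(0x01, CARD_A, sizeof CARD_A, a);
    build_container_guid(0x01, CARD_B, sizeof CARD_B, b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    char buf[GUID_STR_LEN];
    int rc = build_container_guid(0x01, NULL, 0, buf);
    printf("no serial : %s (rc=%d)\n", buf, rc);
    build_container_guid(0x01, CARD_A, sizeof CARD_A, buf);
    printf("card A    : %s\n", buf);
    build_container_guid(0x01, CARD_B, sizeof CARD_B, buf);
    printf("card B    : %s\n", buf);
    return 0;
}
```

The -1 return is the check worth keeping: a cardmod that silently formats a zeroed serial produces a name Windows cannot use to tell the cards apart, which is why certutil's "wrong card" prompt and the failed signature appear only once a second card with the same cert ID is in play.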
