On 25/03/2011 17:23, Douglas E. Engert wrote:
> Testing opensc-cardmod.dll r5270 on Vista, login to AD works with
> two different cards to the same account. But certutil has a problem.
> I see from:
> certutil -store -user My
>
> Key Container = {01000000-0000-0000-0000-000000000000}
>
> So it looks like the serial number of the card is not being used,
> just the ID of the cert which in the PIV case is 01.

Please, try r5271. Before this release, to get the card's serial number I was using card->serialnr. The PIV card driver does not set this member. Now the 'GET_SERIAL' ctl call is used.

> I can log in vista using two different cards, but running
> certutil -store -user My
>
> when it prompts to have the first card inserted I insert the second
> instead, it tries to do a signature operation which fails, and
> certutil types out the expected public key and what it found on
> the card
>
> See attachment Vista output. (Some fields were edited with XXXXX.)
>
> Using the same two cards on Windows 7 with the Microsoft PIV
> card driver the Key Container name is derived from the serial number
> and the ID of the cert (5fc105) (In OpenSC I use 01,02,03,04, Microsoft
> used some fields from NIST 800-73 to assign IDs to the certs.)
>
> On W7:
> certutil -store -user My
>
> ================ Certificate 17 ================
> Serial Number: 1507cdb40000000feb0d
> Issuer: CN=XXXXXXXX, DC=anl, DC=gov
> NotBefore: 1/12/2011 3:51 PM
> NotAfter: 1/12/2012 3:51 PM
> Subject: CN=XXXXXX
> Non-root Certificate
> Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
> Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
> Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
>
> When certutil asks for a card to be inserted, inserting the wrong card
> gives in the details from the pop up window:
>
> "A smart card was detected but is not the
> one required for the current operation. The
> smart card you are using may be missing
> required driver software or a required
> certificate. Contact your system"
>
> This would indicate to me that the Key Container needs to be unique,
> and the mods in r5720 are not including the serial number into the
> ContainerID as the previous code used both.
>
> On 3/23/2011 2:50 PM, Douglas E. Engert wrote:
>>
>> On 3/23/2011 1:40 PM, Viktor TARASOV wrote:
>>> On 22/03/2011 20:11, Douglas E. Engert wrote:
>>>> Back from vacation. Cardmod based on svn r5244 works on Vista with PIV
>>>> so the mods look OK.
>>> Please, can you try r5270?
>>
>> I am not in the office today, I will try it tomorrow.
>>
>>>> On 3/14/2011 7:56 AM, Douglas E. Engert wrote:
>>>>>
>>>>> On 3/12/2011 1:40 PM, Viktor TARASOV wrote:
>>>>>> Hi,
>>>>>>
>>>>>> For container's GUID I propose to adopt the classic serialized form
>>>>>> (ex. {3F2504E0-4F89-11D3-9A0C-0305E82C3301})
>>>>>> used by Windows containers.
>>>>>>
>>>>>> In this patch there is also a little simplification of the key research,
>>>>>> and some minor remarks.
>>>>>>
>>>>> (I am on vacation, so have not looked closely at the modification.
>>>>> I cannot test anything until next week.)
>>>>>
>>>>> What I had tried to do was use the card serial number || ID of the key.
>>>>> It looks like you are doing this.
>>>>> The Windows 7 built in driver for the PIV card was doing something like
>>>>> this.
>>>>> I don't think the OpenSC containerID should match the W7 containerID
>>>>> as there might be some confusion over which driver should be used.
>>>>> (I could be wrong about this.)
>>>>>
>>>>>> Kind wishes,
>>>>>> Viktor.

--
Viktor Tarasov <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
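The thread turns on one point: a key container name built from the key ID alone (01, 02, ...) is the same on every card, so Windows cannot tell two cards apart and certutil ends up signing with the wrong one, whereas a name derived from card serial number || key ID is unique per card and stable across insertions. The following is an added example written for this page, not OpenSC's or Windows' own code: it models both schemes over constructed card serials and shows the collision the first one produces. The namespace UUID, the "serial:keyid" naming convention and the use of a name-based (RFC 4122 v5) UUID to squeeze an arbitrary-length serial into the GUID form are assumptions of the example; the key-ID-only form reproduces the {01000000-0000-0000-0000-000000000000} seen in the Vista output.

```python
import uuid
from typing import Callable, Dict, List

# Constructed namespace for the name-based UUIDs (an assumption of this
# example, not a value used by OpenSC or Windows).
CONTAINER_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")

# Constructed card serials: two different cards, each carrying keys 01..04
# (the IDs the thread says OpenSC assigns to the PIV certificates).
CARDS: Dict[str, bytes] = {
    "card-A": bytes.fromhex("d4c3b2a1000000000001"),
    "card-B": bytes.fromhex("d4c3b2a1000000000002"),
}
KEY_IDS: List[bytes] = [b"\x01", b"\x02", b"\x03", b"\x04"]

Derive = Callable[[bytes, bytes], str]


def windows_form(u: uuid.UUID) -> str:
    """Serialized GUID form used for Windows key containers: {XXXXXXXX-XXXX-...}."""
    return "{" + str(u).upper() + "}"


def key_id_only_container(serial: bytes, key_id: bytes) -> str:
    """Collision-prone scheme: the serial is ignored and the key ID is
    zero-padded into the 16 GUID bytes. Every card with key 01 yields
    {01000000-0000-0000-0000-000000000000}."""
    del serial  # deliberately unused
    raw = key_id.ljust(16, b"\x00")[:16]
    return windows_form(uuid.UUID(bytes=raw))


def serial_and_key_id_container(serial: bytes, key_id: bytes) -> str:
    """Unique-per-card scheme: serial || key ID, mapped through a name-based
    UUID so the result is deterministic for one card and fits the GUID form
    however long the serial is. The 'serial:keyid' name is an assumption."""
    name = serial.hex() + ":" + key_id.hex()
    return windows_form(uuid.uuid5(CONTAINER_NAMESPACE, name))


def find_collisions(cards: Dict[str, bytes], key_ids: List[bytes],
                    derive: Derive) -> Dict[str, List[str]]:
    """Derive every container name across all cards and keys; return the
    names that more than one card produces, with the cards that share them."""
    owners: Dict[str, List[str]] = {}
    for label, serial in cards.items():
        for kid in key_ids:
            owners.setdefault(derive(serial, kid), []).append(label)
    return {name: who for name, who in owners.items() if len(set(who)) > 1}


def is_stable(serial: bytes, key_id: bytes, derive: Derive) -> bool:
    """A container name must not change between insertions of the same card."""
    return derive(serial, key_id) == derive(serial, key_id)


if __name__ == "__main__":
    for label, derive in (("key ID only", key_id_only_container),
                          ("serial || key ID", serial_and_key_id_container)):
        clashes = find_collisions(CARDS, KEY_IDS, derive)
        print(f"{label}: {len(clashes)} container name(s) shared between cards")
        for name, who in clashes.items():
            print(f"  {name} <- {', '.join(who)}")
```

Running it prints four shared names for the key-ID-only scheme (one per key ID) and none for the serial-based one, which is exactly the difference between the Vista behaviour reported above and the Windows 7 driver's per-card container names.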