On 3/28/2011 7:06 AM, Viktor TARASOV wrote:
> Le 25/03/2011 20:51, Douglas E. Engert a écrit :
>>
>>
>> On 3/25/2011 1:25 PM, Viktor TARASOV wrote:
>>> Le 25/03/2011 17:23, Douglas E. Engert a écrit :
>>>> Testing opensc-cardmod.dll r5270 on Vista, login to AD works with
>>>> two different cards to the same account. But certutil has a problem.
>>>> I see from:
>>>> certutil -store -user My
>>>>
>>>>      Key Container = {01000000-0000-0000-0000-000000000000}
>>>>
>>>> So it looks like the serial number of the card is not being used,
>>>> just the ID of the cert which in the PIV case is 01.
>>>
>>> Please, try r5271 .
>>> Before this release, to get the card's serial number I was using
>>> card->serialnr.
>>> The PIV card driver does not set this member.
>>> Now 'GET_SERIAL' ctl call is used.
>>
>> Better.
>>
>> Using one card on Unix opensc-tool reports the serial as:
>>
>> Using reader with a card: Gemalto GemPC Twin 00 00
>> 6B 8E 7A C9 1D D2 11 B2 B7 19 00 14 4F 1F 5E F4 k.z.........O.^.
>>
>> On Vista with r5272 the key container is:
>>
>> Key Container = {016B8E7A-C91D-D211-B2B7-1900144F1F5E}
>> which drops the last byte of the serial number.
>> The leading 01 is the cert ID.
>>
>> On W7 with Microsoft driver:
>> Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
>>
>> The last 5fc105 is the cert ID, so Microsoft also dropped the last
>> byte of the serial number when creating the container!!
>> (They also reversed the first 4 bytes and the next 2 bytes,
>> probably treating them as integers.)
>>
>> Not using all of the serial number could lead to non-unique
>> names, especially if the last byte is the least significant
>> byte and card serial numbers are issued in order, and could be
>> considered a bug in W7 and OpenSC.
>
> Simple curiosity, have you already seen two serial numbers 16 bytes long
> that differ in one byte?
> 16 bytes vaguely suggests that it's also some GUID (random?).

No I have not seen this. But it is possible, as there is no restriction
on the serial number of cards being created in order. It is not likely
but possible that two of these cards could be used on the same machine.
The PIV can end up using the FASC-N where the last few bytes are a
userid code that does appear to be issued in order. So it is possible.

>
>>
>> Do we really need the GUID format? "{" and "}" and 4 "-" take up 6
>> characters that could be used for more serial number and ID.
>
> Not really.
> I've got used to this GUID format in the Windows world,
> and so it seemed to me quite natural to use it for the Windows containers.

The { - - - - } characters don't add any uniqueness, but do take 6 characters
of the 39, leaving only 32 to stuff a serial number and ID.

>
>> If other cards have longer serial numbers or IDs for the certs,
>> that could still be an issue.
> If you, or anyone else, think that canonical GUID format is not sufficient, I 
> will roll it back.

We should try and handle all cases. Readability of the container number
is a minor issue and most users will never see it.

In my case, if you just drop the { and } from the string that would handle PIV:
32 for serial and 2 for the ID.

>
>
>>
>> Yet with some auto-enroll certificates created by AD based
>> on Kerberos logins, the Key Container is much longer
>> so what is the limit?
>>
>>
>>    Key Container = 467bef787de60d6a86789cd51bfea96c_7a521a94-3f14-498c-a936-f08e895c2d99
>>    Simple container name: 53c7cb1b-8706-4813-89b4-c70beaba8d11
>>    Provider = Microsoft Base Cryptographic Provider v1.0
>>
>>
>>>
>>>
>>>
>>>>
>>>> I can log in vista using two different cards, but running
>>>> certutil -store -user My
>>>>
>>>> when it prompts to have the first card inserted I insert the second
>>>> instead, it tries to do a signature operation which fails, and
>>>> certutil types out the expected public key and what it found on
>>>> the card.
>>>>
>>>> See attachment Vista output. (Some fields were edited with XXXXX.)
>>>>
>>>> Using the same two cards on Windows 7 with the Microsoft PIV
>>>> card driver the Key Container name is derived from the serial number
>>>> and the ID of the cert (5fc105). (In OpenSC I use 01,02,03,04; Microsoft
>>>> used some fields from NIST 800-73 to assign IDs to the certs.)
>>>>
>>>> On W7:
>>>> certutil -store -user My
>>>>
>>>> ================ Certificate 17 ================
>>>> Serial Number: 1507cdb40000000feb0d
>>>> Issuer: CN=XXXXXXXX, DC=anl, DC=gov
>>>>    NotBefore: 1/12/2011 3:51 PM
>>>>    NotAfter: 1/12/2012 3:51 PM
>>>> Subject: CN=XXXXXX
>>>> Non-root Certificate
>>>> Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
>>>> Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
>>>>     Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
>>>>
>>>>
>>>> When certutil asks for a card to be inserted, inserting the wrong card
>>>> gives in the details from the pop up window:
>>>>
>>>>    "A smart card was detected but is not the
>>>>     one required for the current operation. The
>>>>     smart card you are using may be missing
>>>>     required driver software or a required
>>>>     certificate. Contact your system"
>>>>
>>>> This would indicate to me that the Key Container needs to be unique,
>>>> and the mods in r5720 are not including the serial number into the
>>>> ContainerID as the previous code used both.
>>>>
>>>>
>>>>
>>>> On 3/23/2011 2:50 PM, Douglas E. Engert wrote:
>>>>>
>>>>>
>>>>> On 3/23/2011 1:40 PM, Viktor TARASOV wrote:
>>>>>> Le 22/03/2011 20:11, Douglas E. Engert a écrit :
>>>>>>> Back from vacation. Cardmod based on svn r5244 works on Vista with PIV
>>>>>>> so the mods look OK.
>>>>>> Please, can you try r5270?
>>>>>
>>>>> I am not in the office today, I will try it tomorrow.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 3/14/2011 7:56 AM, Douglas E. Engert wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 3/12/2011 1:40 PM, Viktor TARASOV wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> For container's GUID I propose to adopt the classic serialized form 
>>>>>>>>> (ex.{3F2504E0-4F89-11D3-9A0C-0305E82C3301})
>>>>>>>>> used by Windows containers.
>>>>>>>>>
>>>>>>>>> In this patch there is also little simplification of the key 
>>>>>>>>> research, and some minor remarks.
>>>>>>>>>
>>>>>>>>
>>>>>>>> (I am on vacation, so have not looked closely at the modification.
>>>>>>>> I cannot test anything until next week.)
>>>>>>>>
>>>>>>>> What I had tried to do was use the card serial number || ID of the key.
>>>>>>>> It looks like you are doing this.
>>>>>>>> The Windows 7 built in driver for the PIV card was doing something 
>>>>>>>> like this.
>>>>>>>> I don't think the OpenSC containerID should match the W7 containerID
>>>>>>>> as there might be some confusion over which driver should be used.
>>>>>>>> (I could be wrong about this.)
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Kind wishes,
>>>>>>>>> Viktor.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> opensc-devel mailing list
>>>>>>>>> opensc-devel@lists.opensc-project.org
>>>>>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
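An added example (not OpenSC's own code) working through the two container-naming schemes discussed in this thread: the braced GUID form as it appears in the r5272 output, which has room for only 15 bytes of a 16-byte serial, and a plain serial||ID hex form that keeps the whole serial. The byte layout is inferred from the container name quoted above; SERIAL_B is a constructed neighbouring serial that differs only in its last byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the 16-byte PIV serial reported by opensc-tool in the
 * thread, plus a hypothetical card whose serial differs only in the final byte. */
static const uint8_t SERIAL_A[16] = {0x6B,0x8E,0x7A,0xC9,0x1D,0xD2,0x11,0xB2,
                                     0xB7,0x19,0x00,0x14,0x4F,0x1F,0x5E,0xF4};
static const uint8_t SERIAL_B[16] = {0x6B,0x8E,0x7A,0xC9,0x1D,0xD2,0x11,0xB2,
                                     0xB7,0x19,0x00,0x14,0x4F,0x1F,0x5E,0xF5};

/* Braced GUID form as seen in the r5272 output: the cert ID byte first,
 * then as much of the serial as the remaining 15 GUID bytes can hold.
 * Any serial byte beyond the 15th is silently dropped. out needs 39 bytes. */
void guid_container_name(uint8_t cert_id, const uint8_t *serial,
                         size_t serial_len, char out[39])
{
    uint8_t g[16] = {0};
    size_t n = serial_len < 15 ? serial_len : 15;
    g[0] = cert_id;
    memcpy(g + 1, serial, n);
    snprintf(out, 39,
             "{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             g[0], g[1], g[2], g[3], g[4], g[5], g[6], g[7],
             g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15]);
}

/* Plain hex form along the lines suggested in the thread: the whole serial
 * followed by the cert ID, with no braces or dashes. A 16-byte serial and a
 * 1-byte ID give 34 characters, inside the 39-character budget. */
void plain_container_name(uint8_t cert_id, const uint8_t *serial,
                          size_t serial_len, char *out, size_t out_len)
{
    size_t pos = 0;
    out[0] = '\0';
    for (size_t i = 0; i < serial_len && pos + 3 <= out_len; i++)
        pos += (size_t)snprintf(out + pos, out_len - pos, "%02X", serial[i]);
    if (pos + 3 <= out_len)
        snprintf(out + pos, out_len - pos, "%02X", cert_id);
}

/* 1 if two cards get the same braced GUID name for the same cert ID. */
int guid_names_collide(const uint8_t *a, const uint8_t *b, uint8_t cert_id)
{
    char na[39], nb[39];
    guid_container_name(cert_id, a, 16, na);
    guid_container_name(cert_id, b, 16, nb);
    return strcmp(na, nb) == 0;
}
```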