Le 27/05/2011 20:38, Douglas E. Engert a écrit : > Could be a problem with short serial numbers< 16 bytes. > > Looking at the KO trace, I see > line 157: serial number r=0 len1=8 len2=32 --- 00F159CC:16 > 0000 0C075480 51091619 08090A0B 0C0D0E0F > expanded to 16 bytes (with the additional 08090a0b... from the empty_cardid) > and then converted to printable as 32 bytes. > > See line 1943, as the file_cardid is 16 bytes. > > Line 193: return cardid --- 00F15AB8:26 > 0000 30433037 35343830 35313039 31363139 00000000 00000000 0000 > > It looks like the serial number for the card is 8 bytes > note the last bytes are all 0x00. > > The file_cardid is size 16 bytes, and in the associate_card code > at line 1943 copies in the empty_cardid, with 16 bytes. > > The code at lines 770 says it is returning the cardid, but it is really > returning the serial number! But it is not expanded with the 08090a0b... > from the empty_cardid. > > So we may have a problem with short serial numbers, > or the BaseCSP has a problem with a x00 in the cardid. > and why is the code at 770 not using the file_cardid that is expaned? > > My cards have 16 byte serial numbers so this has not an issue.
Agree, the actual implementation of the 'cardid' content, as it returned when reading 'cardid' file do not correspond to specification (in it's size, at least). If the real 'cardid' content would be returned, there would be no '00' bytes -- short serial is padded with the 'empty-serial' value. I'll do the necessary change. Kind regards, Viktor. > > > On 5/26/2011 1:38 PM, Viktor TARASOV wrote: >> Le 26/05/2011 20:14, Douglas E. Engert a écrit : >>> On 5/26/2011 10:02 AM, HOURY William wrote: >>>> The kb909520 was already installed and i'm not using roaming profile :(.... >>> OK. I installed OpenSC-12.1 on my XP box, made sure the certificate was not >>> registered >>> rebooted, and was able to login using a PIV card to AD. (But I don't think >>> this has anything to do with the different cards.) The cert does show up >>> in the cert store as expected. So I am not seeing your problem. No roaming >>> profiles either. >>> >>>> I have recompiled the minidriver and activated the debugs logs in case it >>>> brings some interesting info. I put them attached. >>>> >>> That should be helpful. As expected the code path is different. >>> In the OK case, these never change, as a single context can be used. >>> pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001 >>> >>> In the KO case, after reading the serial number, >>> at line 137 a CardDeleteContext is done, >>> and the Opens SC context is released. (I assume this means because it did >>> not find the cert in the cert store.) >>> >>> But at line 144, the same process and thread does a CardReadFile >>> and a new OpenSC context has to be done. The cardcf returned is then >>> all zero, indicating we may have missed something here. >>> >>> But it goes on, and does 2 sign operations against the card, then >>> at line 291 CardDeauthenticateuser and appears to be done. >>> >>> With your log file, was it set to be writable by everyone? >>> If not we could be missing some data in the log. >>> >>> Maybe someone else in OpenSC can see something? >> >> I'm also actually looking into this logs and it seems strange the after >> releasing of context it starts to read the cardcf . >> >> In any case the 'zero' cardcf can be disturbing for baseCSP. >> >> Actually the cardcf is emulated by rand() or get_challenge(). >> Probably it would be better to implement the 'hard' cardcf and to read it >> every time from the card. >> The same, probably, for the other minidriver/CSP specific files. >> >> As far as I know the cards of different producers have the minidriver >> dedicated files that are not covered by pkcs#15 descriptors. >> >> We can do it also like this or to implement it like the public 'DATA' >> objects. >> >> >> Kind regards, >> Viktor. >> >> >>>> Thanks for your help. >>>> >>>> William >>>> >>>> -----Message d'origine----- >>>> De : Douglas E. Engert [mailto:deeng...@anl.gov] >>>> Envoyé : jeudi 26 mai 2011 16:34 >>>> À : HOURY William >>>> Cc : opensc-devel@lists.opensc-project.org >>>> Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with >>>> OpenSC 12.1 >>>> >>>> >>>> >>>> On 5/26/2011 3:07 AM, HOURY William wrote: >>>>> Is this a login to AD, or just to the XP machine locally? >>>>> ==> This is a login to AD >>>>> >>>>> It may have to do with the CA certificates. Did you add the CA cert >>>>> to the machine before hand? >>>>> ==> the machine is part of the domain, yes the CA cert is in the IE >>>>> store >>>>> >>>>> You say it is the first login after the card was "personalized". If you >>>>> use a working card on a machine that has never seen that card, does it >>>>> work? i.e. is this a card first time issue or an issue using a working >>>>> card on a new system? >>>>> ==> It is an issue using a working card on a new system >>>>> >>>>> You say you have to reboot. If you don't I assume it does not work >>>>> until you do. >>>>> ==> correct >>>>> >>>>> If you get a failure, but before rebooting, can you login using a password >>>>> and look at the certstore using certutil or Control Panel->Internet >>>>> Options->Content->Certificates >>>>> and see if the cert for the card is listed under personal? >>>>> ==> Yes the cert is there (valid& trusted) >>>>> >>>>> If you were to use the certutil or Control Panel->Internet >>>>> Options->Content->Certificates >>>>> and delete the certificate out of the Personal list (certutil calls >>>>> this"My") >>>>> can you login? What if you do the same, then reboot? >>>>> ==> if I remove the cert& logoff, I still cannot logon >>>>> If I remove the cert& reboot, I can logon >>>> What it sounds like, is the GINA opens the cert store and does not find >>>> the cert. >>>> When the other process reads the cert from the card, it adds the cert to >>>> the store >>>> but the GINA's cache version does not see it. So when the GINA is give >>>> control again >>>> the cert is not there. Only after reboot does the store get back in sync. >>>> >>>> This may or may not fix the problem, but see if it is on your system: >>>> http://support.microsoft.com/kb/909520 >>>> >>>> The user's personal store is in the user's profile, are you using roaming >>>> profiles? >>>> >>>> See these, as there are some issues. >>>> http://technet.microsoft.com/en-us/library/cc700806.aspx >>>> http://technet.microsoft.com/en-us/library/cc700823.aspx >>>> http://technet.microsoft.com/en-us/library/cc700848.aspx >>>> >>>> I don't have a good XP test system, it has too many other smart card >>>> software installed. >>>> >>>>> Is this only an XP problem? Do you have Vista or W7 to try this on? >>>>> ==> I don't have the issue with a 2008 Server; I don't have a vista >>>>> or W7 >>>>> >>>>> Thanks >>>>> >>>>> William >>>>> >>>>> -----Message d'origine----- >>>>> De : opensc-devel-boun...@lists.opensc-project.org >>>>> [mailto:opensc-devel-boun...@lists.opensc-project.org] De la part de >>>>> Douglas E. Engert >>>>> Envoyé : mercredi 25 mai 2011 18:00 >>>>> À : opensc-devel@lists.opensc-project.org >>>>> Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with >>>>> OpenSC 12.1 >>>>> >>>>> >>>>> >>>>> On 5/25/2011 4:30 AM, HOURY William wrote: >>>>>> Hi all, >>>>>> >>>>>> I'm experiencing a strange issue when trying to perform a smartcard >>>>>> logon for the 1st time (just after the card perso) on a XP SP3 with >>>>>> OpenSC 12.1 and an Athena ASEPCOS Smartcard logon card. >>>>>> >>>>>> Scenario: >>>>>> - The card is personalized on another PC >>>>>> - The XP SP3 PC is started and is at the Gina level, OpenSC 12.1 is well >>>>>> installed and the minidriver well configured >>>>>> - When trying to logon with the just personalized card, I always get a >>>>>> "signature not valid" error in the event log >>>>>> - If I reboot the PC, I can perform my smartcard logon without any >>>>>> issue, and it will never fail again. >>>>> Is this a login to AD, or just to the XP machine locally? >>>>> >>>>> I suspect that it has something to do with the cert store, the first time >>>>> a card is used on a particular machine. >>>>> >>>>> It may have to do with the CA certificates. Did you add the CA cert >>>>> to the machine before hand? >>>>> >>>>> You say it is the first login after the card was "personalized". If you >>>>> use a working card on a machine that has never seen that card, >>>>> does it work? i.e. is this a card first time issue or an issue using >>>>> a working card on a new system? >>>>> >>>>> You say you have to reboot. If you don't I assume it does not work >>>>> until you do. >>>>> >>>>> If you get a failure, but before rebooting, can you login using a password >>>>> and look at the certstore using certutil or Control Panel->Internet >>>>> Options->Content->Certificates >>>>> and see if the cert for the card is listed under personal? >>>>> If not, then reboot, login with password and look again? >>>>> >>>>> If you were to use the certutil or Control Panel->Internet >>>>> Options->Content->Certificates >>>>> and delete the certificate out of the Personal list (certutil calls >>>>> this"My") >>>>> can you login? What if you do the same, then reboot? >>>>> >>>>> Is this only an XP problem? Do you have Vista or W7 to try this on? >>>>> >>>>>> I put attached 2 logs: one (opensc-debug-XPSP3-logonKO.log) when the >>>>>> smartcard logon is failing just after the card perso; and another one >>>>>> (opensc-debug-XPSP3-logonOK.log) when the smartcard logon works well >>>>>> just after the reboot of the PC. >>>>>> >>>>>> I can provide more info if needed. >>>>>> >>>>>> Thanks for your help, >>>>>> >>>>>> William >>>>>> ________________________________ >>>>>> >>>>>> >>>>>> Ce message et les pièces jointes sont confidentiels et réservés à >>>>>> l'usage exclusif de ses destinataires. Il peut également être protégé >>>>>> par le secret professionnel. Si vous recevez ce message par erreur, >>>>>> merci d'en avertir immédiatement l'expéditeur et de le détruire. >>>>>> L'intégrité du message ne pouvant être assurée sur Internet, la >>>>>> responsabilité du groupe Atos Origin ne pourra être recherchée quant au >>>>>> contenu de ce message. Bien que les meilleurs efforts soient faits pour >>>>>> maintenir cette transmission exempte de tout virus, l'expéditeur ne >>>>>> donne aucune garantie à cet égard et sa responsabilité ne saurait être >>>>>> recherchée pour tout dommage résultant d'un virus transmis. >>>>>> >>>>>> This e-mail and the documents attached are confidential and intended >>>>>> solely for the addressee; it may also be privileged. If you receive this >>>>>> e-mail in error, please notify the sender immediately and destroy it. As >>>>>> its integrity cannot be secured on the Internet, the Atos Origin group >>>>>> liability cannot be triggered for the message content. Although the >>>>>> sender endeavours to maintain a computer virus-free network, the sender >>>>>> does not warrant that this transmission is virus-free and will not be >>>>>> liable for any damages resulting from any virus transmitted. >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> opensc-devel mailing list >>>>>> opensc-devel@lists.opensc-project.org >>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel >> _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
