On 5/31/2011 3:22 AM, HOURY William wrote: > Hi Viktor, > > I just have tested with a Gemalto .NET card and the same certificate/keys and > I don't have the issue... > > I have also noticed a strange thing yesterday. > > I was using an Athena card with a Certificate "A" in my XP PC. The > certificate "A" was well propagated into the IE store. > > Then I put this card on another PC, I erase it and repersonalize it > completely with a certificate "B". > > I put this card back into my XP PC, and only the certificate "A" is in the IE > store. I delete all the certificates from my store, remove the card and > reinsert it, and again the certificate "A" is propagated ... > > I have of course checked that the certificate "B" (and only this one) was on > the card. > > I had to reboot to make it work correctly... > > Hope this helps to understand the issue
You may be seeing issues with the XP smart card support. XP tries to keep track of a card container, and best I can tell, it is based in serial number of the card. The login process will also keep a "context" open and it might be the same "context" is still valid for the second login. The "context" may be just internal, but could also include an OpenSC context which may be where the old certificate is cached. It would take a lot of debugging to track this down. With the low level debug in the minidriver, it shows P:nnn T:nnn for process and thread and the hScard=0xEA010001, hSCardCtx=0xCD010002. If they are the same for both login sessions, this might be what you are seeing. (The check_reader_status is testing if the hScard and hSCardCtx have changed, or the card status indicates the card has been removed and reinserted. to avoid situations like this.) Since you are using the same card, i.e. serial number has not changed, XP may be assuming it does not have to read the certificates from the card as it already has it. A USB trace could also help to see when the certificate is read off the card. The next question is how often will this situation arise, of a card having been used successfully, the machine not rebooted, and no other card used with the same reader, but the original card with a new certificate being used again? I bet unplugging the reader then reinserting it would have done the same as a reboot. This should have caused login to drop the "context". The ,hScard=0xEA010001, hSCardCtx=0xCD010002 As I said debugging this is time consumming and difficult. > > Thks > > William > > -----Message d'origine----- > De : Viktor Tarasov [mailto:viktor.tara...@gmail.com] > Envoyé : lundi 30 mai 2011 10:51 > À : HOURY William > Cc : 'Viktor Tarasov'; opensc-devel@lists.opensc-project.org > Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC > 12.1 > > Le 30/05/2011 10:20, HOURY William a écrit : >> Hi Viktor, >> >> It's not working either... >> >> I put the cardmod logs attached. It's very small ... > > > Have you possibility to test the same scenario with the minidriver of another > producer ? > > >> Thanks >> Will > > Kind regards, > Viktor. > > >> -----Message d'origine----- >> De : Viktor Tarasov [mailto:viktor.tara...@gmail.com] >> Envoyé : dimanche 29 mai 2011 17:50 >> À : Viktor TARASOV >> Cc : opensc-devel@lists.opensc-project.org; HOURY William >> Objet : Re: [opensc-devel] First Smartcard logon issue on XP SP3 with OpenSC >> 12.1 >> >> Hello William, >> >> Le 26/05/2011 20:38, Viktor TARASOV a écrit : >>> I'm also actually looking into this logs and it seems strange the after >>> releasing of context it starts to read the cardcf . >>> In any case the 'zero' cardcf can be disturbing for baseCSP. >> Another 'feature' is when the 'HANDLES CHANGED' event happens, the >> disassociate/associate card procedures pair called, >> and 'cardcf' content is cleaned but not re-initialized. That's where from >> there is 'zero' content. >> >> Could you please try the following test patch . >> With this patch the cardcf content is deduced from the 'last_update' >> attribute of the token info data, >> and not from the minidriver internal data. So that we'll avoid a 'zero' >> content of cardcf. >> >> Also the initialization of 'cardcf' content is moved from >> CardAcquireContext() to the associate_card() procedure . >> >> Kind regards, >> Viktor. >> >> ________________________________ >> >> >> Ce message et les pièces jointes sont confidentiels et réservés à l'usage >> exclusif de ses destinataires. Il peut également être protégé par le secret >> professionnel. Si vous recevez ce message par erreur, merci d'en avertir >> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne >> pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin >> ne pourra être recherchée quant au contenu de ce message. Bien que les >> meilleurs efforts soient faits pour maintenir cette transmission exempte de >> tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa >> responsabilité ne saurait être recherchée pour tout dommage résultant d'un >> virus transmis. >> >> This e-mail and the documents attached are confidential and intended solely >> for the addressee; it may also be privileged. If you receive this e-mail in >> error, please notify the sender immediately and destroy it. As its integrity >> cannot be secured on the Internet, the Atos Origin group liability cannot be >> triggered for the message content. Although the sender endeavours to >> maintain a computer virus-free network, the sender does not warrant that >> this transmission is virus-free and will not be liable for any damages >> resulting from any virus transmitted. > > > > _______________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
