|
Thread: cmssigner issues
|
|
| cmssigner issues |

|
2007-05-24 14:13:34 |
Hi!
Just to track the issues I find...
1. I have two certificates on token with the same name and I get both
as DN and not friendly name.
My third email certificate does get friendly name.
../../bin/qcatool keystore list 51b1
Key 6a3d [Alon Bar-Lev <alon xor-t.com>]
Key 79ab [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
Key 464b [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
2. The notice that the DN is still incorrect... :(
3. Select identity should not show the system trust store...
4. PIN prompt does not show the token/store name and the requested key name.
5. There is no token prompt.
6. I expect that when there will be a token prompt we will be able to
test the slot event detection...
7. Ability to load CA certificates.
Alon.
_______________________________________________
delta mailing list
delta lists.affinix.com
http://lists.affinix.com/listinfo.cgi/delta-affinix.com
|
|
| Re: cmssigner issues |
2007-05-24 14:55:20 |
On Thursday 24 May 2007 12:13 pm, Alon Bar-Lev wrote:
> 1. I have two certificates on token with the same name and I get both
> as DN and not friendly name.
> My third email certificate does get friendly name.
>
> ../../bin/qcatool keystore list 51b1
> Key 6a3d [Alon Bar-Lev <alon xor-t.com>]
> Key 79ab [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
> Key 464b [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
Hmm, what are the differences between those last 2 certs?
> 2. The notice that the DN is still incorrect... :(
How so?
> 6. I expect that when there will be a token prompt we will be able to
> test the slot event detection...
Btw, qcatool should auto-detect inserts during the token prompt. Can you try
it?
-Justin
|
|
| Re: cmssigner issues |

|
2007-05-24 15:16:43 |
On 5/24/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> On Thursday 24 May 2007 12:13 pm, Alon Bar-Lev wrote:
> > 1. I have two certificates on token with the same name and I get both
> > as DN and not friendly name.
> > My third email certificate does get friendly name.
> >
> > ../../bin/qcatool keystore list 51b1
> > Key 6a3d [Alon Bar-Lev <alon xor-t.com>]
> > Key 79ab [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
> > Key 464b [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
>
> Hmm, what are the differences between those last 2 certs?
Yes.
The EKU...
>
> > 2. The notice that the DN is still incorrect... :(
>
> How so?
[CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
should be:
[CN=Alon Bar-Lev, OU=Users, O=Xor Technologies, C=IL]
> > 6. I expect that when there will be a token prompt we will be able to
> > test the slot event detection...
>
> Btw, qcatool should auto-detect inserts during the token prompt. Can you try
> it?
Oh... Didn't try this for a long time.
I get no prompt and 100% CPU.
When I insert my token it does detect it...
Does it work for you correctly?
Alon.
|
|
| Re: cmssigner issues |
2007-05-24 15:54:51 |
On Thursday 24 May 2007 1:16 pm, Alon Bar-Lev wrote:
> On 5/24/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > On Thursday 24 May 2007 12:13 pm, Alon Bar-Lev wrote:
> > > 1. I have two certificates on token with the same name and I get both
> > > as DN and not friendly name.
> > > My third email certificate does get friendly name.
> > >
> > > ../../bin/qcatool keystore list 51b1
> > > Key 6a3d [Alon Bar-Lev <alon xor-t.com>]
> > > Key 79ab [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
> > > Key 464b [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
> >
> > Hmm, what are the differences between those last 2 certs?
>
> Yes.
> The EKU...
Which usages? Not all key usage types are diff'd. Have a look at the
makeUniqueName function in src/qca_cert.cpp
> > > 2. The notice that the DN is still incorrect... :(
> >
> > How so?
>
> [CN=Alon Bar-Lev, C=IL, O=Xor Technologies, OU=Users]
> should be:
> [CN=Alon Bar-Lev, OU=Users, O=Xor Technologies, C=IL]
Ah, I figured. Yes qca-openssl still doesn't do the ordering properly.
> > Btw, qcatool should auto-detect inserts during the token prompt. Can you
> > try it?
>
> Oh... Didn't try this for a long time.
> I get no prompt and 100% CPU.
> When I insert my token it does detect it...
What procedure with qcatool did you use here?
And are you saying that you get no prompt at all, but when you stick in the
token then the operation continues forward and completes successfully? Does
it at least output saying that the token was detected?
> Does it work for you correctly?
I've not tested it, since I can't get opensc working on my development Linux
machine. I plan to test it on Windows the next time I do a build over there.
-Justin
|
|
| Re: cmssigner issues |

|
2007-05-24 16:05:35 |
On 5/24/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> Which usages? Not all key usage types are diff'd. Have a look at the
> makeUniqueName function in src/qca_cert.cpp
The same problem with X.500 name you have here.
You take oid and put it in enumeration...
I have application specific EKU, and I guess it is not detected by
enumeration...
I guess the simplest solution here is if you end up with two identical
strings, just add the certificate sha1 as hex string to the name.
> > > Btw, qcatool should auto-detect inserts during the token prompt. Can you
> > > try it?
> >
> > Oh... Didn't try this for a long time.
> > I get no prompt and 100% CPU.
> > When I insert my token it does detect it...
>
> What procedure with qcatool did you use here?
>
> And are you saying that you get no prompt at all, but when you stick in the
> token then the operation continues forward and completes successfully? Does
> it at least output saying that the token was detected?
I insert my token and qca message sign smime.
I remove the token.
Press <Ctrl>D
I expect a message "Please insert XXXX"
But I get 100% CPU usage no prompt no status.
I insert the token.
I get prompt for PIN (expected)
and all continue OK.
Alon.
|
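The DN ordering from item 2 and the fingerprint suffix proposed in the message above, as an added example that is not from the thread or from QCA. It assumes the subject is encoded in the certificate as C, O, OU, CN and that a SHA-1 fingerprint is already available; `Cert`, `dnString`, `uniqueNames` and the sample fingerprints are hypothetical and constructed.

```cpp
// Added example (not QCA code); all type and function names are hypothetical.
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Rdn = std::pair<std::string, std::string>;  // {attribute type, value}

struct Cert {
    std::vector<Rdn> subject;   // RDNs in the order they are encoded in the certificate
    std::string friendlyName;   // empty when the certificate has none
    std::string sha1Hex;        // fingerprint, assumed to be computed elsewhere
};

// Backslash-escape the characters RFC 4514 treats as special in a value.
std::string escapeValue(const std::string &v) {
    const std::string special = "\"+,;<>\\";
    std::string out;
    for (std::size_t i = 0; i < v.size(); ++i) {
        const char c = v[i];
        const bool edge = (i == 0 && (c == ' ' || c == '#')) ||
                          (i + 1 == v.size() && c == ' ');
        if (edge || special.find(c) != std::string::npos)
            out += '\\';
        out += c;
    }
    return out;
}

// DN string in RFC 4514 order (last encoded RDN first); ", " matches the qcatool listing.
std::string dnString(const std::vector<Rdn> &subject) {
    std::string out;
    for (auto it = subject.rbegin(); it != subject.rend(); ++it) {
        if (!out.empty())
            out += ", ";
        out += it->first + "=" + escapeValue(it->second);
    }
    return out;
}

// Display names for a key list; names that collide get the fingerprint appended.
std::vector<std::string> uniqueNames(const std::vector<Cert> &certs) {
    std::vector<std::string> names;
    std::map<std::string, int> seen;
    for (const Cert &c : certs) {
        names.push_back(c.friendlyName.empty() ? dnString(c.subject) : c.friendlyName);
        ++seen[names.back()];
    }
    for (std::size_t i = 0; i < certs.size(); ++i)
        if (seen[names[i]] > 1)
            names[i] += " [sha1 " + certs[i].sha1Hex + "]";
    return names;
}

// Constructed sample: same subject on two certificates, fingerprints are made up.
std::vector<Cert> sampleCerts() {
    const std::vector<Rdn> subj = {
        {"C", "IL"}, {"O", "Xor Technologies"}, {"OU", "Users"}, {"CN", "Alon Bar-Lev"}};
    return {{subj, "Alon Bar-Lev (email)", std::string(40, 'a')},
            {subj, "", std::string(40, 'b')},
            {subj, "", std::string(40, 'c')}};
}

int main() {
    for (const std::string &n : uniqueNames(sampleCerts()))
        std::cout << n << '\n';
    return 0;
}
```

Only colliding names get the suffix, so a certificate with a distinct friendly name keeps its short label in the identity list.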
|
| Re: cmssigner issues |

|
2007-05-24 16:10:25 |
On 5/25/07, Alon Bar-Lev <alon.barlev gmail.com> wrote:
> But I get 100% CPU usage no prompt no status.
asker.waitForResponse ()
returns immediately with asker.accepted() true.
Alon.
|
|
| Re: cmssigner issues |
2007-05-24 16:18:28 |
On Thursday 24 May 2007 2:10 pm, Alon Bar-Lev wrote:
> On 5/25/07, Alon Bar-Lev <alon.barlev gmail.com> wrote:
> > But I get 100% CPU usage no prompt no status.
>
> asker.waitForResponse ()
> returns immediately with asker.accepted() true.
The new code for keystore doesn't handle remove events properly yet. So I
think what is happening is qcatool thinks the token is still inserted, and so
it auto-accepts endlessly.
Try: qcatool keystore exportref > foo.ref
Then remove the token and do: qcatool message sign smime foo.ref
This I hope will work.
-Justin
|
|
| Re: cmssigner issues |

|
2007-05-24 16:19:54 |
On 5/25/07, Alon Bar-Lev <alon.barlev gmail.com> wrote:
> On 5/25/07, Alon Bar-Lev <alon.barlev gmail.com> wrote:
> > But I get 100% CPU usage no prompt no status.
>
> asker.waitForResponse ()
> returns immediately with asker.accepted() true.
I see you added monitor command, but it is not getting ks_updated()
or ks_unavailable() when I insert/remove the token.
Although I see I call:
pkcs11KeyStoreListContext::doUpdated()
which is basically emit updated ()
Alon.
|
|
| Re: cmssigner issues |

|
2007-05-24 16:22:45 |
On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> Try: qcatool keystore exportref > foo.ref
> Then remove the token and do: qcatool message sign smime foo.ref
>
> This I hope will work.
I do get prompted for token now... But I must press <Enter> to
continue, it does not detect the token automatically.
Alon.
|
|
| Re: cmssigner issues |
2007-05-24 16:30:46 |
On Thursday 24 May 2007 2:22 pm, Alon Bar-Lev wrote:
> On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > Try: qcatool keystore exportref > foo.ref
> > Then remove the token and do: qcatool message sign smime foo.ref
> >
> > This I hope will work.
>
> I do get prompted for token now... But I must press <Enter> to
> continue, it does not detect the token automatically.
If you start the monitor mode without the token inserted, and then insert the
token, is it detected? If so, then the token prompt should also work...
See if PassphrasePrompt::ks_available() is getting called.
-Justin
|
|
| Re: cmssigner issues |

|
2007-06-16 13:38:37 |
Have you got some time to test this?
It still does not work...
PassphrasePrompt::ks_available() is called twice on initialization.
But not after I press <Ctrl>D in sign without token.
It takes 100% cpu (poll).
Alon.
On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> On Thursday 24 May 2007 2:22 pm, Alon Bar-Lev wrote:
> > On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > > Try: qcatool keystore exportref > foo.ref
> > > Then remove the token and do: qcatool message sign smime foo.ref
> > >
> > > This I hope will work.
> >
> > I do get prompted for token now... But I must press <Enter> to
> > continue, it does not detect the token automatically.
>
> If you start the monitor mode without the token inserted, and then insert the
> token, is it detected? If so, then the token prompt should also work...
>
> See if PassphrasePrompt::ks_available() is getting called.
>
> -Justin
|
|
| Re: cmssigner issues |
2007-06-18 21:53:41 |
On Saturday 16 June 2007 11:38 am, Alon Bar-Lev wrote:
> Have you got some time to test this?
> It still does not work...
>
> PassphrasePrompt::ks_available() is called twice on initialization.
> But not after I press <Ctrl>D in sign without token. It takes 100% cpu
> (poll).
Okay I just submitted the finished keystore backend. It is completely
untested. I really wish my smart cards worked in Linux. :( Next time I have
my Windows station working, I'll test..
The problem with the earlier unfinished code is that removals were not
detected. Try the monitor mode, hopefully removals will show. Your
remove -> ctrl-D trick should also work then, I hope. I added some logger
lines to the keystore backend also, which might help.
-Justin
> On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > On Thursday 24 May 2007 2:22 pm, Alon Bar-Lev wrote:
> > > On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > > > Try: qcatool keystore exportref > foo.ref
> > > > Then remove the token and do: qcatool message sign smime foo.ref
> > > >
> > > > This I hope will work.
> > >
> > > I do get prompted for token now... But I must press <Enter> to
> > > continue, it does not detect the token automatically.
> >
> > If you start the monitor mode without the token inserted, and then insert
> > the token, is it detected? If so, then the token prompt should also
> > work...
> >
> > See if PassphrasePrompt::ks_available() is getting called.
> >
> > -Justin
|
|
| Re: cmssigner issues |

|
2007-06-19 00:03:10 |
Same state.
When I press <Ctrl>D I get infinite loop.
It seems like nothing is blocked during the TokenAsker, it just
returns instead of waiting for an event.
I do not see any of your debugging messages after <Ctrl>D.
Alon.
On 6/19/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> On Saturday 16 June 2007 11:38 am, Alon Bar-Lev wrote:
> > Have you got some time to test this?
> > It still does not work...
> >
> > PassphrasePrompt::ks_available() is called twice on initialization.
> > But not after I press <Ctrl>D in sign without token. It takes 100% cpu
> > (poll).
>
> Okay I just submitted the finished keystore backend. It is completely
> untested. I really wish my smart cards worked in Linux. :( Next time I have
> my Windows station working, I'll test..
>
> The problem with the earlier unfinished code is that removals were not
> detected. Try the monitor mode, hopefully removals will show. Your
> remove -> ctrl-D trick should also work then, I hope. I added some logger
> lines to the keystore backend also, which might help.
>
> -Justin
>
> > On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > > On Thursday 24 May 2007 2:22 pm, Alon Bar-Lev wrote:
> > > > On 5/25/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> > > > > Try: qcatool keystore exportref > foo.ref
> > > > > Then remove the token and do: qcatool message sign smime foo.ref
> > > > >
> > > > > This I hope will work.
> > > >
> > > > I do get prompted for token now... But I must press <Enter> to
> > > > continue, it does not detect the token automatically.
> > >
> > > If you start the monitor mode without the token inserted, and then insert
> > > the token, is it detected? If so, then the token prompt should also
> > > work...
> > >
> > > See if PassphrasePrompt::ks_available() is getting called.
> > >
> > > -Justin
|
|
| Re: cmssigner issues |
2007-06-19 16:47:39 |
On Monday 18 June 2007 10:03 pm, Alon Bar-Lev wrote:
> Same state.
> When I press <Ctrl>D I get infinite loop.
> It seems like nothing is blocked during the TokenAsker, it just
> returns instead of waiting for an event.
> I do not see any of your debugging messages after <Ctrl>D.
Okay it looks like updates/removals were still not being notified. It was a
simple goof, and should be fixed now. (without removal notification, qcatool
thinks the card is still inserted and keeps trying to auto-accept the token
prompt).
I tested it using the new qca-test provider, which performs a series of "fake"
keystore events. The monitor mode finally looks correct, and I can also do a
bogus s/mime sign. I've still not tested with a real card yet though.
-Justin
|
|
| Re: cmssigner issues |

|
2007-06-20 00:32:04 |
Does not work...
Found the problem! With help from your messages...
You call entryList without calling keyStores...
So you get the contents of the previous entry.
Currently entryList is implemented in a way that it does not access
the token, you can call entryList as many times you need and it will
work without any prompts and such.
When we implemented, I thought this was the right sequence.
Please advise.
Alon.
On 6/20/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> On Monday 18 June 2007 10:03 pm, Alon Bar-Lev wrote:
> > Same state.
> > When I press <Ctrl>D I get infinite loop.
> > It seems like nothing is blocked during the TokenAsker, it just
> > returns instead of waiting for an event.
> > I do not see any of your debugging messages after <Ctrl>D.
>
> Okay it looks like updates/removals were still not being notified. It was a
> simple goof, and should be fixed now. (without removal notification, qcatool
> thinks the card is still inserted and keeps trying to auto-accept the token
> prompt).
>
> I tested it using the new qca-test provider, which performs a series of "fake"
> keystore events. The monitor mode finally looks correct, and I can also do a
> bogus s/mime sign. I've still not tested with a real card yet though.
>
> -Justin
|
|
| Re: cmssigner issues |
2007-06-20 01:17:57 |
On Tuesday 19 June 2007 10:32 pm, Alon Bar-Lev wrote:
> Does not work...
> Found the problem! With help from your messages...
>
> You call entryList without calling keyStores...
> So you get the contents of the previous entry.
>
> Currently entryList is implemented in a way that it does not access
> the token, you can call entryList as many times you need and it will
> work without any prompts and such.
>
> When we implemented, I thought this was the right sequence.
>
> Please advise.
keyStores() is called at the start, and then whenever updated() is emitted.
If the provider doesn't emit updated(), then QCA has no reason to believe
that any keystores have been added or removed.
When is entryList being called such that it gives the wrong answer? Is it
after you've removed the token, or you've inserted a different one?
-Justin
|
|
| Re: cmssigner issues |

|
2007-06-21 00:57:05 |
OK.
It is working now!
For some strange reason I return cached tokens, so you would have
gotten also the unavailable ones. I remember some discussion regarding
this.... But at least this is working now.
BTW: You should allow the user to cancel prompt... Press escape or
something if he does not wish to proceed.
Thanks!
Alon.
On 6/20/07, Justin Karneges <justin-psi2 affinix.com> wrote:
> On Tuesday 19 June 2007 10:32 pm, Alon Bar-Lev wrote:
> > Does not work...
> > Found the problem! With help from your messages...
> >
> > You call entryList without calling keyStores...
> > So you get the contents of the previous entry.
> >
> > Currently entryList is implemented in a way that it does not access
> > the token, you can call entryList as many times you need and it will
> > work without any prompts and such.
> >
> > When we implemented, I thought this was the right sequence.
> >
> > Please advise.
>
> keyStores() is called at the start, and then whenever updated() is emitted.
> If the provider doesn't emit updated(), then QCA has no reason to believe
> that any keystores have been added or removed.
>
> When is entryList being called such that it gives the wrong answer? Is it
> after you've removed the token, or you've inserted a different one?
>
> -Justin
|
|
| Re: cmssigner issues |

|
2007-06-30 04:51:22 |
Checked again cmssigner, it seems to be working great! Including waiting for a token.
When I exit and return to the application I get a list of keys I
selected in previous instance, but when I try to sign it segfaults:
#0 0xb7eb1655 in QCA::KeyStoreEntry::keyBundle () from
/home/alonbl/my/Development/kde/qca/lib/libqca.so.2
#1 0x0806d392 in MainWin::do_sign ()
#2 0x08066b20 in MainWin::qt_metacall ()
#3 0xb74663e5 in QMetaObject::activate (sender=0x810e3d0,
from_signal_index=29, to_signal_index=30,
argv=<value optimized out>) at kernel/qobject.cpp:2940
#4 0xb7466673 in QMetaObject::activate (sender=0x810e3d0,
m=0xb7e0b3c4, from_local_signal_index=2,
to_local_signal_index=3, argv=0xbfd05e1c) at kernel/qobject.cpp:2992
#5 0xb7cb5333 in QAbstractButton::clicked (this=0x810e3d0, _t1=false)
at .moc/release-shared/moc_qabstractbutton.cpp:180
|
|
| Re: cmssigner issues |
2007-07-05 19:45:21 |
Thanks for the report. cmssigner also sometimes crashes for me during sign,
although I think it is for a different reason. I'll try to do some cleanup
on it after beta7.
-Justin
On Saturday 30 June 2007 2:51 am, Alon Bar-Lev wrote:
> Checked again cmssigner, it seems to be working great! Including waiting for a
> token.
>
> When I exit and return to the application I get a list of keys I
> selected in previous instance, but when I try to sign it segfaults:
>
> #0 0xb7eb1655 in QCA::KeyStoreEntry::keyBundle () from
> /home/alonbl/my/Development/kde/qca/lib/libqca.so.2
> #1 0x0806d392 in MainWin::do_sign ()
> #2 0x08066b20 in MainWin::qt_metacall ()
> #3 0xb74663e5 in QMetaObject::activate (sender=0x810e3d0,
> from_signal_index=29, to_signal_index=30,
> argv=<value optimized out>) at kernel/qobject.cpp:2940
> #4 0xb7466673 in QMetaObject::activate (sender=0x810e3d0,
> m=0xb7e0b3c4, from_local_signal_index=2,
> to_local_signal_index=3, argv=0xbfd05e1c) at kernel/qobject.cpp:2992
> #5 0xb7cb5333 in QAbstractButton::clicked (this=0x810e3d0, _t1=false)
> at .moc/release-shared/moc_qabstractbutton.cpp:180
|
|
|
|