
Thread: Re: Issue in Certificate logon in XP




Re: Issue in Certificate logon in XP
2007-07-17 09:04:25

kamal krishna wrote:
> Hi,
> I slightly differ from Douglas' assessments. C_Finalize
> is not called by winlogon process. It is called by
> IDAlly.exe when we login. 

So are you saying that there are two processes calling
opensc_pkcs11.dll, the winlogon (via the IdAlly CSP)
and IdAlly.exe?

Is this some issue with DLLs vs Unix shared libs, and
the use of things like:
   extern struct sc_context *context;
in src/pkcs11/sc_pkcs11.h

> I think we have to follow
> the number specified in the log entry of
> pkcs11-spy.dll.
>
> If you compare the C_OpenSession log of the Winlogon
> process occurring after C_Finalize called by IDAlly.exe
> and compare it with the corresponding log entry in the
> opensc-debug.log file, you can find that for this
> C_OpenSession function, it is not creating new pc/sc
> session as expected. But using old PC/SC session.
>
> opensc-pkcs#11 does not close all the pc/sc session,
> because not all the session opened by CSP are closed.
> From the pkcs11-spy log, it is not closing session 1, 2.
>
> Can you please verify the log again and give your
> opinion.
>
> Regards,
> Kamal.
>
> --- "Douglas E. Engert" <deengertanl.gov> wrote:
>
>> Corcoran David wrote:
>>> Hi,
>>>
>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>
>> Yes, looks like the CSP calls C_Finalize after the card is removed.
>> then when a card is inserted, it does not call C_Initialize
>> but calls C_OpenSession. I suspect the problem is in that handles
>> the call when a card is removed, not setting some state variable to
>> indicate that C_Initialize needs to be called again.
>>
>>> We are in the process of making updates so it might be a good time
>>> for us to address this (if it is not already)
>>
>> Yes, good time.   If you have any thing to test, let me know.
>>
>>> You should be able to work around this in a shim pkcs#11 module like
>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>> was already closed down and calling C_Initialize again before passing
>>> C_OpenSession through.
>>
>> I am trying to avoid having to write any additional shims or hacks,
>> especially if you are looking at the code.
>>
>> The current work around is for the user to try again, but this may only work
>> if it is the same card. (I have not tried using a card for a different user.)
>>
>> We are still doing pilots, and PIV cards will not be generally available
>> until at least October. I hope by then hopefully you have a new version of IdAlly.
>>
>>> Thanks,
>>> Dave
>>>
>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>> More info on this. I think it is an ID Ally bug.
>>>>
>>>> Looking at spy and opensc debug logs, It looks like
>>>> the CSP is called when a card is removed sounds reasonable.
>>>> The Id Ally does  C_Initialize, C_GetSlotList,
>>>> a loop over the 8 slots for C_GetSlotInfo
>>>> then a C_Finalize.
>>>>
>>>> I then logged off and tried to login again.
>>>>
>>>> Rather than another C_Initialize as would be expected
>>>> since C_Finalize was called last,  Id Ally does a C_OpenSession.
>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>> "C_Finalize is called to indicate that an application is finished
>>>> with the Cryptoki library."
>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>
>>>> IdAlly tries some other things, and gets back in sync so the next
>>>> login works.
>>>>
>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>> is called and C_Initialize has not been called. But it is not clear if
>>>> Id Ally could get back in sync!
>>>>
>>>>
>>>> kamal krishna wrote:
>>>>> Hi,
>>>>> Today I tried certificate logon in XP with PIV card.
>>>>> As I told you before, first certificate logon after
>>>>> reboot succeeded. But the second logon failed.
>>>>> I have attached the opensc log files with this. This
>>>>> log file contain entries for first successful logon
>>>>> and second failed logon.
>>>>> Please give your opinion.
>>>>> Regards,
>>>>> Kamal.
>>>>> --- "Douglas E. Engert" <deengertanl.gov> wrote:
>>>>>> kamal krishna wrote:
>>>>>>> Hi all,
>>>>>>> I tried certificate logon with "Identity Alliance CSP"
>>>>>>> and opensc-pkcs11 module in XP machine. The
>>>>>>> certificate logon works fine for the first time. But
>>>>>>> if we logoff and again tries to do certificate logon,
>>>>>>> the logon fails second time.
>>>>>>>
>>>>>>> I want to confirm whether it is a issue.
>>>>>> Works OK for me.
>>>>>>
>>>>>>> I analysed the opensc log files. I think following is
>>>>>>> the reason for the error. In XP, opensc-pkcs11 module
>>>>>>> maintains the pc/sc smartcard connection during the
>>>>>>> first certificate logon. And it uses the same pc/sc
>>>>>>> connection for the second certificate logon also. But
>>>>>>> since we removed and inserted the card in the middle
>>>>>>> for getting PIN prompt in winlogon, we are getting the
>>>>>>> error.
>>>>>> Sounds like the card failed to do an unlock() at some time
>>>>>> and so the pcsc connection might still be active.
>>>>>> What type/version of IdAlly, OpenSC, card and reader are
>>>>>> you using?
>>>>>>
>>>>>> I am using IdAlly-1.0,  SCB-0.8 (
>>>>>> PIV card and pcmcia GemPC card.
>>>>>>
>>>>>> Note scb-0.8 is based on OpenSC-0.11.2 but the
>>>>>> version numbers in the opensc-pkcs11.dll says
>>>>>> 0.11.1.
>>>>>>
>>>>>>> Can any one please tell me whether it is a issue and
>>>>>>> Is there any way to solve this.
>>>>>>> Regards,
>>>>>>> Kamal.

-- 

  Douglas E. Engert  <DEEngertanl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devellists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
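
The call sequence discussed in this message (C_Initialize, C_Finalize, then C_OpenSession with no second C_Initialize), replayed against a mock module as an added example; this is not OpenSC, pkcs11-spy or IdAlly code. The mod_* and shim_* functions and their simplified signatures are assumptions for illustration; only the CKR_* return codes are the values PKCS#11 defines. It shows both options raised in the thread: the module rejecting the call, and a shim that re-initializes before passing the call through.

```c
/* Added example: a mock Cryptoki module, not OpenSC or IdAlly code. */
#include <stdio.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
/* Return codes with the values PKCS#11 assigns them */
#define CKR_OK                           0x00000000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x00000190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL
/* Hypothetical stand-in for the module's per-process state */
static int mod_initialized = 0;
static int mod_init_calls = 0;
static CK_SESSION_HANDLE next_handle = 1;

static CK_RV mod_Initialize(void) {
    if (mod_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    mod_initialized = 1; mod_init_calls++; next_handle = 1;
    return CKR_OK;
}
static CK_RV mod_Finalize(void) {
    if (!mod_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    mod_initialized = 0;   /* a real module would also drop sessions here */
    return CKR_OK;
}
/* Strict module: no session unless C_Initialize has been called */
static CK_RV mod_OpenSession(CK_SESSION_HANDLE *ph) {
    if (!mod_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *ph = next_handle++;
    return CKR_OK;
}
/* Shim: on "not initialized", call Initialize again, then pass through */
static CK_RV shim_OpenSession(CK_SESSION_HANDLE *ph) {
    CK_RV rv = mod_OpenSession(ph);
    if (rv != CKR_CRYPTOKI_NOT_INITIALIZED) return rv;
    rv = mod_Initialize();
    return rv == CKR_OK ? mod_OpenSession(ph) : rv;
}
/* Replays Initialize, Finalize, OpenSession; returns OpenSession's result */
CK_RV replay(int use_shim, CK_SESSION_HANDLE *ph) {
    mod_initialized = 0; mod_init_calls = 0;
    mod_Initialize();
    mod_Finalize();
    return use_shim ? shim_OpenSession(ph) : mod_OpenSession(ph);
}
int main(void) {
    CK_SESSION_HANDLE h = 0;
    CK_RV direct = replay(0, &h), shim = replay(1, &h);
    printf("direct: 0x%lx shim: 0x%lx init calls: %d\n",
           direct, shim, mod_init_calls);
    return 0;
}
```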

Re: Issue in Certificate logon in XP
2007-07-18 11:15:14
Hi,
Yes, two processes are calling opensc-pkcs11 module.
And C_Finalize is called by IdAlly.exe process.

Since Winlogon process is not calling C_Finalize and
closing all P11 session (P11 session 1, 2 are still
opened), opensc-pkcs11 module keeps the pc/sc
connection established by sc_connect_card function.

I think we need to investigate more thoroughly on this
issue.

Regards,
Kamal.



