Thread: Re: Issue in Certificate logon in XP

Re: Issue in Certificate logon in XP
Douglas E. Engert
United States
2007-07-18 11:30:00

kamal krishna wrote:
> Hi,
> Yes, two processes are calling the opensc-pkcs11 module.
> And C_Finalize is called by the IdAlly.exe process.
>
> Since the Winlogon process is not calling C_Finalize

But the Winlogon process calls the Id Ally CSP, which
calls the PKCS#11, correct?

> and
> closing all P11 sessions (P11 sessions 1 and 2 are still
> open), the opensc-pkcs11 module keeps the PC/SC
> connection established by the sc_connect_card function.
>
> I think we need to investigate this issue more thoroughly.
>
> Regards,
> Kamal.
>
> --- "Douglas E. Engert" <deengert@anl.gov> wrote:
>
>> kamal krishna wrote:
>>> Hi,
>>> I slightly differ from Douglas's assessment. C_Finalize
>>> is not called by the winlogon process. It is called by
>>> IDAlly.exe when we log in.
>> So are you saying that there are two processes calling
>> opensc_pkcs11.dll, the winlogon (via the IdAlly CSP)
>> and IdAlly.exe?
>>
>> Is this some issue with DLLs vs Unix shared libs, and
>> the use of things like:
>>    extern struct sc_context *context;
>> in src/pkcs11/sc_pkcs11.h
>>
>>> I think we have to follow
>>> the number specified in the log entry of
>>> pkcs11-spy.dll.
>>>
>>> If you compare the C_OpenSession log of the Winlogon
>>> process occurring after the C_Finalize called by IDAlly.exe
>>> with its corresponding log entry in the
>>> opensc-debug.log file, you can find that for this
>>> C_OpenSession function, it is not creating a new PC/SC
>>> session as expected, but using the old PC/SC session.
>>>
>>> opensc-pkcs#11 does not close all the PC/SC sessions,
>>> because not all the sessions opened by the CSP are closed.
>>> From the pkcs11-spy log, it is not closing sessions 1 and 2.
>>>
>>> Can you please verify the log again and give your
>>> opinion.
>>>
>>> Regards,
>>> Kamal.
>>>
>>> --- "Douglas E. Engert" <deengert@anl.gov> wrote:
>>>
>>>> Corcoran David wrote:
>>>>> Hi,
>>>>>
>>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module?
>>>>
>>>> Yes, looks like the CSP calls C_Finalize after the
>>>> card is removed. Then when a card is inserted, it does
>>>> not call C_Initialize but calls C_OpenSession. I suspect
>>>> the problem is in that handles the call when a card is
>>>> removed, not setting some state variable to indicate
>>>> that C_Initialize needs to be called again.
>>>>
>>>>> We are in the process of making updates so it might
>>>>> be a good time for us to address this (if it is not
>>>>> already)
>>>> Yes, good time. If you have anything to test, let me know.
>>>>
>>>>> You should be able to work around this in a shim
>>>>> pkcs#11 module like pkcs11spy by abstracting
>>>>> C_OpenSession and determining if the P11 module was
>>>>> already closed down and calling C_Initialize again
>>>>> before passing C_OpenSession through.
>>>>
>>>> I am trying to avoid having to write any additional
>>>> shims or hacks, especially if you are looking at the code.
>>>>
>>>> The current work-around is for the user to try again,
>>>> but this may only work if it is the same card. (I have
>>>> not tried using a card for a different user.)
>>>>
>>>> We are still doing pilots, and PIV cards will not be
>>>> generally available until at least October. I hope by
>>>> then you have a new version of IdAlly.
>>>>
>>>>> Thanks,
>>>>> Dave
>>>>>
>>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>>>> More info on this. I think it is an ID Ally bug.
>>>>>> Looking at spy and opensc debug logs, it looks like
>>>>>> the CSP is called when a card is removed, which sounds
>>>>>> reasonable. The Id Ally does C_Initialize, C_GetSlotList,
>>>>>> a loop over the 8 slots for C_GetSlotInfo,
>>>>>> then a C_Finalize.
>>>>>>
>>>>>> I then logged off and tried to log in again.
>>>>>>
>>>>>> Rather than another C_Initialize, as would be expected
>>>>>> since C_Finalize was called last, Id Ally does a
>>>>>> C_OpenSession.
>>>>>> The way I read PKCS#11 2.01, under C_Finalize it says:
>>>>>> "C_Finalize is called to indicate that an application
>>>>>> is finished with the Cryptoki library."
>>>>>> If IdAlly wants to use the library again, it should
>>>>>> call C_Initialize. IdAlly tries some other things, and
>>>>>> gets back in sync so the next login works.
>>>>>>
>>>>>> But I would also think OpenSC should give an error if
>>>>>> C_OpenSession is called and C_Initialize has not been
>>>>>> called. But it is not clear if Id Ally could get back
>>>>>> in sync!
>>>>>>
>>>>>>
>>>>>> kamal krishna wrote:
>>>>>>> Hi,
>>>>>>> Today I tried certificate logon in XP with a PIV card.
>>>>>>> As I told you before, the first certificate logon after
>>>>>>> reboot succeeded. But the second logon failed.
>>>>>>> I have attached the opensc log files with this. This
>>>>>>> log file contains entries for the first successful
>>>>>>> logon and the second failed logon.
>>>>>>> Please give your opinion.
>>>>>>> Regards,
>>>>>>> Kamal.
>>>>>>> --- "Douglas E. Engert" <deengert@anl.gov> wrote:
>>>>>>>> kamal krishna wrote:
>>>>>>>>> Hi all,
>>>>>>>>> I tried certificate logon with the "Identity Alliance
>>>>>>>>> CSP" and the opensc-pkcs11 module on an XP machine.
>>>>>>>>> The certificate logon works fine the first time. But
>>>>>>>>> if we log off and again try to do certificate logon,
>>>>>>>>> the logon fails the second time.
>>>>>>>>>
>>>>>>>>> I want to confirm whether it is an issue.
>>>>>>>> Works OK for me.
>>>>>>>>
>>>>>>>>> I analysed the opensc log files. I think the
>>>>>>>>> following is the reason for the error. In XP, the
>>>>>>>>> opensc-pkcs11 module maintains the PC/SC smartcard
>>>>>>>>> connection during the first certificate logon. And
>>>>>>>>> it uses the same PC/SC connection for the second
>>>>>>>>> certificate logon also. But since we removed and
>>>>>>>>> inserted the card in the
>>
> === message truncated ===
-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
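The call sequence Douglas reconstructs from the pkcs11-spy log (C_Initialize, slot probing, C_Finalize when the card is removed, then C_OpenSession on the next logon with no new C_Initialize), the error he argues OpenSC should return in that case, and the re-initialising shim Dave proposes, as an added toy model in C. This is not OpenSC, pkcs11-spy or ID Ally code: the CK_RV values and the C_OpenSession parameter order are those of the PKCS#11 v2.x header, but the module globals, the shim, the replay function and the simplification of the notify callback to a void pointer are constructed here for illustration only.

```c
/*
 * Added example (not OpenSC or ID Ally code): a toy in-process model of the
 * PKCS#11 initialisation state machine discussed in the thread.  The CKR_* /
 * CKF_* values are the ones from the PKCS#11 v2.x header; the globals, the
 * shim and the replay are assumptions made for this illustration.
 */
#include <stdio.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SLOT_ID;
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_SESSION_HANDLE;

#define CKR_OK                              0x000UL
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED  0x0B4UL
#define CKR_CRYPTOKI_NOT_INITIALIZED        0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED    0x191UL
#define CKF_SERIAL_SESSION                  0x004UL

/* Module-wide state, standing in for the shared sc_context the thread mentions.
 * One C_Finalize tears it down for every caller in the process. */
static int               g_initialized    = 0;
static int               g_card_connected = 0;   /* sc_connect_card() done? */
static CK_SESSION_HANDLE g_next_session   = 1;

CK_RV C_Initialize(void *args)
{
    (void)args;
    if (g_initialized)
        return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    g_initialized = 1;
    return CKR_OK;
}

CK_RV C_Finalize(void *reserved)
{
    (void)reserved;
    if (!g_initialized)
        return CKR_CRYPTOKI_NOT_INITIALIZED;
    g_initialized    = 0;
    g_card_connected = 0;   /* every session closed, every card disconnected */
    return CKR_OK;
}

/* The check Douglas asks for: a session request on a finalised library is an
 * error, never a silent reuse of a stale PC/SC connection. */
CK_RV C_OpenSession(CK_SLOT_ID slot, CK_FLAGS flags, void *app, void *notify,
                    CK_SESSION_HANDLE *out)
{
    (void)slot; (void)app; (void)notify;
    if (!g_initialized)
        return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (!(flags & CKF_SERIAL_SESSION))
        return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
    if (!g_card_connected)
        g_card_connected = 1;   /* fresh connection to whatever card is present */
    *out = g_next_session++;
    return CKR_OK;
}

/* The work-around Dave sketches: a pkcs11-spy style shim that notices the
 * module has been finalised and re-initialises it before passing the call on. */
CK_RV shim_C_OpenSession(CK_SLOT_ID slot, CK_FLAGS flags, void *app,
                         void *notify, CK_SESSION_HANDLE *out)
{
    CK_RV rv = C_OpenSession(slot, flags, app, notify, out);
    if (rv == CKR_CRYPTOKI_NOT_INITIALIZED) {
        rv = C_Initialize(NULL);
        if (rv != CKR_OK)
            return rv;
        rv = C_OpenSession(slot, flags, app, notify, out);
    }
    return rv;
}

/* Replay the sequence seen in the spy log and return the result of the second
 * logon's C_OpenSession, which arrives after C_Finalize with no C_Initialize. */
CK_RV replay_logon_sequence(int use_shim)
{
    CK_SESSION_HANDLE h = 0;
    g_initialized = 0; g_card_connected = 0; g_next_session = 1;

    C_Initialize(NULL);
    C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &h);   /* first logon OK */
    C_Finalize(NULL);                                        /* card removed  */

    return use_shim ? shim_C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &h)
                    : C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &h);
}

int module_is_initialized(void) { return g_initialized; }
int card_connection_open(void)  { return g_card_connected; }

int main(void)
{
    printf("second logon, no shim:   0x%lx\n", replay_logon_sequence(0));
    printf("second logon, with shim: 0x%lx\n", replay_logon_sequence(1));
    return 0;
}
```

Without the shim the second logon fails cleanly with CKR_CRYPTOKI_NOT_INITIALIZED (0x190) instead of succeeding on a connection that belongs to the card that was pulled; with the shim the module is re-initialised and a new connection is made. Either outcome is preferable to the silent reuse the logs show, and a real shim should also expect the CSP and IdAlly.exe to be separate processes with separate copies of this state.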

Re: Issue in Certificate logon in XP
kamal krishna
United States
2007-07-19 01:20:47
Yes, Winlogon process calls IDAlly CSP which calls
opensc-pkcs11 module.
--- "Douglas E. Engert" <deengert@anl.gov> wrote:

> kamal krishna wrote:
> > Hi,
> > Yes, two processes are calling the opensc-pkcs11 module.
> > And C_Finalize is called by the IdAlly.exe process.
> >
> > Since the Winlogon process is not calling C_Finalize
>
> But the Winlogon process calls the Id Ally CSP, which
> calls the PKCS#11, correct?
>
> > and
> > closing all P11 sessions (P11 sessions 1 and 2 are still
> > open), the opensc-pkcs11 module keeps the PC/SC
> > connection established by the sc_connect_card function.
> >
> > I think we need to investigate this issue more thoroughly.
> >
> > Regards,
> > Kamal.
> >
> > --- "Douglas E. Engert" <deengert@anl.gov> wrote:
> >
> >> kamal krishna wrote:
> >>> Hi,
> >>> I slightly differ from Douglas's assessment. C_Finalize
> >>> is not called by the winlogon process. It is called by
> >>> IDAlly.exe when we log in.
> >> So are you saying that there are two processes calling
> >> opensc_pkcs11.dll, the winlogon (via the IdAlly CSP)
> >> and IdAlly.exe?
> >>
> >> Is this some issue with DLLs vs Unix shared libs, and
> >> the use of things like:
> >>    extern struct sc_context *context;
> >> in src/pkcs11/sc_pkcs11.h
> >>
> >>> I think we have to follow
> >>> the number specified in the log entry of
> >>> pkcs11-spy.dll.
> >>>
> >>> If you compare the C_OpenSession log of the Winlogon
> >>> process occurring after the C_Finalize called by IDAlly.exe
> >>> with its corresponding log entry in the
> >>> opensc-debug.log file, you can find that for this
> >>> C_OpenSession function, it is not creating a new PC/SC
> >>> session as expected, but using the old PC/SC session.
> >>>
> >>> opensc-pkcs#11 does not close all the PC/SC sessions,
> >>> because not all the sessions opened by the CSP are closed.
> >>> From the pkcs11-spy log, it is not closing sessions 1 and 2.
> >>>
> >>> Can you please verify the log again and give your
> >>> opinion.
> >>>
> >>> Regards,
> >>> Kamal.
> >>>
> >>> --- "Douglas E. Engert" <deengert@anl.gov> wrote:
> >>>
> >>>> Corcoran David wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module?
> >>>>
> >>>> Yes, looks like the CSP calls C_Finalize after the
> >>>> card is removed. Then when a card is inserted, it does
> >>>> not call C_Initialize but calls C_OpenSession. I suspect
> >>>> the problem is in that handles the call when a card is
> >>>> removed, not setting some state variable to indicate
> >>>> that C_Initialize needs to be called again.
> >>>>
> >>>>> We are in the process of making updates so it might
> >>>>> be a good time for us to address this (if it is not
> >>>>> already)
> >>>> Yes, good time. If you have anything to test, let me know.
> >>>>
> >>>>> You should be able to work around this in a shim
> >>>>> pkcs#11 module like pkcs11spy by abstracting
> >>>>> C_OpenSession and determining if the P11 module was
> >>>>> already closed down and calling C_Initialize again
> >>>>> before passing C_OpenSession through.
> >>>>
> >>>> I am trying to avoid having to write any additional
> >>>> shims or hacks, especially if you are looking at the code.
> >>>>
> >>>> The current work-around is for the user to try again,
> >>>> but this may only work if it is the same card. (I have
> >>>> not tried using a card for a different user.)
> >>>>
> >>>> We are still doing pilots, and PIV cards will not be
> >>>> generally available until at least October. I hope by
> >>>> then you have a new version of IdAlly.
> >>>>
> >>>>> Thanks,
> >>>>> Dave
> >>>>>
> >>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
> >>>>>> More info on this. I think it is an ID Ally bug.
> >>>>>> Looking at spy and opensc debug logs, it looks like
> >>>>>> the CSP is called when a card is removed, which sounds
> >>>>>> reasonable. The Id Ally does C_Initialize, C_GetSlotList,
> >>>>>> a loop over the 8 slots for C_GetSlotInfo,
> >>>>>> then a C_Finalize.
> >>>>>>
> >>>>>> I then logged off and tried to log in again.
> >>>>>>
> >>>>>> Rather than another C_Initialize, as would be expected
> >>>>>> since C_Finalize was called last, Id Ally does a
> >>>>>> C_OpenSession.
> >>>>>> The way I read PKCS#11 2.01, under C_Finalize it says:
> >>>>>> "C_Finalize is called to indicate that an application
> >>>>>> is finished with the Cryptoki library."
> >>>>>> If IdAlly wants to use the library again, it should
> >>>>>> call C_Initialize. IdAlly tries some other things, and
> >>>>>> gets back in sync so the next login works.
> >>>>>>
> >>>>>> But I would also think OpenSC should give an error if
> >>>>>> C_OpenSession is called and C_Initialize has not been
> >>>>>> called. But it is not clear if Id Ally could get back
> >>>>>> in sync!
> >>>>>>
> >>>>>>
> >>>>>> kamal krishna wrote:
> >>>>>>> Hi,
> >>>>>>> Today I tried certificate logon in XP with a PIV card.
>
=== message truncated ===
