rg wrote:
> 
> Hi !
> 
> I am using OpenSC's pkcs11 module to, via a Mozilla plug-in, be able to sign
> data using smart cards.
> 
> Maybe someone who is using this combination has experienced the same
> problem.
> 
> The strange thing happens when replacing smart cards. I will try to explain:
> 
> Possible scenario:
> 
> - Available certificates are shown to user (I get a list of them via NSS
> PK11_ListCerts)
> - User selects a cert in smart card and signs with it. Everything ok so far
> - User removes smart card from reader and replaces it with a different card
> - Available certificates are shown to user
> 
> - Problem: I still get the certificate of the first smart card. I suppose NSS
> is caching the certificate list because of performance? Any way to get the
> right cert, i.e. accessing the new smart card?
> 
> - I change the code of the plug-in so NSS is shut down (NSS_Shutdown) &
> reloaded (PR_Init + NSS_Init + dlopen nss3 & smime3) before showing
> available certificates (an attempt to force a refresh). We open a new (and
> only one) browser. Then:
> 
> - Available certificates are shown to user (nss reloaded)
> - User selects a cert in smart card (do not sign anything)
> - User removes smart card from reader and replaces it with a different card
> - Available certificates are shown to user (nss reloaded). New cert in
> smart card shown properly
> - User repeats removing and replacing card. Correct certificates are always
> shown (note: no signing performed)
> - Available certificates are shown to user (nss reloaded)
> - User selects a cert in smart card and signs with it. Everything ok so far
> - User removes smart card from reader and replaces it with a different card
> - Available certificates are shown to user (nss reloaded)
> - Problem: No cert from smart card is shown. From opensc's log:
> 
> Pkcs11-global.c:37:C_Initialize: C_Initialize(): Cryptoki already
> initialized
> 
> Pkcs11-global.c:37:C_Initialize: C_Initialize(): Cryptoki already
> initialized
> 
> Any idea? Any workaround ?

A couple of possibilities come to mind:

1) when the card is changed, the PKCS11 module should stop honoring all old
session values, and should treat the token as not logged in.  If it's not
doing that properly, and is treating the new token as already logged in,
that might explain it.

2) a reference leak that occurs when signing, which would be a bug in 
PSM or NSS.  I think the current nightly PSM builds have this fixed.

Kai, can you confirm?

> Cheers,
> 
> /R


--
Nelson Bolyard               
Disclaimer:                  I speak for myself, not for Netscape
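
Added example, not part of the original message and not OpenSC or NSS code: a toy single-slot module in C showing the behaviour described in possibility 1, where a card swap invalidates old session handles and resets the login state. The toy_* names and the handle encoding are hypothetical; the CKR_ values are the ones PKCS#11 defines.

```c
#include <stdio.h>

/* Return codes, with the values PKCS#11 assigns them. */
#define CKR_OK                     0x000UL
#define CKR_SESSION_HANDLE_INVALID 0x0B3UL
#define CKR_TOKEN_NOT_PRESENT      0x0E0UL
#define CKR_USER_NOT_LOGGED_IN     0x101UL
#define MAX_SESSIONS 8

/* Toy single-slot module state (hypothetical, not OpenSC's structures). */
static int in_use[MAX_SESSIONS];
static unsigned long card_gen;  /* bumped on every card insertion */
static int card_present, logged_in;

/* Reader event: card pulled. Login state and open sessions die with it. */
void toy_card_removed(void) {
    card_present = logged_in = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) in_use[i] = 0;
}

/* Reader event: a (possibly different) card inserted, never pre-logged-in. */
void toy_card_inserted(void) { card_present = 1; logged_in = 0; card_gen++; }

/* Handle = card generation in the high bits, slot index + 1 in the low 4,
 * so a handle issued for the previous card can never match the new one. */
unsigned long toy_open_session(void) {
    for (int i = 0; card_present && i < MAX_SESSIONS; i++)
        if (!in_use[i]) { in_use[i] = 1; return (card_gen << 4) | (unsigned long)(i + 1); }
    return 0; /* no card or no free session */
}

void toy_login(void) { if (card_present) logged_in = 1; }

/* Every private-key operation re-validates the handle against the current card. */
unsigned long toy_sign(unsigned long h) {
    unsigned long idx = h & 0xF;
    if (!card_present) return CKR_TOKEN_NOT_PRESENT;
    if (idx == 0 || idx > MAX_SESSIONS || !in_use[idx - 1] || (h >> 4) != card_gen)
        return CKR_SESSION_HANDLE_INVALID;
    return logged_in ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}

int main(void) {
    toy_card_inserted();
    unsigned long h = toy_open_session();
    toy_login();
    printf("sign on card 1:          0x%lx\n", toy_sign(h));
    toy_card_removed();
    toy_card_inserted();
    printf("stale handle on card 2:  0x%lx\n", toy_sign(h));
    return 0;
}
```

A module that skipped the generation check or left logged_in set across the swap would return CKR_OK for the stale handle, which is the misbehaviour possibility 1 describes.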
