Corcoran David wrote:
> Hi,
> 
> Is this an issue from the CSP -> OpenSC PKCS#11 module?

Yes, it looks like the CSP calls C_Finalize after the card is removed.
Then when a card is inserted, it does not call C_Initialize
but calls C_OpenSession. I suspect the problem is in whatever handles
the call when a card is removed, not setting some state variable to
indicate that C_Initialize needs to be called again.


> We are in the process of making updates so it might be a good time
> for us to address this (if it is not already)  

Yes, good time. If you have anything to test, let me know.

> You should be able to work around this in a shim pkcs#11 module like
> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
> was already closed down and calling C_Initialize again before passing
> C_OpenSession through.

I am trying to avoid having to write any additional shims or hacks,
especially if you are looking at the code.

The current workaround is for the user to try again, but this may only work
if it is the same card. (I have not tried using a card for a different user.)

We are still doing pilots, and PIV cards will not be generally available
until at least October. I hope by then you have a new version of
IdAlly.


> 
> Thanks,
> Dave
> 
> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
> 
>> More info on this. I think it is an ID Ally bug.
>>
>> Looking at spy and opensc debug logs, it looks like
>> the CSP is called when a card is removed, which sounds reasonable.
>>
>> The Id Ally does C_Initialize, C_GetSlotList,
>> a loop over the 8 slots for C_GetSlotInfo
>> then a C_Finalize.
>>
>> I then logged off and tried to log in again.
>>
>> Rather than another C_Initialize as would be expected
>> since C_Finalize was called last, Id Ally does a C_OpenSession.
>>
>> The way I read PKCS#11 2.01 under C_Finalize it says:
>> "C_Finalize is called to indicate that an application is finished
>> with the Cryptoki library."
>> If IdAlly wants to use the library again, it should call C_Initialize.
>>
>>
>> IdAlly tries some other things, and gets back in sync so the next
>> login works.
>>
>> But I would also think OpenSC should give an error if the C_OpenSession
>> is called and C_Initialize has not been called. But it is not clear if
>> Id Ally could get back in sync!
>>
>>
>> kamal kumar wrote:
>>> Hi,
>>> Today I tried certificate logon in XP with PIV card.
>>> As I told you before, first certificate logon after
>>> reboot succeeded. But the second logon failed.
>>> I have attached the opensc log files with this. This
>>> log file contains entries for first successful logon
>>> and second failed logon.
>>> Please give your opinion.
>>> Regards,
>>> Kamal.
>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>>
>>>> kamal kumar wrote:
>>>>> Hi all,
>>>>> I tried certificate logon with "Identity Alliance CSP"
>>>>> and opensc-pkcs11 module in XP machine. The
>>>>> certificate logon works fine for the first time. But
>>>>> if we logoff and again try to do certificate logon,
>>>>> the logon fails second time.
>>>>>
>>>>> I want to confirm whether it is an issue.
>>>> Works OK for me.
>>>>
>>>>> I analysed the opensc log files. I think the following
>>>>> is the reason for the error. In XP, opensc-pkcs11 module
>>>>> maintains the pc/sc smartcard connection during the
>>>>> first certificate logon. And it uses the same pc/sc
>>>>> connection for the second certificate logon also. But
>>>>> since we removed and inserted the card in the middle
>>>>> for getting PIN prompt in winlogon, we are getting the
>>>>> error.
>>>> Sounds like the card failed to do an unlock() at some time
>>>> and so the pcsc connection might still be active.
>>>> What type/version of IdAlly, OpenSC, card and reader are
>>>> you using?
>>>>
>>>> I am using IdAlly-1.0, SCB-0.8 (
>>>> PIV card and pcmcia GemPC card.
>>>>
>>>> Note scb-0.8 is based on OpenSC-0.11.2 but the
>>>> version numbers in the opensc-pkcs11.dll says
>>>> 0.11.1.
>>>>
>>>>
>>>>> Can any one please tell me whether it is an issue and
>>>>> is there any way to solve this.
>>>>> Regards,
>>>>> Kamal.
>>>>> _______________________________________________
>>>>> opensc-devel mailing list
>>>>> [email protected]
>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>>
>>>> -- 
>>>>   Douglas E. Engert  <[EMAIL PROTECTED]>
>>>>   Argonne National Laboratory
>>>>   9700 South Cass Avenue
>>>>   Argonne, Illinois  60439
>>>>   (630) 252-5444
>>>>
>>
> 
> 

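As an added illustration, not code from OpenSC, IdAlly or the CSP: a minimal model of the PKCS#11 initialization flag that replays the logged sequence (C_Initialize, C_Finalize, then a bare C_OpenSession) and shows the error the message says OpenSC should return. The model_ function names are hypothetical stand-ins; the return codes carry the values PKCS#11 defines for them.

```c
/* Added example: models the initialized/finalized state a PKCS#11
 * module must track, so that C_OpenSession after C_Finalize is refused. */
#include <stdio.h>

/* Return codes, with the numeric values PKCS#11 assigns to them. */
#define CKR_OK                            0x000
#define CKR_CRYPTOKI_NOT_INITIALIZED      0x190
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x191

/* Library state: set by C_Initialize, cleared by C_Finalize, tested
 * by every other entry point.  Hypothetical model, not OpenSC's code. */
static int g_initialized = 0;
static unsigned long g_next_session = 1;

unsigned long model_C_Initialize(void) {
    if (g_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    g_initialized = 1;
    return CKR_OK;
}

unsigned long model_C_Finalize(void) {
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    g_initialized = 0;          /* the state reset the thread suspects is missing */
    g_next_session = 1;         /* sessions from before C_Finalize are gone too */
    return CKR_OK;
}

unsigned long model_C_OpenSession(unsigned long *session) {
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *session = g_next_session++;
    return CKR_OK;
}

/* Replays the call order seen in the spy log: first logon works, the CSP
 * finalizes after card removal, then the second logon opens a session
 * without re-initializing.  Returns the code that second call receives. */
unsigned long replay_logged_sequence(void) {
    unsigned long s;
    model_C_Initialize();
    model_C_OpenSession(&s);    /* first logon */
    model_C_Finalize();         /* card removed, CSP shuts the library down */
    return model_C_OpenSession(&s);  /* second logon, no C_Initialize */
}

int main(void) {
    printf("second C_OpenSession -> 0x%lx\n", replay_logged_sequence());
    return 0;
}
```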