Peter, you know the tcos emulation best, any idea what is happening there?
Pierre, any idea how the new code will react to such strange situations?

christians tcos card has several certificates with the same ID -
at least with the old code. with the new one only one is found.
no idea why.

chistian: you could post a "pkcs15-tool --dump" to show in detail
how the card looks like.

and can you check if opensc behaves correctly. here is what I extracted from 
the log files:

--- debugopensc_ipsecstart_notok_anon   2010-02-04 09:20:23.000000000 +0100
+++ debugopensc_ipsecstart_ok_anon      2010-02-04 09:20:29.000000000 +0100

Allocated slot 0
Initialized token 'NetKey Card (PIN)'
C_FindObjectsInit(slot = 0)
C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
C_FindObjectsInit: 0 matching objects

Allocated slot 1
Initialized token 'NetKey Card (NetKey PIN0)'
Adding private key 1 to PIN 2
Adding private key 2 to PIN 2
C_FindObjectsInit(slot = 1)
C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
-Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
-Object 4: CKA_LABEL = Telesec Verschluesselungs Zertifikat
-Object 7: CKA_LABEL = Telesec Authentifizierungs Zertifikat
-C_FindObjectsInit: 3 matching objects
+Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
+Object 5: CKA_LABEL = Telesec Authentifizierungs Zertifikat
+C_FindObjectsInit: 2 matching objects
...
C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
C_FindObjectsInit(): CKA_ID = 46
C_FindObjectsInit: Object 1/2 matches
-C_FindObjectsInit: Object 1/4 matches
-C_FindObjectsInit: 2 matching objects
+C_FindObjectsInit: 1 matching objects
...
C_FindObjectsInit: C_FindObjectsInit(slot = 1)
C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
C_FindObjectsInit(): CKA_ID = 46

Allocated slot 2
Initialized token 'NetKey Card (NetKey PIN1)'
Adding private key 0 to PIN 3
CKA_LABEL = Signatur Zertifikat 1
-Object 4: CKA_LABEL = Telesec Signatur Zertifikat
-C_FindObjectsInit: 2 matching objects
+C_FindObjectsInit: 1 matching objects

Allocated slot 3
Initialized token 'NetKey Card (SigG PIN)'


Usualy these cards have one certificate per RSA key.
(I didn't manualy decode the log files to check.)

so the new code is more correct than the old code:
slot 1 has two rsa private keys associated with it,
and it finds these two certificates to match those.

slot 2 has one private key associated to me, and
one certificate is associated with it.

so that looks fine. also the old code found two certificates
when looking for one with ID 46. that looks bad, the new
code finds only one, which seems correct.

but, if the certificate was renewed, and the old certificate
was not overwritten, but simply a new certificate added with
the same CKA_ID (so it matches the same private key), then
the old code might have shown the correct result.

no idea if something like this is legal and how opensc should
behave in such situations. I hope peter and pierre can help
here.

but in both cases: the logs clearly show a signature is correclty
created. so I guess you have an application error here.

maybe old opensc was buggy, and strongswan implemented a workaround.
and now that opensc was fixed, the workaround no longer works? only
a theory.

but from these logs, I can't see anything wrong in what opensc does.
with a "pkcs15-tool --dump" or other checks, we could make sure
the correlation certificates to slows / rsa private keys is correct.

pkcs15_create_tokens: Found 5 authentication objects
pkcs15_create_pkcs11_objects: Found 4 private keys
pkcs15_create_pkcs11_objects: Found 0 public keys
pkcs15_create_pkcs11_objects: Found 0 private keys
pkcs15_create_pkcs11_objects: Found 0 public keys
pkcs15_create_pkcs11_objects: Found 6 certificates

on the other hand, this looks strange:
C_GetAttributeValue: Object 2: CKA_ID = <size inquiry>
C_GetAttributeValue: Object 2: CKA_LABEL = <size inquiry>
C_GetAttributeValue: Object 2: CKA_VALUE = <size inquiry>
C_GetAttributeValue: Object 2: CKA_ID = 46
C_GetAttributeValue: Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
C_GetAttributeValue: Object 2: CKA_VALUE = 
308205E0308204C8A003020102020302ED3D300D06092A864886F70D01010505
C_GetAttributeValue: Object 4: CKA_ID = <size inquiry>
C_GetAttributeValue: Object 4: CKA_LABEL = <size inquiry>
C_GetAttributeValue: Object 4: CKA_VALUE = <size inquiry>
C_GetAttributeValue: Object 4: CKA_ID = 46
C_GetAttributeValue: Object 4: CKA_LABEL = Telesec Verschluesselungs 
Zertifikat
C_GetAttributeValue: Object 4: CKA_VALUE = 
3082020E3082017AA003020102020400E1BD4D300A06062B2403030102050030

(Object 4 only found with old code). Two certificates with the same CKA_ID? 
was the certificate maybe renewed, and the old one not replaced,
but simply the new one was added?

Peter, you know the tcos emulation best, any idea what is happening there?
Pierre, any idea how the new code will react to such strange situations?

I don't know the fine-print of tcos driver/emulation or the details of
the code to match certificate/keys/slots so give up here. can you see
if there is something wrong?

Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to