Christian's tcos card has several certificates with the same ID - at least with the old code. with the new one only one is found. no idea why. Christian: you could post a "pkcs15-tool --dump" to show in detail how the card looks like. and can you check if opensc behaves correctly. here is what I extracted from the log files:

--- debugopensc_ipsecstart_notok_anon 2010-02-04 09:20:23.000000000 +0100
+++ debugopensc_ipsecstart_ok_anon 2010-02-04 09:20:29.000000000 +0100
 Allocated slot 0
 Initialized token 'NetKey Card (PIN)'
 C_FindObjectsInit(slot = 0)
 C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
 C_FindObjectsInit: 0 matching objects
 Allocated slot 1
 Initialized token 'NetKey Card (NetKey PIN0)'
 Adding private key 1 to PIN 2
 Adding private key 2 to PIN 2
 C_FindObjectsInit(slot = 1)
 C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
-Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
-Object 4: CKA_LABEL = Telesec Verschluesselungs Zertifikat
-Object 7: CKA_LABEL = Telesec Authentifizierungs Zertifikat
-C_FindObjectsInit: 3 matching objects
+Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
+Object 5: CKA_LABEL = Telesec Authentifizierungs Zertifikat
+C_FindObjectsInit: 2 matching objects
...
 C_FindObjectsInit(): CKA_CLASS = CKO_CERTIFICATE
 C_FindObjectsInit(): CKA_ID = 46
 C_FindObjectsInit: Object 1/2 matches
-C_FindObjectsInit: Object 1/4 matches
-C_FindObjectsInit: 2 matching objects
+C_FindObjectsInit: 1 matching objects
...
 C_FindObjectsInit: C_FindObjectsInit(slot = 1)
 C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
 C_FindObjectsInit(): CKA_ID = 46
 Allocated slot 2
 Initialized token 'NetKey Card (NetKey PIN1)'
 Adding private key 0 to PIN 3
 CKA_LABEL = Signatur Zertifikat 1
-Object 4: CKA_LABEL = Telesec Signatur Zertifikat
-C_FindObjectsInit: 2 matching objects
+C_FindObjectsInit: 1 matching objects
 Allocated slot 3
 Initialized token 'NetKey Card (SigG PIN)'

Usually these cards have one certificate per RSA key.
(I didn't manually decode the log files to check.) so the new code is more correct than the old code: slot 1 has two rsa private keys associated with it, and it finds these two certificates to match those. slot 2 has one private key associated with it, and one certificate is associated with it. so that looks fine. also the old code found two certificates when looking for one with ID 46. that looks bad, the new code finds only one, which seems correct. but, if the certificate was renewed, and the old certificate was not overwritten, but simply a new certificate added with the same CKA_ID (so it matches the same private key), then the old code might have shown the correct result. no idea if something like this is legal and how opensc should behave in such situations. I hope Peter and Pierre can help here. but in both cases: the logs clearly show a signature is correctly created. so I guess you have an application error here. maybe old opensc was buggy, and strongswan implemented a workaround. and now that opensc was fixed, the workaround no longer works? only a theory. but from these logs, I can't see anything wrong in what opensc does. with a "pkcs15-tool --dump" or other checks, we could make sure the correlation of certificates to slots / rsa private keys is correct.
pkcs15_create_tokens: Found 5 authentication objects
pkcs15_create_pkcs11_objects: Found 4 private keys
pkcs15_create_pkcs11_objects: Found 0 public keys
pkcs15_create_pkcs11_objects: Found 0 private keys
pkcs15_create_pkcs11_objects: Found 0 public keys
pkcs15_create_pkcs11_objects: Found 6 certificates

on the other hand, this looks strange:

C_GetAttributeValue: Object 2: CKA_ID = <size inquiry>
C_GetAttributeValue: Object 2: CKA_LABEL = <size inquiry>
C_GetAttributeValue: Object 2: CKA_VALUE = <size inquiry>
C_GetAttributeValue: Object 2: CKA_ID = 46
C_GetAttributeValue: Object 2: CKA_LABEL = Verschluesselungs Zertifikat 1
C_GetAttributeValue: Object 2: CKA_VALUE = 308205E0308204C8A003020102020302ED3D300D06092A864886F70D01010505
C_GetAttributeValue: Object 4: CKA_ID = <size inquiry>
C_GetAttributeValue: Object 4: CKA_LABEL = <size inquiry>
C_GetAttributeValue: Object 4: CKA_VALUE = <size inquiry>
C_GetAttributeValue: Object 4: CKA_ID = 46
C_GetAttributeValue: Object 4: CKA_LABEL = Telesec Verschluesselungs Zertifikat
C_GetAttributeValue: Object 4: CKA_VALUE = 3082020E3082017AA003020102020400E1BD4D300A06062B2403030102050030

(Object 4 only found with old code). Two certificates with the same CKA_ID? was the certificate maybe renewed, and the old one not replaced, but simply the new one was added? Peter, you know the tcos emulation best, any idea what is happening there? Pierre, any idea how the new code will react to such strange situations? I don't know the fine print of the tcos driver/emulation or the details of the code to match certificates/keys/slots, so I give up here. can you see if there is something wrong?

Regards, Andreas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
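An added example, not from the thread or from OpenSC, that parses the C_GetAttributeValue lines quoted above and decodes the logged head of each CKA_VALUE (serial number and signature OID) so that certificate objects sharing one CKA_ID can be told apart; the hex values are the ones from the log, the function names are my own.

```python
import re
from collections import defaultdict

# Lines quoted in the thread; each CKA_VALUE is the first 32 bytes of a DER cert.
LOG = """\
C_GetAttributeValue: Object 2: CKA_ID = <size inquiry>
C_GetAttributeValue: Object 2: CKA_ID = 46
C_GetAttributeValue: Object 2: CKA_VALUE = 308205E0308204C8A003020102020302ED3D300D06092A864886F70D01010505
C_GetAttributeValue: Object 4: CKA_ID = 46
C_GetAttributeValue: Object 4: CKA_VALUE = 3082020E3082017AA003020102020400E1BD4D300A06062B2403030102050030
"""
LINE = re.compile(r"C_GetAttributeValue: Object (\d+): (CKA_\w+) = (.+)")

def parse_log(text):  # group logged attribute values by object handle
    objs = defaultdict(dict)
    for num, attr, val in LINE.findall(text):
        if val.strip() != "<size inquiry>":  # size probes carry no value
            objs[int(num)][attr] = val.strip()
    return objs
def _tlv(buf, pos):  # read one DER tag and length -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln
def _oid(raw):  # DER OID content bytes -> dotted notation
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))
def cert_identity(hexvalue):  # (serialNumber, signature OID) from a DER cert head
    buf = bytes.fromhex(hexvalue)
    _, p, _ = _tlv(buf, 0)  # Certificate SEQUENCE
    _, p, _ = _tlv(buf, p)  # tbsCertificate SEQUENCE
    tag, s, e = _tlv(buf, p)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, s, e = _tlv(buf, e)
    serial = int.from_bytes(buf[s:e], "big")  # INTEGER serialNumber
    _, p, _ = _tlv(buf, e)  # signature AlgorithmIdentifier SEQUENCE
    _, s, e = _tlv(buf, p)  # its algorithm OID
    return serial, _oid(buf[s:e])
def shared_ids(objs):  # CKA_IDs carried by more than one certificate object
    by_id = defaultdict(list)
    for num, a in sorted(objs.items()):
        if "CKA_VALUE" in a:
            by_id[a["CKA_ID"]].append((num, cert_identity(a["CKA_VALUE"])))
    return {k: v for k, v in by_id.items() if len(v) > 1}
```

On the quoted values it reports two distinct certificates under ID 46 (different serial numbers, different signature algorithm OIDs), which is the kind of evidence a "pkcs15-tool --dump" would confirm before deciding whether the renewal theory holds.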