On Thu, Feb 04, 2010 at 10:01:43AM +0100, Andreas Jellinghaus wrote:
>
> Christian: you could post a "pkcs15-tool --dump" to show in detail
> how the card looks like.

http://fluxcoil.net/files/openscdebug/pkcs15-tool_dump_ok

That output is the same for working/nonworking opensc revision.
Also the nonworking opensc-rev hands out my personalized cert when
asking for id 46 with

  pkcs15-tool -r 46|openssl x509 -noout -subject

'pkcs11-tool -L'-outputs are also the same.. but my guess is the wrong
cert is accessed by strongswan.

> Usually these cards have one certificate per RSA key.
> (I didn't manually decode the log files to check.)
> so the new code is more correct than the old code:
> slot 1 has two rsa private keys associated with it,
> and it finds these two certificates to match those.
>
> slot 2 has one private key associated to me, and
> one certificate is associated with it.
>
> so that looks fine. also the old code found two certificates
> when looking for one with ID 46. that looks bad, the new
> code finds only one, which seems correct.
>
> but, if the certificate was renewed, and the old certificate
> was not overwritten, but simply a new certificate added with
> the same CKA_ID (so it matches the same private key), then
> the old code might have shown the correct result.

This is a personalization-procedure done for the cards here.

> no idea if something like this is legal and how opensc should
> behave in such situations. I hope peter and pierre can help
> here.
> but in both cases: the logs clearly show a signature is correctly
> created. so I guess you have an application error here.

Correct sig of the wrong cert I suspect..

> maybe old opensc was buggy, and strongswan implemented a workaround.
> and now that opensc was fixed, the workaround no longer works? only
> a theory.

In the beginning also 'pkcs15-tool' spit out the other cert, we started
to fix this with internal patches, later it was properly fixed in
opensc-code.

Let's see..
Christian