I haven't re-read all log files and emails, but this is my general impression as a summary:

* your card is "strange", as several certificates have the same ID.
* I guess the problem is: the old certificate was not deleted or hidden or whatever, so OpenSC has no reason to not show it.
* now the application sees several certificates and delivers the wrong one to the remote side, thus authentication breaks.
So the solution is easy: change the app to not filter for the right certificate with the "CKA_ID == 46" filter, which finds two certs, but instead use some filter for the CN, which is unique. It should be only a couple of lines in the source; maybe it is already implemented (but I'm no expert here). Of course there are more things that could be analyzed to verify this theory, but I doubt such data will create new insights.

So I'm no expert on this topic, but I guess the code in OpenSC is good in general - while the improved version breaks your use case, it fixes other people's use case. And while they had a real problem that was fixed, it looks to me like here you have a strange card and an application, and the issue is your card/application combo. So this is nothing OpenSC should fix per se. We could add ugly hacks to work around that issue (e.g. a PKCS#11 module that lies and doesn't show all the certificates it has available), but I see little reason for that - it should be much, much, much easier to improve your application.

> Doing 'ipsec listcards' in strongSwan gives me different results
> with working/nonworking OpenSC:
> working one shows my name in subject, nonworking one shows
> subject: 'C=DE, ND=1, CN=NKS 08 A 78205', both for id 46.

Only that one? Or several? If only one is shown, that looks wrong, as the log files we have indicate that the "not_ok" version finds more than the "ok" version. So extra entries are fine; content replaced looks like a real bug - two certs are found, but the second is never looked at. (Again, that would be an application bug I guess...)

> So any other ideas how pkcs11 could again perform with the
> old behaviour?

You could write a filter module that hides the unwanted certificates. But it would be much easier if the applications looked for the right cert with a CN search, and not with an ID search.

> Thanks for the idea.. guess if no one else here has an idea I
> will approach the strongSwan list..
It should be much easier than poking around in the OpenSC code, as in general the OpenSC changes look fine to me, and seem to me to fix other people's real issues (where the problem doesn't seem to be a card/app combo).

Regards, Andreas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
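The two selection strategies the thread argues about, as an added example (my own illustration, not OpenSC or strongSwan code). It simulates a token as a list of PKCS#11 attribute dictionaries, with C_FindObjects-style template matching, and holds two certificates sharing one CKA_ID plus one private key, which is the situation the mail describes. The object labels, the subject names, the choice of UTF8String for the name values and the assumption that the card's "id 46" is the single byte 0x46 are all constructed for illustration. The DER Name helpers are there because CKA_SUBJECT is a DER-encoded X.501 Name, so a CN search has to parse that attribute rather than compare a string.

```python
# Added example (not OpenSC/strongSwan code). Simulated PKCS#11 token:
# "first certificate with CKA_ID == 0x46" is ambiguous when two certs
# share that ID; selecting on the subject CN (parsed out of the DER
# CKA_SUBJECT) resolves it. Object contents are constructed; "id 46"
# being the byte 0x46 is an assumption.

# PKCS#11 attribute and class constants (values as in the standard)
CKA_CLASS, CKA_LABEL, CKA_SUBJECT, CKA_ID = 0x0000, 0x0003, 0x0101, 0x0102
CKO_CERTIFICATE, CKO_PRIVATE_KEY = 0x0001, 0x0003

# X.520 attribute type OIDs, DER contents octets
OID_C = bytes.fromhex("550406")   # id-at-countryName 2.5.4.6
OID_CN = bytes.fromhex("550403")  # id-at-commonName  2.5.4.3


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_name(rdns):
    """DER X.501 Name from [(oid, value)]: one AVA per RDN, UTF8String values."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x0C, val.encode("utf-8"))))
        for oid, val in rdns))


def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """All TLVs directly inside a constructed value's contents."""
    out, pos = [], 0
    while pos < len(body):
        tag, contents, pos = der_read(body, pos)
        out.append((tag, contents))
    return out


def name_attribute(subject_der, oid):
    """First value of the given attribute type in a DER Name (what
    CKA_SUBJECT holds), or None. Fine for PrintableString/UTF8String."""
    tag, name, _ = der_read(subject_der)
    if tag != 0x30:
        raise ValueError("CKA_SUBJECT is not a SEQUENCE")
    for _set_tag, rdn in der_children(name):
        for _seq_tag, ava in der_children(rdn):
            (_, attr_type), (_, value) = der_children(ava)[:2]
            if attr_type == oid:
                return value.decode("utf-8")
    return None


# Constructed token: old and current certificate share CKA_ID 0x46 with one key.
TOKEN = [
    {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: b"\x46", CKA_LABEL: "old cert",
     CKA_SUBJECT: der_name([(OID_C, "DE"), (OID_CN, "NKS 08 A 78205")])},
    {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: b"\x46", CKA_LABEL: "current cert",
     CKA_SUBJECT: der_name([(OID_C, "DE"), (OID_CN, "Example User")])},
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: b"\x46", CKA_LABEL: "auth key"},
]


def find_objects(token, template):
    """C_FindObjects semantics: every template attribute must match exactly."""
    return [o for o in token if all(o.get(k) == v for k, v in template.items())]


def select_by_id(token, cka_id):
    """The pattern the mail criticises: take the first cert with the wanted
    CKA_ID and never look at the second hit."""
    hits = find_objects(token, {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: cka_id})
    return hits[0] if hits else None


def select_by_cn(token, cn, cka_id=None):
    """Suggested fix: narrow by class (and CKA_ID, so the cert still pairs
    with its key), then require exactly one cert whose subject CN matches.
    Refusing to guess on 0 or >1 hits is the security-relevant part."""
    template = {CKA_CLASS: CKO_CERTIFICATE}
    if cka_id is not None:
        template[CKA_ID] = cka_id
    hits = [o for o in find_objects(token, template)
            if name_attribute(o[CKA_SUBJECT], OID_CN) == cn]
    if len(hits) != 1:
        raise LookupError(f"expected one certificate with CN={cn!r}, found {len(hits)}")
    return hits[0]
```

With this token, `select_by_id(TOKEN, b"\x46")` returns the old certificate (CN "NKS 08 A 78205"), while `select_by_cn(TOKEN, "Example User", cka_id=b"\x46")` returns the current one. Keeping CKA_ID in the template is deliberate: under PKCS#11 the ID is what ties a certificate to its private key, so the CN is used to disambiguate, not to replace that pairing. On this particular card the CN is unique; on a card where it is not, the same pattern works with the full CKA_SUBJECT (or a certificate fingerprint) in place of the CN, and the "exactly one hit or fail" rule is what prevents silently authenticating with the wrong certificate.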