On 1/20/2011 4:53 AM, Viktor TARASOV wrote: > Hello, > > sorry for the question out of the subject, but > > When using OpenSC minidriver (or any other), > does there any existing (or that could be implemented) > possibility to re-actualize the card content and to propagate the > eventual changes to the Windows key stores > without re-inserting the card?
That is be a function of the higher level code in Windows, and should be present. http://technet.microsoft.com/en-us/library/ff404300(WS.10).aspx Windows uses a container name derived from the serial number, and the keyid, (and maybe the type of card), and stored these in the certificate store. The current cardmod driver is using a constant serial number, 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 which will work for a single smartcard, but needs to be fixed to use the card's serial number. It is also using an index starting a 0 for the cert id. See below. From my previous CSP experiences, during login, the cert from the card is obtained, and used without having to be in the registry. It will be added in by login. The command: certutil -user -v -store My or to look at a specific cert, add the cert number to the command certutil -user -v -store My 17 can be used to look at your own certificates in the registry. If a cert is associated with a smart card you will be asked to insert the card, and prompted for a PIN. If the wrong card is inserted you wil be asked again. I have PIV cards that can be used on Windows 7 using the Microsoft driver. I can also use the same PIV card on Vista with the OpenSC cardmod driver, and compare the differences. The card serial number shows up the same, as it is derived from the PIV CHUID object that, that has a GUID in it. It looks like Microsoft and Opensc are doing the same thing. I need to check some more on this. The output on Windows 7 (with vim line numbers shown): 1 My 2 ================ Certificate 17 ================ 3 X509 Certificate: 4 Version: 3 5 Serial Number: 1507cdb40000000feb0d 136 CERT_MD5_HASH_PROP_ID(4): 137 b2 e0 24 ce 78 9c 67 70 ab 31 2c 7a 4c e5 01 76 138 139 Unknown Property(91): 140 06 00 00 00 00 00 00 00 05 00 00 00 02 00 00 00 ................ 141 10 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 ................ 142 00 00 00 00 .... 143 144 CERT_KEY_IDENTIFIER_PROP_ID(20): 145 56 75 70 c1 d7 9d 32 d0 18 8e f1 e0 4a 09 76 d7 a4 b2 78 e2 146 147 CERT_SHA1_HASH_PROP_ID(3): 148 ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09 149 150 CERT_KEY_PROV_INFO_PROP_ID(2): 151 Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105 152 Provider = Microsoft Base Smart Card Crypto Provider 153 ProviderType = 1 154 Flags = 0 155 KeySpec = 1 -- AT_KEYEXCHANGE (On Vista with cardmod, the above shows up as AT_SIGNATURE) This my be why login does not work! 156 157 Unknown Property(90): 158 01 00 00 00 .... 159 Smart Card Serial Number: 6b 8e 7a c9 1d d2 11 b2 b7 19 00 14 4f 1f 5e f4 160 PP_KEYSTORAGE = 1 161 CRYPT_SEC_DESCR -- 1 162 KP_PERMISSIONS = 0 172 Private key is NOT exportable 173 Encryption test passed 174 CertUtil: -store command completed successfully. Line (159) matches what is shown by OpenSC as serial number. Line (151) is the key Container number, and it looks like it is based on the serial number if treated as a GUID. But with bytes swapped, to little endian: c97a8e6b <-> c9 7a 8e 6b d21d <-> 1d d2 b211 <-> 11 b2 b719 <-> 19 b7 00144f == 00 14 4f 5fc105 != 1f 5e f4 But for the cert, the 5fc105 is from the NIST 800-73-3 part 1 table 2 as the PIV BER-TLV Tag. So Microsoft has combined part of the serial number and the tag to create a container. (It may not be unique as the last part of the GUID has been droped!) > > I imagine something like: > - card is used for windows logon and authentication (for ex. in IE); > - the on-card certificate is renewed/imported with some third application > that accesses directly the card; > Is it possible to make these changes available for the Windows applications > without card re-insertion ? I believe it is already there in the BaseCSP. Its just the cardmod driver has some bugs in the area of returning the correct response to find a specific certificate. P.S. Thanks for the question, having looked closer at the certutil -user -v -store My command I am off to try a patch for AT_KEYEXCHANGE with login! > > > On 20.01.2011 00:46, Douglas E. Engert wrote: >> Attached is a patch to the cardmod code to do the following: >> >> (1) Fix an uninitialized stricture by by using calloc >> in stead of malloc. With out this it was having problems >> with checking the status on the reader. >> >> (2) Implement a change that this should work for Brian Thomas >> that allows one to not detect the reader when creating >> the sc_context. This uses the >> SC_CONTEXT_PARAM_DONT_DETECT_READERS flag in the ctx_params >> >> (The more I think about this, this should be the default >> to not detect the readers during the sc_create_ctx, as >> a flag on opensc.conf could control this instead.) >> >> (2) Eliminate the storing of the SCARDCONTEXT and SCARDHANDLE >> in the registry. Instead, cardmod.c will store them >> in its VENDOR_SCPECIFIC structure, call sc_context_create >> with the SC_CONTEXT_PARAM_DONT_DETECT_READERS flag set >> in the ctx_params. It will then modify the ctx, >> and then call sc_ctx_detect_readers that will call the >> cardmod code in reader-pcsc.c that will use the SCARDCONTEXT >> and SCARDHANDLE. >> >> I can get this to work in Vista with certutil -SCinfo, but there >> is some issue as is says it can not open the key. I think this >> is an issue with using a 39 character key container name and a >> constant for a serial number. >> >> It does not work with login or runas. This may be the same issue >> with after reading the certificate, it is not registering the >> container so it can be used later. >> >> The patch is against 0.12.0. and was built on Ubuntu. >> >> I would hope Brian and François could look this over to see if it >> should be committed. >> >> >> >> _______________________________________________ >> opensc-devel mailing list >> opensc-devel@lists.opensc-project.org >> http://www.opensc-project.org/mailman/listinfo/opensc-devel > > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
