On 3/25/2011 1:25 PM, Viktor TARASOV wrote:
> On 25/03/2011 17:23, Douglas E. Engert wrote:
>> Testing opensc-cardmod.dll r5270 on Vista, login to AD works with
>> two different cards to the same account. But certutil has a problem.
>> I see from:
>> certutil -store -user My
>>
>>     Key Container = {01000000-0000-0000-0000-000000000000}
>>
>> So it looks like the serial number of the card is not being used,
>> just the ID of the cert which in the PIV case is 01.
>
> Please try r5271.
> Before this release, to get the card's serial number I was using
> card->serialnr.
> The PIV card driver does not set this member.
> Now the 'GET_SERIAL' ctl call is used.

Better.

Using one card on Unix opensc-tool reports the serial as:

Using reader with a card: Gemalto GemPC Twin 00 00
6B 8E 7A C9 1D D2 11 B2 B7 19 00 14 4F 1F 5E F4 k.z.........O.^.

On Vista with r5272 the key container is:

Key Container = {016B8E7A-C91D-D211-B2B7-1900144F1F5E}
which drops the last byte of the serial number.
The leading 01 is the cert ID.

On W7 with Microsoft driver:
Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105

The last 5fc105 is the cert ID, so Microsoft also dropped the last
byte of the serial number when creating the container!!
(They also reversed the first 4 bytes and the next 2 bytes,
probably treating them as integers.)

Not using all of the serial number could lead to non-unique
names, especially if the last byte is the least significant
byte and cards' serial numbers are issued in order, and could be
considered a bug in W7 and OpenSC.

Do we really need the GUID format? "{" and "}" and 4 "-" take up 6
characters that could be used for more serial number and ID.

If other cards have longer serial numbers or IDs for the certs,
that could still be an issue.

Yet with some auto-enroll certificates created by AD based
on Kerberos logins, the Key Container is much longer
so what is the limit?


   Key Container = 
467bef787de60d6a86789cd51bfea96c_7a521a94-3f14-498c-a936-f08e895c2d99
   Simple container name: 53c7cb1b-8706-4813-89b4-c70beaba8d11
   Provider = Microsoft Base Cryptographic Provider v1.0


>>
>> I can log in to Vista using two different cards, but running
>> certutil -store -user My
>>
>> when it prompts to have the first card inserted I insert the second
>> instead, it tries to do a signature operation which fails, and
>> certutil types out the expected public key and what it found on
>> the card.
>>
>> See attachment Vista output. (Some fields were edited with XXXXX.)
>>
>> Using the same two cards on Windows 7 with the Microsoft PIV
>> card driver the Key Container name is derived from the serial number
>> and the ID of the cert (5fc105). (In OpenSC I use 01,02,03,04; Microsoft
>> used some fields from NIST 800-73 to assign IDs to the certs.)
>>
>> On W7:
>> certutil -store -user My
>>
>> ================ Certificate 17 ================
>> Serial Number: 1507cdb40000000feb0d
>> Issuer: CN=XXXXXXXX, DC=anl, DC=gov
>>   NotBefore: 1/12/2011 3:51 PM
>>   NotAfter: 1/12/2012 3:51 PM
>> Subject: CN=XXXXXX
>> Non-root Certificate
>> Template: PIVBetaI-SmartcardLogon, PIV Beta I - Smartcard Logon
>> Cert Hash(sha1): ce 9d df aa 6a 75 b5 67 7e ec e1 a7 9c 16 a8 f4 0b 9b 68 09
>>    Key Container = c97a8e6b-d21d-b211-b719-00144f5fc105
>>
>>
>> When certutil asks for a card to be inserted, inserting the wrong card
>> gives in the details from the pop up window:
>>
>>   "A smart card was detected but is not the
>>    one required for the current operation. The
>>    smart card you are using may be missing
>>    required driver software or a required
>>    certificate. Contact your system"
>>
>> This would indicate to me that the Key Container needs to be unique,
>> and the mods in r5720 are not including the serial number into the
>> ContainerID as the previous code used both.
>>
>>
>> On 3/23/2011 2:50 PM, Douglas E. Engert wrote:
>>>
>>> On 3/23/2011 1:40 PM, Viktor TARASOV wrote:
>>>> On 22/03/2011 20:11, Douglas E. Engert wrote:
>>>>> Back from vacation. Cardmod based on svn r5244 works on Vista with PIV
>>>>> so the mods look OK.
>>>> Please, can you try r5270?
>>>
>>> I am not in the office today, I will try it tomorrow.
>>>>
>>>>> On 3/14/2011 7:56 AM, Douglas E. Engert wrote:
>>>>>>
>>>>>> On 3/12/2011 1:40 PM, Viktor TARASOV wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> For the container's GUID I propose to adopt the classic serialized form
>>>>>>> (ex. {3F2504E0-4F89-11D3-9A0C-0305E82C3301})
>>>>>>> used by Windows containers.
>>>>>>>
>>>>>>> In this patch there is also a little simplification of the key search,
>>>>>>> and some minor remarks.
>>>>>>>
>>>>>>
>>>>>> (I am on vacation, so have not looked closely at the modification.
>>>>>> I cannot test anything until next week.)
>>>>>>
>>>>>> What I had tried to do was use the card serial number || ID of the key.
>>>>>> It looks like you are doing this.
>>>>>> The Windows 7 built-in driver for the PIV card was doing something like
>>>>>> this.
>>>>>> I don't think the OpenSC containerID should match the W7 containerID
>>>>>> as there might be some confusion over which driver should be used.
>>>>>> (I could be wrong about this.)
>>>>>>
>>>>>>>
>>>>>>> Kind wishes,
>>>>>>> Viktor.

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
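The container-name derivation discussed in this thread, as an added example (not OpenSC's cardmod code nor Microsoft's driver): it rebuilds the r5272 name and the Windows 7 PIV driver name from the serial that opensc-tool printed above, and shows that a card whose serial differs only in the last byte (a constructed value) gets the identical container name under both layouts. The byte order of the third 2-byte group is read off the certutil output in the thread.

```python
# Added example (not OpenSC cardmod or Microsoft driver code): rebuilds the two
# key-container name layouts printed in the thread from the card serial number
# and cert ID, and shows why dropping serial bytes lets two cards share a name.

# Serial reported by opensc-tool in the thread (16 bytes).
PAGE_SERIAL = bytes.fromhex("6B8E7AC91DD211B2B71900144F1F5EF4")
# Constructed neighbour: same serial except the last byte, i.e. the next card
# if serials are issued in order (not a value from the thread).
NEXT_SERIAL = PAGE_SERIAL[:-1] + bytes([PAGE_SERIAL[-1] + 1])
MS_CERT_ID = bytes.fromhex("5fc105")  # cert ID the W7 driver appends


def guid_groups(hex32: str, upper: bool) -> str:
    """Split 32 hex digits into the 8-4-4-4-12 GUID layout."""
    h = hex32.upper() if upper else hex32.lower()
    return "-".join((h[:8], h[8:12], h[12:16], h[16:20], h[20:]))


def opensc_r5272_name(serial: bytes, cert_id: int) -> str:
    """Layout seen for cardmod r5272: one cert-ID byte, then the serial,
    truncated to 16 bytes in total, uppercase hex in braces.
    A 16-byte serial loses its last byte."""
    raw = (bytes([cert_id]) + serial)[:16]
    return "{" + guid_groups(raw.hex(), upper=True) + "}"


def ms_piv_style_name(serial: bytes, cert_id: bytes) -> str:
    """Layout seen for the Windows 7 PIV driver: the first 4, 2 and 2 serial
    bytes come out byte-reversed (little-endian GUID integer fields), the next
    5 follow unchanged, then the 3-byte cert ID. Serial bytes 14-16 are lost."""
    raw = (serial[0:4][::-1] + serial[4:6][::-1] + serial[6:8][::-1]
           + serial[8:13] + cert_id)
    return guid_groups(raw.hex(), upper=False)


def names_collide(serial_a: bytes, serial_b: bytes) -> bool:
    """True when two different serials yield the same name in both layouts."""
    return (serial_a != serial_b
            and opensc_r5272_name(serial_a, 0x01) == opensc_r5272_name(serial_b, 0x01)
            and ms_piv_style_name(serial_a, MS_CERT_ID) == ms_piv_style_name(serial_b, MS_CERT_ID))


if __name__ == "__main__":
    print(opensc_r5272_name(PAGE_SERIAL, 0x01))
    print(ms_piv_style_name(PAGE_SERIAL, MS_CERT_ID))
    print("collision with next serial:", names_collide(PAGE_SERIAL, NEXT_SERIAL))
```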