On 5/10/2011 8:38 AM, HOURY William wrote:
> Dear all,
>
> I'm trying to use the minidriver delivered with OpenSC 12.1 RC1 in order to
> perform Smartcard logon on a XP or 2008 PC. So far, it's not fully successful.
>
> I have personalized my card using the following commands:
> - pkcs15-init -C -T
> - pkcs15-init -P --auth-id 01
> - pkcs15-init -X c:\logoncertificate.der -f DER
> - pkcs15-init -S c:\logonuserkey.pem --auth-id 01
>
> When I perform a pkcs15-tool -D, I get this:
>
> " PKCS#15 Card [OpenSC Card]:
>   Version        : 0
>   Serial number  : 0C07548051221F22
>   Manufacturer ID: OpenSC Project
>   Last update    : 20110510092550Z
>   Flags          : EID compliant
>
> PIN [Security Officer PIN]
>   Object Flags   : [0x3], private, modifiable
>   ID             : ff
>   Flags          : [0x92], local, initialized, soPin
>   Length         : min_len:4, max_len:16, stored_len:8
>   Pad char       : 0x00
>   Reference      : 2
>   Type           : ascii-numeric
>   Path           : 3f005015
>
> PIN []
>   Object Flags   : [0x3], private, modifiable
>   ID             : 01
>   Flags          : [0x12], local, initialized
>   Length         : min_len:4, max_len:16, stored_len:8
>   Pad char       : 0x00
>   Reference      : 4
>   Type           : ascii-numeric
>   Path           : 3f005015
>
> Private RSA Key [Private Key]
>   Object Flags   : [0x3], private, modifiable
>   Usage          : [0x4], sign
>   Access Flags   : [0x0]
>   ModLength      : 1024
>   Key ref        : 0 (0x0)
>   Native         : yes
>   Path           : 3f0050150100
>   Auth ID        : 01
>   ID             : f9e3108ba923338ad5c03c3e7c29c9a1483a4fb7
>   GUID           : {f9e3108b-a923-338a-d5c0-3c3e7c29c9a1}
>
> Public RSA Key [Public Key]
>   Object Flags   : [0x2], modifiable
>   Usage          : [0x4], sign
>   Access Flags   : [0x0]
>   ModLength      : 1024
>   Key ref        : 0
>   Native         : no
>   Path           : 3f0050153003
>   ID             : f9e3108ba923338ad5c03c3e7c29c9a1483a4fb7
>
> X.509 Certificate [Certificate]
>   Object Flags   : [0x2], modifiable
>   Authority      : no
>   Path           : 3f0050153104
>   ID             : f9e3108ba923338ad5c03c3e7c29c9a1483a4fb7
>   GUID           : {f9e3108b-a923-338a-d5c0-3c3e7c29c9a1}
>   Encoded serial : 02 0A 6173874100000000005C"
>
> I have added this in the registry to make my card recognized:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\ASEPCOS Smartcard logon]
> "ATR"=hex:3b,d6,18,00,81,b1,80,7d,1f,03,80,51,00,61,10,30,8f
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "80000001"="opensc-minidriver.dll"
>
> If I perform a "certutil -scinfo" or a SSL connection using IE, everything
> works fine, the certificate is well propagated into the IE store & the
> signature is successful. But if I try to perform a smartcard logon, I get the
> following error in the event log:
> "An error occurred while decrypting a message: Bad Data".

The Windows smart card login requires that the machine be joined to AD, the user be in AD, and the certificate have the scLogin extension and the otherName:msUPN:principal.

> I get the same error on XP or 2008 (both 32 bits). Of course, the same
> certificate & keys works fine with a different card & minidriver.

You load the same private key and certificate on to 2 different cards. Do you use both cards on the same machine?

During login there is a lookup of ATR -> Minidriver, to read the certificates, and get the containerID; then later there is a lookup in the cert store of the containerID to get the minidriver to use. If both minidrivers are generating the same containerID there could be an issue of mixing up drivers.

certutil -v -user My is similar to the IE or Control Panel Internet Options Personal certificates. See if there are two sets of entries for the same certificate. Can you try and delete all the entries that match the certificate you are trying, then try the OpenSC card again.

The minidriver has some debugging capabilities that might help.

A network trace of the Kerberos PKINIT packets used during login might show something. (Wireshark works well on Windows.)

> I have also tried to configure the card using the "onepin" option but the
> results are the same. I have also tried the latest release from the nightly
> builds.
>
> Thanks for your help, I can provide some logs if needed.
>
> Regards,
>
> William
> ________________________________
>
> This e-mail and the documents attached are confidential and intended solely
> for the addressee; it may also be privileged. If you receive this e-mail in
> error, please notify the sender immediately and destroy it. As its integrity
> cannot be secured on the Internet, the Atos Origin group liability cannot be
> triggered for the message content. Although the sender endeavours to maintain
> a computer virus-free network, the sender does not warrant that this
> transmission is virus-free and will not be liable for any damages resulting
> from any virus transmitted.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
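The ATR -> minidriver lookup that Douglas describes is the step William's registry entry feeds. The following is an added example (not code from the thread, from OpenSC or from Microsoft) that models that lookup over registry entries of the shape William posted, so that a reader can check whether a card's ATR is claimed by one minidriver, by none, or by more than one. The registry values are copied from the message; the function names and the matching semantics (AND the card's ATR with ATRMask, compare against the registered ATR, require equal lengths) are this example's assumptions, not a description of the Windows Smart Card Resource Manager's code.

```python
# Added example: model the ATR -> minidriver registry lookup that Windows
# performs at logon. Matching semantics here are an assumption of this
# example: the card ATR is ANDed with ATRMask and compared with the
# registered ATR, and a length mismatch is treated as no match.
from typing import Dict, List

# Entries under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards,
# keyed by subkey name, with values written as they appear in a .reg file.
# The ASEPCOS entry is the one from William's message.
REGISTRY: Dict[str, Dict[str, str]] = {
    "ASEPCOS Smartcard logon": {
        "ATR": "hex:3b,d6,18,00,81,b1,80,7d,1f,03,80,51,00,61,10,30,8f",
        "ATRMask": "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff",
        "Crypto Provider": "Microsoft Base Smart Card Crypto Provider",
        "80000001": "opensc-minidriver.dll",
    },
}


def parse_reg_hex(value: str) -> bytes:
    """Turn a .reg style 'hex:3b,d6,...' byte list into bytes."""
    value = value.strip()
    if value.lower().startswith("hex:"):
        value = value[4:]
    return bytes(int(tok, 16) for tok in value.split(",") if tok.strip())


def validate_entry(name: str, entry: Dict[str, str]) -> List[str]:
    """Return configuration problems found in one SmartCards subkey."""
    problems: List[str] = []
    try:
        atr = parse_reg_hex(entry.get("ATR", ""))
        mask = parse_reg_hex(entry.get("ATRMask", ""))
    except ValueError as exc:
        return [f"{name}: ATR or ATRMask is not a hex byte list ({exc})"]
    if not atr:
        problems.append(f"{name}: ATR is empty")
    if len(atr) != len(mask):
        problems.append(f"{name}: ATR has {len(atr)} bytes but ATRMask has {len(mask)}")
    if "80000001" not in entry:
        problems.append(f"{name}: no minidriver registered under value 80000001")
    # Bits set in ATR but cleared by ATRMask are ignored when matching;
    # flag them because they usually mean the mask was edited by hand.
    if len(atr) == len(mask) and any(a & ~m & 0xFF for a, m in zip(atr, mask)):
        problems.append(f"{name}: ATR has bits set outside ATRMask; they are ignored")
    return problems


def atr_matches(card_atr: bytes, entry: Dict[str, str]) -> bool:
    """Apply the entry's ATRMask to both ATRs and compare byte by byte."""
    atr = parse_reg_hex(entry["ATR"])
    mask = parse_reg_hex(entry["ATRMask"])
    if len(card_atr) != len(atr) or len(atr) != len(mask):
        return False
    return all((c & m) == (a & m) for c, m, a in zip(card_atr, mask, atr))


def minidrivers_for_card(card_atr: bytes,
                         registry: Dict[str, Dict[str, str]] = REGISTRY) -> List[str]:
    """Minidriver DLLs whose registry entries claim this card's ATR.

    More than one hit means two drivers claim the same card, which is the
    kind of ambiguity Douglas asks William to rule out."""
    return [entry["80000001"] for entry in registry.values()
            if "80000001" in entry and atr_matches(card_atr, entry)]


if __name__ == "__main__":
    # Constructed sample: the ATR from William's own registry entry.
    card = parse_reg_hex("3b,d6,18,00,81,b1,80,7d,1f,03,80,51,00,61,10,30,8f")
    for name, entry in REGISTRY.items():
        for problem in validate_entry(name, entry):
            print("config problem:", problem)
    print("minidrivers claiming this ATR:", minidrivers_for_card(card))
```

Running the script as written reports no configuration problems for William's entry and exactly one minidriver for his ATR; a second registry entry with an overlapping ATR and mask would show up as a second DLL in that list, and an ATRMask whose length differs from the ATR is reported before it silently stops matching.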