Re: [opensc-devel] Fail encryption on cardos card
Andreas Jellinghaus dungeon.inka.de> writes:

>
> ah. what is that? is it open source? available for download somewhere?
> we have the pkcscsp and csp11 sources but no one found time so far to get them
> working and the result signed by microsoft :(
> (ok, the signing should be easy, but I'm no windows developer so that is the
> hard part for me.)
>

Sorry, base for my CSP is pkcscsp from
http://www.opensc-project.org/files/pkcscsp/orig/, not csp11 from
http://csp11.labs.libre-entreprise.org/.
Half year ago, I tried to work with csp11 but not successful, then I found
pkcscsp, written c++ and now I use it in my CSP.

>
> no, we once thought about implementing a config file option to enable
> split-key mode on cardos by default, but never got around it. there should
> be a mail by me in the ML archive about all the changes necessary to implement
> it, but not sure where it is, when it was posted or if it will work out. but
> would be nice to give it a try, if you or anyone here has time on hand.
>
> Regards, Andreas
>

Maybe, when I provide support OpenSc for crypt and sign for all my cards, I will
try to do it.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] AKIS card support
On Wednesday 18 July 2007 08:45:23 Gürer Özen wrote:
> National ID is just one of the applications, just like qualified electronic
> certificates [1] or another one for health services. Card and operating
> system is generic. Some applications (cards issued by government agencies)
> may limit user ACLs, but on empty cards you can initialize&erase as you
> wish.

ok, thanks. any idea when the cards will be on sale? is the documentation
public?

> > could you please create a wiki page with some details about the card?
>
> Sure, I'll prepare a page and send it to you.

ok, thanks. you can also edit the wiki directly - once click register
to create your own user, then you can login and edit the mail page
to add the link to a new page and edit the new page.

either way is fine with me.

Regards, Andreas
Re: [opensc-devel] Encryption with NetKey
Andreas Jellinghaus dungeon.inka.de> writes:

>
> you got it to work? great! I once got the binary on the web page to work,
> but every time I compiled it myself (and got it signed by microsoft), it didn't
> work. did you compile it yourself? can you share the code?
>

Sorry, it is pkcscsp2. First I used csp11, but unsuccessful. Now I use pkcscsp2.

>
> sorry, I don't understand. what exactly are you trying to do?
> if you want to encrypt, the csp can do it with normal cryptoapi or openssl.
> if you want to decrypt or sign with asymmetric: ask opensc/the card to do it.
> can be done using the normal PKCS#11 operations, no big deal.
>
> opensc doesn't implement using public keys - there is not much use asking the
> card to do that. so if you want to do operations with the public key, yes I
> think the CSP should do that itself - either with windows crypto api
> functions or with openssl.
>

I show, why I decide what I need generation of key pair from OpenSc on
encryption. First I wrote order of CryptoApi commands, which needed for calling
in Windows for encrypt, as written in MSDN. On CryptoApi command CryptGenKey,
pkcscsp2 call C_GenerateKeyPair and fails. So I supposed, that problem in
pkcscsp2. But why they try call C_GenerateKeyPair, if it not needed, I don't
understand. Then I supposed what have I do to correct it, because I don't have
enough experience in working with encryption.

I need asymmetric encrypt through standard Windows CSP, and decrypt through
OpenSc, it is possible?

I just want hear, what I'm moving in right direction.
Re: [opensc-devel] Cardos sign modifes
> any chance you can send a unified diff ("svn diff" or "diff -u" format) with
> these changes? that would be great.

I didn't send, next time will use diff.
Re: [opensc-devel] AKIS card support
On Wednesday 18 July 2007 11:11:03 Andreas Jellinghaus wrote:
> ok, thanks. any idea when the cards will be on sale? is the documentation
> public?

Card is sold to the public by http://www.plastkart.com
You can contact them for orders.
Re: [opensc-devel] Encryption with NetKey
On Wed, Jul 18, 2007 at 09:10:30AM +, Dmitry wrote:
> I need asymmetric encrypt through standard Windows CSP, and decrypt
> through OpenSc, it is possible?
>
> I just want hear, what I'm moving in right direction.

Either you would use CryptoApi or OpenSC, but I don't see much point
in using both?

If you can use OpenSC in your application why not use only OpenSC?

If you must use CryptoApi then OpenSC can't help.

Are you sure CryptoApi doesn't offer a decryption function?


//Peter
Re: [opensc-devel] Encryption with NetKey
Peter Stuge wrote:
> On Wed, Jul 18, 2007 at 09:10:30AM +, Dmitry wrote:
>> I need asymmetric encrypt through standard Windows CSP, and decrypt
>> through OpenSc, it is possible?
>>
>> I just want hear, what I'm moving in right direction.
>
> Either you would use CryptoApi or OpenSC, but I don't see much point
> in using both?
>
> If you can use OpenSC in your application why not use only OpenSC?
>
> If you must use CryptoApi then OpenSC can't help.

I disagree...
IdAlly has a CSP that can call PKCS#11/OpenSC and is usable for login...
http://www.identityalliance.com/identity_ally.php

The OpenSC project has some other CSP code but it need some work
so you might be able to do both.

>
> Are you sure CryptoApi doesn't offer a decryption function?
>
>
> //Peter

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] Issue in Certificate logon in XP
Hi,
Yes, Two processes are calling opensc-pkcs11 module.
And C_Finalize is called by IdAlly.exe process.

Since Winlogon process is not calling C_Finalize and
closing all P11 session (P11 session 1, 2 are still
opened), opensc-pkcs11 module keeps the pc/sc
connection established by sc_connect_card function.

I think we need to investigate more thoroughly on this
issue.

Regards,
Kamal.

--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> kamal kumar wrote:
>> Hi,
>> I slightly differ from Douglas assessments. C_Finalize
>> is not called by winlogon process. It is called by
>> IDAlly.exe when we login.
>
> So are you saying that there are two processes calling
> opensc_pkcs11.dll, the winlogin(via the IdAlly CSP)
> and IdAlly.exe?
>
> Is this some issue with DLLs vs Unix shared libs, and
> the use of things like:
>    extern struct sc_context *context;
> in src/pkcs11/sc_pkcs11.h
>
>> I think we have to follow
>> the number specified in the log entry of
>> pkcs11-spy.dll.
>>
>> If you compare the C_OpenSession log of the Winlogon
>> process occurring after C_Finalize called by IDAlly.exe
>> and compare it corresponding log entry in the
>> opensc-debug.log file, you can find that for this
>> C_OpenSession function, it is not creating new pc/sc
>> session as expected. But using old PC/SC session.
>>
>> opensc-pkcs#11 does not close all the pc/sc session,
>> because not all the session opened by CSP are closed.
>> From the pkcs11-spy log, it is not closing session 1,
>> 2.
>>
>> Can you please verify the log again and give your
>> opinion.
>>
>> Regards,
>> Kamal.
>>
>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>
>>> Corcoran David wrote:
>>>> Hi,
>>>>
>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>>
>>> Yes, looks like the CSP calls C_Finalize after the card is removed.
>>> then when a card is inserted, it does not call C_Initialize
>>> but calls C_OpenSession. I suspect the problem is in that handles
>>> the call when a card is removed, not setting some state variable to
>>> indicate that C_Initialize needs to be called again.
>>>
>>>> We are in the process of making updates so it might be a good time
>>>> for us to address this (if it is not already)
>>>
>>> Yes, good time. If you have any thing to test, let me know.
>>>
>>>> You should be able to work around this in a shim pkcs#11 module like
>>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>>> was already closed down and calling C_Initialize again before passing
>>>> C_OpenSession through.
>>>
>>> I am trying to avoid having to write any additional shims or hacks,
>>> especially if you are looking at the code.
>>>
>>> The current work around is for the user to try again, but this may only work
>>> if it is the same card. (I have not tried using a card for a different user.)
>>>
>>> We are still doing pilots, and PIV cards will not be generally available
>>> until at least October. I hope by then hopefully you have a new version of IdAlly.
>>>
>>>> Thanks,
>>>> Dave
>>>>
>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>>> More info on this. I think it is an ID Ally bug.
>>>>>
>>>>> Looking at spy and opensc debug logs, It looks like
>>>>> the CSP is called when a card is removed sounds reasonable.
>>>>> The Id Ally does C_Initialize, C_GetSlotList,
>>>>> a loop over the 8 slots for C_GetSlotInfo
>>>>> then a C_Finalize.
>>>>>
>>>>> I then logged off and try to login again.
>>>>>
>>>>> Rather than another C_Initialize as would be expected
>>>>> since C_Finalize was called last, Id Ally does a C_OpenSession.
>>>>>
>>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>>> "C_Finalize is called to indicate that an application is finished
>>>>> with the Cryptoki library."
>>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>>
>>>>> IdAlly tries some other things, and gets back in sync so the next
>>>>> login works.
>>>>>
>>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>>> is called and C_Initialize has not been called. But it is not clear if
>>>>> Id Ally could get back in sync!
>>>>>
>>>>> kamal kumar wrote:
>>>>>> Hi,
>>>>>> Today i tried certificate logon in XP with PIV card.
>>>>>> As i told you before, first certificate logon after
>>>>>> reboot succeeded. But the second logon failed.
>>>>>> I have attached the opensc log files with this. This
>>>>>> log file contain entries for first successful logon
>>>>>> and second failed logon.
>>>>>> Please give your opinion.
>>>>>> Regards,
>>>>>> Kamal.
>>>>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>>>>> kamal kumar wrote:
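The call sequence discussed in this thread, as an added example that is not OpenSC, pkcs11-spy or IdAlly code: a toy module that rejects a session open after finalize, next to the shim workaround described in the quoted mail. The mod_ and shim_ functions, their simplified signatures and replay() are hypothetical; only the CKR_* return codes are taken from PKCS#11.

```c
#include <stdio.h>

/* Stand-ins for Cryptoki types. Only the CKR_* values come from PKCS#11;
 * the mod_ and shim_ functions are a toy model, not OpenSC or IdAlly code. */
typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
#define CKR_OK                           0x00000000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x00000190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL

/* Toy module: one "initialized" flag, checked by every entry point. */
static int mod_initialized;
static CK_SESSION_HANDLE mod_next_handle;

static CK_RV mod_Initialize(void)
{
    if (mod_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    mod_initialized = 1;
    mod_next_handle = 1;
    return CKR_OK;
}

static CK_RV mod_Finalize(void)
{
    if (!mod_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    mod_initialized = 0;    /* a real module also drops its sessions here */
    return CKR_OK;
}

static CK_RV mod_OpenSession(CK_SESSION_HANDLE *handle)
{
    /* The check asked for in the thread: no session without initialize. */
    if (!mod_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    *handle = mod_next_handle++;
    return CKR_OK;
}

/* Shim: remembers a successful finalize, re-initializes on the next open. */
static int shim_finalized;

static CK_RV shim_Initialize(void)
{
    CK_RV rv = mod_Initialize();
    if (rv == CKR_OK) shim_finalized = 0;
    return rv;
}

static CK_RV shim_Finalize(void)
{
    CK_RV rv = mod_Finalize();
    if (rv == CKR_OK) shim_finalized = 1;
    return rv;
}

static CK_RV shim_OpenSession(CK_SESSION_HANDLE *handle)
{
    if (shim_finalized) {
        CK_RV rv = mod_Initialize();
        if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) return rv;
        shim_finalized = 0;
    }
    return mod_OpenSession(handle);
}

/* Replay of the reported sequence: Initialize, Finalize, then OpenSession. */
static CK_RV replay(int use_shim, CK_SESSION_HANDLE *handle)
{
    mod_initialized = shim_finalized = 0;
    (void)(use_shim ? shim_Initialize() : mod_Initialize());
    (void)(use_shim ? shim_Finalize() : mod_Finalize());
    return use_shim ? shim_OpenSession(handle) : mod_OpenSession(handle);
}

int main(void)
{
    CK_SESSION_HANDLE h = 0;
    CK_RV direct = replay(0, &h);
    CK_RV shim = replay(1, &h);
    printf("direct: 0x%lx\nshim:   0x%lx (handle %lu)\n", direct, shim, h);
    return 0;
}
```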
Re: [opensc-devel] Issue in Certificate logon in XP
kamal kumar wrote:
> Hi,
> Yes, Two processes are calling opensc-pkcs11 module.
> And C_Finalize is called by IdAlly.exe process.
>
> Since Winlogon process is not calling C_Finalize

But the Winlogin process calls the Id Ally CSP, that
calls the PKCS#11, correct?

> and
> closing all P11 session (P11 session 1, 2 are still
> opened), opensc-pkcs11 module keeps the pc/sc
> connection established by sc_connect_card function.
>
> I think we need to investigate more thoroughly on this
> issue.
>
> Regards,
> Kamal.
>
> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>
>> kamal kumar wrote:
>>> Hi,
>>> I slightly differ from Douglas assessments. C_Finalize
>>> is not called by winlogon process. It is called by
>>> IDAlly.exe when we login.
>>
>> So are you saying that there are two processes calling
>> opensc_pkcs11.dll, the winlogin(via the IdAlly CSP)
>> and IdAlly.exe?
>>
>> Is this some issue with DLLs vs Unix shared libs, and
>> the use of things like:
>>    extern struct sc_context *context;
>> in src/pkcs11/sc_pkcs11.h
>>
>>> I think we have to follow
>>> the number specified in the log entry of
>>> pkcs11-spy.dll.
>>>
>>> If you compare the C_OpenSession log of the Winlogon
>>> process occurring after C_Finalize called by IDAlly.exe
>>> and compare it corresponding log entry in the
>>> opensc-debug.log file, you can find that for this
>>> C_OpenSession function, it is not creating new pc/sc
>>> session as expected. But using old PC/SC session.
>>>
>>> opensc-pkcs#11 does not close all the pc/sc session,
>>> because not all the session opened by CSP are closed.
>>> From the pkcs11-spy log, it is not closing session 1,
>>> 2.
>>>
>>> Can you please verify the log again and give your
>>> opinion.
>>>
>>> Regards,
>>> Kamal.
>>>
>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>
>>>> Corcoran David wrote:
>>>>> Hi,
>>>>>
>>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>>>
>>>> Yes, looks like the CSP calls C_Finalize after the card is removed.
>>>> then when a card is inserted, it does not call C_Initialize
>>>> but calls C_OpenSession. I suspect the problem is in that handles
>>>> the call when a card is removed, not setting some state variable to
>>>> indicate that C_Initialize needs to be called again.
>>>>
>>>>> We are in the process of making updates so it might be a good time
>>>>> for us to address this (if it is not already)
>>>>
>>>> Yes, good time. If you have any thing to test, let me know.
>>>>
>>>>> You should be able to work around this in a shim pkcs#11 module like
>>>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>>>> was already closed down and calling C_Initialize again before passing
>>>>> C_OpenSession through.
>>>>
>>>> I am trying to avoid having to write any additional shims or hacks,
>>>> especially if you are looking at the code.
>>>>
>>>> The current work around is for the user to try again, but this may only work
>>>> if it is the same card. (I have not tried using a card for a different user.)
>>>>
>>>> We are still doing pilots, and PIV cards will not be generally available
>>>> until at least October. I hope by then hopefully you have a new version of IdAlly.
>>>>
>>>>> Thanks,
>>>>> Dave
>>>>>
>>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>>>> More info on this. I think it is an ID Ally bug.
>>>>>>
>>>>>> Looking at spy and opensc debug logs, It looks like
>>>>>> the CSP is called when a card is removed sounds reasonable.
>>>>>> The Id Ally does C_Initialize, C_GetSlotList,
>>>>>> a loop over the 8 slots for C_GetSlotInfo
>>>>>> then a C_Finalize.
>>>>>>
>>>>>> I then logged off and try to login again.
>>>>>>
>>>>>> Rather than another C_Initialize as would be expected
>>>>>> since C_Finalize was called last, Id Ally does a C_OpenSession.
>>>>>>
>>>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>>>> "C_Finalize is called to indicate that an application is finished
>>>>>> with the Cryptoki library."
>>>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>>>
>>>>>> IdAlly tries some other things, and gets back in sync so the next
>>>>>> login works.
>>>>>>
>>>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>>>> is called and C_Initialize has not been called. But it is not clear if
>>>>>> Id Ally could get back in sync!
>>>>>>
>>>>>> kamal kumar wrote:
>>>>>>> Hi,
>>>>>>> Today i tried certificate logon in XP with PIV card.
>>>>>>> As i told you before, first certificate logon after
>>>>>>> reboot succeeded. But the second logon failed.
>>>>>>> I have attached the opensc log files with this. This
>>>>>>> log file contain entries for first successful logon
>>>>>>> and second failed logon.
>>>>>>> Please giv
Re: [opensc-devel] AKIS card support
On Wednesday 18 July 2007 08:45:23 Gürer Özen wrote:
> Sure, I'll prepare a page and send it to you.

thanks, I added an initial page with the information so far.
https://www.opensc-project.org/opensc/wiki/TurkishEid

also I changed our list of authors and credits
https://www.opensc-project.org/opensc/wiki/AuthorsAndCredits
and added you as
Gürer Özen for TUBITAK / UEKAE

is this correct? was anyone else involved? should we list TUBITAK or
UEKAE or both as copyright holder (maybe full name, not only the
abbreviation)?

Regards, Andreas
Re: [opensc-devel] Cardos sign modifes
Dmitry wrote:
> Some time ago I tests Cardos SC_CARD_TYPE_CARDOS_M4_3, with atr:
> 3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74
>
> Sign fails on final transmit of sign adpu. I analyzed adpu winscard.dll log of
> SmartTrustPersonal, which CSP sign correctly.
> And found that it use other way of sign throw adpu: 00 2A 80 86 ...
>
> So I modify OpenSc, and now it sign well.
>
> 1. Add new type: SC_CARD_TYPE_CARDOS_M4_3B
>
> 2. In static struct sc_atr_table cardos_atrs[] init as:
> //Old:
> { "3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74", NULL, NULL,
> SC_CARD_TYPE_CARDOS_M4_3, 0, NULL },
> //Modified:
> { "3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74", NULL, NULL,
> SC_CARD_TYPE_CARDOS_M4_3B, 0, NULL },
> /
>
> 3. In do_compute_signature modifies:
> //Old:
>    sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);
> //Modified:
> if(card->type == SC_CARD_TYPE_CARDOS_M4_3B)
> sc_format_apdu(card, &apdu, SC_APDU_CASE_4B, 0x2A, 0x80, 0x86);
> else
> sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);

no, that's wrong and would have the "small" side-effect that cardos
v4.3b cards with the opensc profile won't work anymore. The problem
you have is not a cardos v4.3b problem but a problem of the profile
used (hipath most likely in your case) and a "limitation" of cardos.
A feature of cardos is that you can't sign and decrypt with the same
key so in case you need a multiple purpose key, for example a
authentication key, you need to choose either a decryption or signing
key and for example sign with the decipher operation. The APDU used
for the signature generation in your case is the PSO Decipher APDU
as the hipath profile uses the decryption operation for signing (well
at least in some cases). As opensc uses signing key for signature
generation (IMHO not totally unreasonable) your patch would make
these keys unusable. IMHO the right way to fix this would be to tell
the profile layer to use the decryption operation for signing and not
to modify the card driver.

>
> 4. Add constants:
>
> //Modified:
> #define SC_APDU_CASE_4B 0x34
> #define SC_APDU_B 0x20
> #define SC_APDU_CASE_4B_EXT SC_APDU_CASE_4_SHORT | SC_APDU_EXT |
> SC_APDU_B

sorry but I fail to see why this change should be necessary

Cheers,
Nils
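Review bot: the SC_APDU_CASE_4B_EXT define in step 4 expands to a bare SC_APDU_CASE_4_SHORT | SC_APDU_EXT | SC_APDU_B with no parentheses, so any use next to a higher-precedence operator (a comparison with ==, for instance) evaluates differently from what the name suggests; wrap the expansion in parentheses. In step 2 the existing ATR entry is switched to SC_CARD_TYPE_CARDOS_M4_3B rather than a new entry being added, so every card that presents 3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74 takes the 0x2A 0x80 0x86 branch added to do_compute_signature in step 3, whatever profile it was initialised with.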
[opensc-devel] strange behaviour with asn1.c
asn1_decode_entry() allocates (objlen - 1) bytes for SC_ASN1_UTF8STRING types
with SC_ASN1_ALLOC flag, then calls the sc_asn1_decode_utf8string() function
which then fails with BUFFER TOO SMALL cause it wants to end the string with an
extra NULL.

I guess, allocation size was supposed to be objlen + 1 ?
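The size mismatch reported above, as an added example that is not OpenSC's source: decode_utf8string() is a simplified stand-in for sc_asn1_decode_utf8string(), and decode_entry_alloc(), the alloc_policy enum and the DEC_* codes are hypothetical names. It also covers the zero-length value, where objlen - 1 would wrap, which goes beyond the case in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEC_OK                 0
#define DEC_BUFFER_TOO_SMALL (-1)
#define DEC_OUT_OF_MEMORY    (-2)

/* Stand-in for sc_asn1_decode_utf8string(): copies the value and appends a
 * terminating NUL, so it needs inlen + 1 bytes of room in out. */
static int decode_utf8string(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t *outlen)
{
    if (inlen >= *outlen)        /* same test as inlen + 1 > *outlen, no wrap */
        return DEC_BUFFER_TOO_SMALL;
    memcpy(out, in, inlen);
    out[inlen] = '\0';
    *outlen = inlen + 1;
    return DEC_OK;
}

enum alloc_policy { ALLOC_OBJLEN_MINUS_1, ALLOC_OBJLEN_PLUS_1 };

/* Stand-in for the allocating branch of asn1_decode_entry(). */
static int decode_entry_alloc(const uint8_t *obj, size_t objlen,
                              enum alloc_policy policy,
                              uint8_t **out, size_t *outlen)
{
    size_t size;
    int r;

    *out = NULL;
    *outlen = 0;
    if (policy == ALLOC_OBJLEN_MINUS_1) {
        if (objlen == 0)         /* objlen - 1 would wrap to SIZE_MAX */
            return DEC_OUT_OF_MEMORY;
        size = objlen - 1;
    } else {
        if (objlen == SIZE_MAX)  /* objlen + 1 would wrap to 0 */
            return DEC_OUT_OF_MEMORY;
        size = objlen + 1;
    }
    *out = malloc(size ? size : 1);
    if (*out == NULL)
        return DEC_OUT_OF_MEMORY;
    *outlen = size;
    r = decode_utf8string(obj, objlen, *out, outlen);
    if (r != DEC_OK) {           /* do not hand back a half-filled buffer */
        free(*out);
        *out = NULL;
        *outlen = 0;
    }
    return r;
}

int main(void)
{
    const uint8_t value[] = { 'A', 'K', 'I', 'S' };   /* constructed sample */
    uint8_t *s = NULL;
    size_t n = 0;

    printf("objlen - 1: %d\n",
           decode_entry_alloc(value, sizeof value, ALLOC_OBJLEN_MINUS_1, &s, &n));
    printf("objlen + 1: %d\n",
           decode_entry_alloc(value, sizeof value, ALLOC_OBJLEN_PLUS_1, &s, &n));
    if (s != NULL)
        printf("decoded \"%s\" (%zu bytes with NUL)\n", (char *)s, n);
    free(s);
    return 0;
}
```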
Re: [opensc-devel] Encryption with NetKey
On Wednesday 18 July 2007 11:10:30 Dmitry wrote:
> Andreas Jellinghaus dungeon.inka.de> writes:
> > you got it to work? great! I once got the binary on the web page to
> > work, but every time I compiled it myself (and got it signed by
> > microsoft), it didn't work. did you compile it yourself? can you share
> > the code?
>
> Sorry, it is pkcscsp2. First I used csp11, but unsuccessful. Now I use
> pkcscsp2.

sorry, still confused. I know csp11 and pkcscsp, but what is pkcscsp2?
google doesn't find it. is the source still open source? is it available
for download somewhere? can I recompile it myself and ship it signed
by microsoft with opensc?

> I need asymmetric encrypt through standard Windows CSP, and decrypt through
> OpenSc, it is possible?
>
> I just want hear, what I'm moving in right direction.

I think yes. OpenSC is meant to offer only what the card offers.
All other function should be implemented by the host PC and use
the operating system functions.

Regards, Andreas
Re: [opensc-devel] Encryption with NetKey
On Wed, Jul 18, 2007 at 10:43:21AM -0500, Douglas E. Engert wrote:
> > If you can use OpenSC in your application why not use only OpenSC?
> >
> > If you must use CryptoApi then OpenSC can't help.
>
> I disagree...
> IdAlly has a CSP that can call PKCS#11/OpenSC and is usable for
> login...
> http://www.identityalliance.com/identity_ally.php
>
> The OpenSC project has some other CSP code but it need some work

Agreed completely. OpenSC can be used to supply the CryptoApi but I
meant calling the OpenSC API directly.

> so you might be able to do both.

Technically sure but I don't see the point if CryptoApi is a
requirement and it offers all necessary functionality.

If it doesn't however, directly calling OpenSC would be useful. But
in that case, why not do away with CryptoApi completely?


//Peter
Re: [opensc-devel] Issue in Certificate logon in XP
Yes,
Winlogon process calls IDAlly CSP which calls
opensc-pkcs11 module.

--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> kamal kumar wrote:
>> Hi,
>> Yes, Two processes are calling opensc-pkcs11 module.
>> And C_Finalize is called by IdAlly.exe process.
>>
>> Since Winlogon process is not calling C_Finalize
>
> But the Winlogin process calls the Id Ally CSP, that
> calls the PKCS#11, correct?
>
>> and
>> closing all P11 session (P11 session 1, 2 are still
>> opened), opensc-pkcs11 module keeps the pc/sc
>> connection established by sc_connect_card function.
>>
>> I think we need to investigate more thoroughly on this
>> issue.
>>
>> Regards,
>> Kamal.
>>
>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>
>>> kamal kumar wrote:
>>>> Hi,
>>>> I slightly differ from Douglas assessments. C_Finalize
>>>> is not called by winlogon process. It is called by
>>>> IDAlly.exe when we login.
>>>
>>> So are you saying that there are two processes calling
>>> opensc_pkcs11.dll, the winlogin(via the IdAlly CSP)
>>> and IdAlly.exe?
>>>
>>> Is this some issue with DLLs vs Unix shared libs, and
>>> the use of things like:
>>>    extern struct sc_context *context;
>>> in src/pkcs11/sc_pkcs11.h
>>>
>>>> I think we have to follow
>>>> the number specified in the log entry of
>>>> pkcs11-spy.dll.
>>>>
>>>> If you compare the C_OpenSession log of the Winlogon
>>>> process occurring after C_Finalize called by IDAlly.exe
>>>> and compare it corresponding log entry in the
>>>> opensc-debug.log file, you can find that for this
>>>> C_OpenSession function, it is not creating new pc/sc
>>>> session as expected. But using old PC/SC session.
>>>>
>>>> opensc-pkcs#11 does not close all the pc/sc session,
>>>> because not all the session opened by CSP are closed.
>>>> From the pkcs11-spy log, it is not closing session 1,
>>>> 2.
>>>>
>>>> Can you please verify the log again and give your
>>>> opinion.
>>>>
>>>> Regards,
>>>> Kamal.
>>>>
>>>> --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Corcoran David wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is this an issue from the CSP -> OpenSC PKCS#11 module ?
>>>>>
>>>>> Yes, looks like the CSP calls C_Finalize after the card is removed.
>>>>> then when a card is inserted, it does not call C_Initialize
>>>>> but calls C_OpenSession. I suspect the problem is in that handles
>>>>> the call when a card is removed, not setting some state variable to
>>>>> indicate that C_Initialize needs to be called again.
>>>>>
>>>>>> We are in the process of making updates so it might be a good time
>>>>>> for us to address this (if it is not already)
>>>>>
>>>>> Yes, good time. If you have any thing to test, let me know.
>>>>>
>>>>>> You should be able to work around this in a shim pkcs#11 module like
>>>>>> pkcs11spy by abstracting C_OpenSession and determining if the P11 module
>>>>>> was already closed down and calling C_Initialize again before passing
>>>>>> C_OpenSession through.
>>>>>
>>>>> I am trying to avoid having to write any additional shims or hacks,
>>>>> especially if you are looking at the code.
>>>>>
>>>>> The current work around is for the user to try again, but this may only work
>>>>> if it is the same card. (I have not tried using a card for a different user.)
>>>>>
>>>>> We are still doing pilots, and PIV cards will not be generally available
>>>>> until at least October. I hope by then hopefully you have a new version of IdAlly.
>>>>>
>>>>>> Thanks,
>>>>>> Dave
>>>>>>
>>>>>> On Jul 13, 2007, at 4:39 PM, Douglas E. Engert wrote:
>>>>>>> More info on this. I think it is an ID Ally bug.
>>>>>>>
>>>>>>> Looking at spy and opensc debug logs, It looks like
>>>>>>> the CSP is called when a card is removed sounds reasonable.
>>>>>>> The Id Ally does C_Initialize, C_GetSlotList,
>>>>>>> a loop over the 8 slots for C_GetSlotInfo
>>>>>>> then a C_Finalize.
>>>>>>>
>>>>>>> I then logged off and try to login again.
>>>>>>>
>>>>>>> Rather than another C_Initialize as would be expected
>>>>>>> since C_Finalize was called last, Id Ally does a C_OpenSession.
>>>>>>>
>>>>>>> The way I read PKCS#11 2.01 under C_Finalize it says:
>>>>>>> "C_Finalize is called to indicate that an application is finished
>>>>>>> with the Cryptoki library."
>>>>>>> If IdAlly wants to use the library again, it should call C_Initialize.
>>>>>>>
>>>>>>> IdAlly tries some other things, and gets back in sync so the next
>>>>>>> login works.
>>>>>>>
>>>>>>> But I would also think OpenSC should give an error if the C_OpenSession
>>>>>>> is called and C_Initialize has