Change to CAC/PIV II regression? #1458
Comments
What's the output of @Jakuje, can you confirm this problem? |
My apologies, I should have realized that, without
|
could you paste the output of |
https://gist.github.com/enckse/ccb04a38911b777d68f5586ad228aebf stdout was still:
|
It looks like this is a dual PIV/CAC card and there was something changed in the PIV driver detection with the merge of the fixes from fuzzing. The cards I have access to (quite older pieces) are now detected as CAC even though there is supposed to be PIV endpoint (at least I think they were detected as PIV), which has a precedence for the recognition. This sounds like opposite issue Could you try to use |
Yes, I will do that and let you know what I find |
Do you have an opensc-debug.log from when it was working? Did you have any changes in the previous opensc.conf? |
@dengert - not currently but I could rollback and produce one. I made no changes to my config between this working and not working. I was able to do some minor testing:
build errors appeared to be:
I can provide more specifics if/as needed later |
If you run |
If I |
If I checkout 8fe377e and |
I think he may need #1454 that was merged today. But I would still like to see an opensc-debug.log and the opensc.conf file when it did work as a CAC card. In the opensc-debug.log it looks like it thinks it is a PIV, and the SELECT AID is formatted a little different. |
Could also be: 3e5a9a4 |
@dengert I can reproduce, I will try and get you debug logs from before/after tomorrow. just, again for reference, my
|
Compiled latest and it does appear fixed. @dengert you said you would still like logs, which I can provide. Do you want working before regression logs + regression logs + after fix of regression logs (3 logs)? |
Was the above with It looks like your card is a Dual CAC/PIV card, so either driver can be used. But they see different certs and maybe PINS. So the user has to tell OpenSC which driver they want to use. Without specifying which order to try So there may be a few things going on: There is some old code in card-piv.c dating back to 2006, that does not look correct, but has not |
The above gist was without specifying card driver when things were not working properly. Perhaps I am misreading but from what you are saying: my config did not change between when it was working a few days ago and when it stopped working after getting the latest build this morning (I have my config git controlled as well) which would, to me, imply that opensc changed how it dealt with my mostly empty config that I've posted previously. When I run everything is working, this is the report I get from
|
From what we have so far, 8fe377e introduced a problem, which was fixed by 3631b2d in #1454. The problem caused the PIV driver to not be able some objects for the card. What was confusing was you referred to your card as a CAC card, which usually means you want to use the CAC driver and it was using the CAC driver in the past. But your card is a dual CAC/PIV. So it may have been working for you in the past using the PIV driver. Is this correct? I was under the impression that previously the CAC driver was being selected and somehow the many changes caused the PIV driver to be selected. It now sounds like nothing has changed in selection of drivers and PIV was selected all along and things are back to normal. |
Yes, as far as I'm aware it was using the PIV driver (it would be a dual PIV/CAC), stopped (my workaround was to tell it to use CAC), and then after the fix has started working without issue. Sorry if I caused any confusion previously (hopefully I don't introduce more). I mainly opened this ticket because I experienced the regression for more than "1 build" and more than "1 day" (I use nightly builds of opensc) and wanted to make sure that this was either a known change or that it had eyes on it if it was an issue. At this point: is there value in investigating this further? I will assist however I can if it should move forward, at the same point if we don't want to chase a solved problem, that is understandable as well. |
This issue can be closed. |
Thanks for the help everyone |
Problem Description
I'm using opensc-git (archlinux) which is going to be updated whenever there are commits. Between about August 10th (last working build) and August 22nd, I've noticed (what I consider to be) a regression. My CAC card now requires me to enumerate explicitly to use
card_drivers = cac;
in my opensc.conf
whereas before it did not. Before I changed this I noticed the prompt in firefox had switched from prompting about the PIN for my card's 'signature' (e.g. LAST.FIRST.M.ID...) to just a generic 'PIV_II' request. Firefox would prompt once and not proceed (no more prompts, no cert selection, etc.)
Namely: Has a recent commit (last week or 2) prompted a change that would require me to enumerate the
cac
driver specifically?
Info (for reference)
This is my config file, the
card_drivers
is obviously new, everything "just worked" before:
Proposed Resolution
I was able to fix this by using
card_drivers = cac;
as mentioned above
Steps to reproduce
I can reliably reproduce this, I don't know if this is CAC specific or not. If there is a change or any code changes that need to be tested, I am happy to test them (if this is an issue).
Logs
I can provide logs based on analysis of someone with more insight as to whether this is an actual regression or expected change in behavior