
CertPropSvc installs certificates that have been on smart card previously and have been removed now. #524

Closed
ROZOH opened this issue Aug 19, 2015 · 6 comments

ROZOH commented Aug 19, 2015

Hi,
I have a smart card with 2 certificates. By following the scenario below, I see certificates that are no longer on the smart card.
Scenario:

  • Attach the smart card. certprop adds the certificates to the cert store (personal).
  • Delete the certificates via a PKCS#11 application and import new certs.
  • Delete the personal store. Detach and attach the smart card again.
  • The old certificates are displayed in the cert store.

It seems the cache file is not updated. How can I disable the cache in the minidriver for a temporary test?

Also, I made two smart cards with the same serial number for a test. The same scenario occurred for them.

  • Attach the first. Its certificates are installed in the cert store.
  • Detach the first, delete the store.
  • Attach the second smart card. The certificates of the first are displayed in the personal store.

So, this is a cache problem. How can I resolve it?

@ROZOH ROZOH changed the title CertPropSvc installs certificates that have been on smart card previously and has been removed now. CertPropSvc installs certificates that have been on smart card previously and have been removed now. Aug 19, 2015
@dengert
Member

dengert commented Aug 19, 2015

On 8/19/2015 1:56 AM, ROZOH wrote:

> Hi,
> I have a smart card with 2 certificates. By following the scenario below, I see certificates that are no longer on the smart card.
> Scenario:
>
>   • Attach the smart card. certprop adds the certificates to the cert store (personal).
>   • Delete the certificates via a PKCS#11 application and import new certs.
>   • Delete the personal store. Detach and attach the smart card again.
>   • The old certificates are displayed in the cert store.

Could be the certs are not actually deleted. Doing some tests with pkcs11-tool on a unix system
would show this. A spy or opensc debug log would also help.

Does the personal store actually get deleted?
Can you try the card with the "deleted certificates" on a different machine that never had
the "deleted certificates"? This could differentiate between a cache problem and a pkcs11 delete problem.

> It seems the cache file is not updated. How can I disable the cache in the minidriver for a temporary test?

Which cache?
Look at the opensc.conf file in the framework pkcs15 { section and see if it is on or not.
It should be off, but two cards, actalis and infocamere, appear to turn it on!
Grep for use_file_cache.

On Windows it defaults to %USERPROFILE%\eid-cache. See ctx.c.

> Also, I made two smart cards with the same serial number for a test. The same scenario occurred for them.
>
>   • Attach the first. Its certificates are installed in the cert store.
>   • Detach the first, delete the store.
>   • Attach the second smart card. The certificates of the first are displayed in the personal store.
>
> So, this is a cache problem. How can I resolve it?

Douglas E. Engert
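As an added example (not OpenSC's own code and not posted by anyone in this thread), here is a small Python script that does what the comment above suggests: it parses the brace-delimited opensc.conf syntax, looks up use_file_cache in the framework pkcs15 block, and checks whether a card_atr block matching the inserted card's ATR flips it back on. The embedded sample config and its ATR are constructed for the example. The assumptions are that a use_file_cache setting inside a card_atr block overrides the framework default for that card and that ATRs match byte-for-byte (no mask support); both are simplifications of OpenSC's real lookup.

```python
"""Report whether OpenSC's PKCS#15 file cache (use_file_cache) is on.

Added example, not OpenSC code. Parses opensc.conf syntax: blocks
`name [arg] { ... }`, assignments `key = value;`, `#` comments.
Assumption: a use_file_cache inside a card_atr block overrides the
framework-level value for that card; ATRs are compared byte-for-byte.
"""
import re
import sys
from dataclasses import dataclass, field

# Tokens: whitespace and '#' comments are unnamed groups and get skipped.
_TOKEN_RE = re.compile(r'''
    \s+ | \#[^\n]* |
    (?P<brace>[{}]) | (?P<eq>=) | (?P<semi>;) | (?P<comma>,) |
    (?P<str>"(?:[^"\\]|\\.)*") |
    (?P<word>[^\s{}=;,"\#]+)
''', re.VERBOSE)

# Values that turn the cache on. "public" (cache only public objects) is
# accepted by newer OpenSC releases and still writes cache files.
_ON_VALUES = {"true", "yes", "on", "1", "public"}


@dataclass
class Block:
    name: str
    args: list
    values: dict = field(default_factory=dict)   # key -> [value, ...]
    blocks: list = field(default_factory=list)   # nested Block objects


def _tokenize(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.lastgroup is None:          # whitespace or comment
            continue
        val = m.group(m.lastgroup)
        yield m.lastgroup, val[1:-1] if m.lastgroup == "str" else val


def parse_opensc_conf(text):
    """Parse opensc.conf text into a tree rooted at an anonymous Block."""
    root = Block("", [])
    stack, words = [root], []
    tokens = _tokenize(text)
    for kind, val in tokens:
        if kind in ("word", "str"):
            words.append(val)
        elif kind == "brace" and val == "{":
            if not words:
                raise ValueError("block without a name")
            blk = Block(words[0], words[1:])
            stack[-1].blocks.append(blk)
            stack.append(blk)
            words = []
        elif kind == "brace":                        # "}"
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif kind == "eq":
            key, values = " ".join(words), []
            for k2, v2 in tokens:                    # consume up to ';'
                if k2 == "semi":
                    break
                if k2 in ("word", "str"):
                    values.append(v2)
            else:
                raise ValueError(f"assignment to {key!r} not terminated by ';'")
            stack[-1].values.setdefault(key, []).extend(values)
            words = []
        elif kind == "semi":
            words = []
    if len(stack) != 1:
        raise ValueError(f"unclosed block {stack[-1].name!r}")
    return root


def find_blocks(block, name, arg=None):
    """Depth-first list of nested blocks called `name` (optionally with first arg `arg`)."""
    found = []
    for b in block.blocks:
        if b.name == name and (arg is None or (b.args and b.args[0].lower() == arg.lower())):
            found.append(b)
        found.extend(find_blocks(b, name, arg))
    return found


def _norm_atr(atr):
    return re.sub(r"[^0-9a-f]", "", atr.lower())


def use_file_cache(config, atr=None):
    """Return (enabled, source): the effective use_file_cache and which block set it."""
    enabled, source = False, "default (off)"
    for fw in find_blocks(config, "framework", "pkcs15"):
        if "use_file_cache" in fw.values:
            enabled = fw.values["use_file_cache"][-1].lower() in _ON_VALUES
            source = "framework pkcs15"
    if atr is not None:                              # assumed card-level override
        for cb in find_blocks(config, "card_atr"):
            if cb.args and _norm_atr(cb.args[0]) == _norm_atr(atr) and "use_file_cache" in cb.values:
                enabled = cb.values["use_file_cache"][-1].lower() in _ON_VALUES
                source = f"card_atr {cb.args[0]}"
    return enabled, source


# Constructed sample: the framework turns the cache off, but a card-specific
# block (made-up ATR, not a real card) turns it back on for that card.
SAMPLE_CONF = """
app default {
    framework pkcs15 {
        # Whether to use the cache files in the user's home directory.
        use_file_cache = false;
    }
    card_atr 3b:00:11:22:33 {
        name = "Constructed test card";
        use_file_cache = true;
    }
}
"""


def report(text, atr=None):
    enabled, source = use_file_cache(parse_opensc_conf(text), atr)
    return f"use_file_cache = {'on' if enabled else 'off'} (set by {source})"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(report(text, sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it against the real file (on a Windows install that is typically C:\Program Files\OpenSC Project\OpenSC\opensc.conf, path given as an assumption) with the ATR printed by `opensc-tool -a`. If it reports off and %USERPROFILE%\eid-cache contains no files, OpenSC is not holding the stale certificates and the cache must sit in a layer above the minidriver.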

@ROZOH
Author

ROZOH commented Aug 19, 2015

> Can you try the card with the "deleted certificates" on a different machine that never had
> the "deleted certificates"? This could differentiate between a cache problem and a pkcs11 delete problem.

The certificates are actually deleted. If I move the smart card to another machine or reboot the system, the deleted certificates are not displayed in PKCS#11 or in the personal store either, so I concluded it is possibly a cache problem in the minidriver.
The opensc log files show the delete operation is OK.

@dengert
Member

dengert commented Aug 19, 2015

Are there any files under %USERPROFILE%\eid-cache?
(That is one type of cache controlled by the opensc.conf.)

If you delete the certificates, remove the card, then log off and log back on,
does that fix the problem?
You said a reboot drops the cache.

(The Windows login processes may keep the minidriver loaded and cache the results.
Logoff should then drop the cache.)

Deleting certificates is not a normal user operation, and the PKCS#11 code and
the minidriver (and Microsoft code) do not talk to each other, so any change made via PKCS#11 is not
reflected in any cache that the minidriver (or Microsoft code) may be keeping.

You may want to look at these:

https://technet.microsoft.com/en-us/library/Ff404288(v=WS.10).aspx

https://technet.microsoft.com/en-us/library/ff404287(v=ws.10).aspx

CertPropEnabled

Douglas E. Engert

@frankmorgner
Member

OpenSC's internal caching in %USERPROFILE%\eid-cache is not activated by default, so this is a bug in one of the Windows layers on top of the OpenSC minidriver.

As @dengert pointed out, it's possible that the way you are using the tools is not expected by Microsoft.

If you still think this should (and can) be solved within OpenSC please re-open the issue and provide a log file.

@martinpaljak
Member

Also, having cards (or certificates) with identical serials is asking for trouble and unwanted side-effects.

@annu0412

The same is happening with me. When I am using the GIDS applet, Windows caches the old certificate or sometimes just gets stuck with one certificate even if I delete it manually from the cert manager.
I have checked that opensc caching is not enabled.
