pCardData->hScard is NULL! #536
If you use FireFox and use the opensc-pkcs11.dll as a security device, does the SSL login fail? On 8/30/2015 4:09 AM, ROZOH wrote:
Do you mean IE found a good certificate in the certificate store, but it cannot find the smartcard that should contain the matching key? Are you testing cards, and are updating the card(s) but not changing serial numbers, or not clearing out the certificate store? certutil.exe can be useful, as one of the options is to verify that the certificate matches the key on the card.
This could be a problem with the debug output, where logprintf uses 0x%08X to print the handle. On a 64-bit machine it may be a 64-bit pointer. What is windows x86? XP? W7 32bit? W8 32bit? Windows passes in the hScard handle used to contact PCSC. It may change the handle from time to time and the minidriver More of the minidriver log would help.
probably not. Google for CredentialUIBroker.exe
Douglas E. Engert [email protected] |
No, in these cases SSL Login is successful. Firefox uses pkcs11 dll for SSL.
Exactly.
No, There isn't any cache problem. I'm using one card. I reboot the system before a test so there isn't any cache problem.
The certutil -scinfo command has a successful result. The keys match the card.
I have a question. Will CardReadFile or CardAuthenticatePin fail if hScard is 0 or NULL? Generally, does SSL login fail if hScard is 0? |
Don't know. What I was saying about the logprintf used in the debug log is that it is only printing 4 bytes of hScard. If your question is based on seeing pCardData->hScard = 0x00000000 in the log, that may be misleading, because on a 64-bit machine I think hScard is actually 8 bytes. So it may not be zero at all. Do you have both the 64-bit and 32-bit versions of OpenSC installed on the 64-bit machine? I see on my W7 the certutil.exe runs as 64-bit, but taskmanager shows both 32- and 64-bit versions running. If you don't have the 32-bit OpenSC, iexplore.exe *32 may never see the smartcard. |
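As an added illustration of the log-format point made above (this is not code from OpenSC or from either poster): a 64-bit handle written with `0x%08X` shows only its low 32 bits, so a handle whose low half happens to be zero is logged as `0x00000000`. The `handle64_t` type and the sample value are constructed for the example and stand in for the real SCARDHANDLE.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled 64-bit handle (assumption: stands in for SCARDHANDLE on x64;
 * only the width matters here, no PC/SC call is made). */
typedef uint64_t handle64_t;

/* Mimics a log line written with "0x%08X": only the low 32 bits of the
 * handle reach the log, so it can read as zero when the handle is not. */
void fmt_handle_truncated(handle64_t h, char *out, size_t n)
{
    snprintf(out, n, "0x%08" PRIX32, (uint32_t)(h & 0xFFFFFFFFu));
}

/* Width-correct formatting: every bit of the handle is logged. */
void fmt_handle_full(handle64_t h, char *out, size_t n)
{
    snprintf(out, n, "0x%016" PRIX64, h);
}

/* The check the discussion asks for: is the handle actually NULL? */
int handle_is_null(handle64_t h)
{
    return h == 0;
}

/* 1 when the "%08X" log line would show a non-NULL handle as 0x00000000. */
int log_misreports_as_null(handle64_t h)
{
    char buf[32];
    fmt_handle_truncated(h, buf, sizeof buf);
    return !handle_is_null(h) && strcmp(buf, "0x00000000") == 0;
}

/* 1 when the width-correct line for h equals the expected text. */
int full_log_is(handle64_t h, const char *expect)
{
    char buf[32];
    fmt_handle_full(h, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}
```

With the constructed handle 0x0000000100000000 the truncated line reads `0x00000000` while the handle is not NULL; logging the full width removes the ambiguity.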
Yes, there are 32- and 64-bit versions of OpenSC on my system. |
Do you know which namespace IE uses to work with certificates? Is it "System.Security." or "Windows.Security."? |
Don't know the answer to your questions. Maybe other developers do? But these might be helpful. In regards to the title of this issue, I suggested that the hScard may not be NULL, because the printf format for the handle is wrong. If you want to get other developers to answer your questions, use the GitHub history and blame feature on minidriver.c. I no longer use the minidriver and have had a build environment since 2013. I have never run the minidriver on Windows 8. The last change I made to the minidriver was in 2011. This commit got the minidriver to work by using the handles passed to it and added the On 9/2/2015 12:38 AM, ROZOH wrote:
Douglas E. Engert [email protected] |
@vletoux Can you help me? |
I've added a specific check to assert that hSCard is not NULL. I think it is a display issue. If certutil -scinfo displays the certificate, that means that the minidriver is working perfectly. When you say "There is a mismatch between certificate and smart card in windows 8.1 in IE SSL.", you mean that you got a certutil -scinfo warning about that. Correct? Building a X509Certificate2 object means that you have basically a certificate WITHOUT its private key reference. It is normal that PrivateKey is null, because it is built automatically only when using a P12 file. You have to initialize this member yourself with an instance of the class RSACryptoServiceProvider prov. Then in the CSPParameter you have to provide the container name (the smart card slot) and the CSP name (with OpenSC, "OpenSC"). I already made a comment in a previous issue about that. Vincent |
IE is not using dotnet (X509Certificate2) but rather directly CryptoAPI 1 (and 2 ?). => certutil -scinfo is the best tool to debug login / IE issues related to smart cards |
Is CredentialUIBroker.exe the program used to collect the PIN for the minidriver when the policy "collect the PIN on a secure desktop" is active ? |
I don't know about CredentialUIBroker.exe; this program is displayed in the minidriver logs. Do you know about it? |
@vletoux
Can you help me more with this solution? certutil -scinfo is successful in detecting the smart card and certificates. Do you have a specific command for testing, or related to IE issues? |
Can you add a screenshot to your ticket? (I have to check the status of the buttons) |
Did you see my previous comment? The messages and the state of the buttons are specified there. |
And you didn't answer [When you say "There is a mismatch between certificate and smart card in windows 8.1 in IE SSL.", you mean that you got a certutil -scinfo warning about that. Correct?] |
certutil -scinfo is successful in detecting the smart card and certificates. Do you mean a specific result in the command line? SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040 CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040 There is a difference between the "Exclude leaf cert" and "Full chain" values in the 2 Windows versions. The last result line in Windows 7 is: "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)" |
You definitely do not have a public key matching problem, because you should have seen a message in certutil saying that the public key between the certificate and the smart card didn't match. It's hard to help you: Did you activate the "Prompt for credentials on the secure desktop" policy? |
@vletoux

```
Microsoft Windows Version 6.3.9600
2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>certutil -scinfo
Analyzing card in reader: SecCard Smart Card Reader 0
--------------===========================--------------
No AT_SIGNATURE key for reader: SecCard Smart Card Reader 0
Performing AT_KEYEXCHANGE public key matching test...
Performing cert chain verification...
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Exclude leaf cert: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped -- server offline
Done.
```
|
The error shown highlighted means that your computer can't connect to the CRL / OCSP server to check if the certificate has been revoked. It is not a problem when using IE. But are you really using OpenSC? |
This line was bolded by this site.
Yes, I'm using OpenSC version 12.0.2. If the OpenSC minidriver is not registered in the registry and not installed on the system, certutil -scinfo won't work. |
The latest version is 15.0. I'm sure you'll understand that I won't be able to help you until you upgrade to the latest version. |
OK, I have a question. Do you think there is a problem with the OpenSC version? Doesn't OpenSC's minidriver version 15.0 relate to the base CSP? |
I did a lot of work in fixing potential issues |
Hi.
I have a failed login in IE SSL on Windows 7 x64 and Windows 8.1 x64. IE detects the certificate but it does not match the attached smart card.
I'm checking the minidriver log file. There are two cases that are vague for me.
Is there any effect from this process on the failed SSL?