{5} Assigned, Active Tickets by Owner (Full Description) – SCA – Trac

#7

tokend caches certificates and does not detect updated certificates

component1

enhancement

major

02/06/07

Case:

You can update the certificates on Estonian eID cards if they expire.
After the update keychain access still displays and safari also uses the OLD certificates not present on the card any more.
It all starts to work if you delete /var/db/TokenCache/

Looking at the files that reside in that directory:

com.apple.tokend.opensc:GemSAFE00c0001a495e0e68
com.apple.tokend.opensc:ID-kaartX0000995
com.apple.tokend.opensc:ID-kaartA1323605

the cache filenames are derived from the UID generated by opensc.tokend
generation of the uid is not mandatory

This I propose this patch to opensc.tokend:

Index: OpenSCToken.cpp
===================================================================
--- OpenSCToken.cpp     (revision 93)
+++ OpenSCToken.cpp     (working copy)
@@ -289,13 +289,6 @@
                                                otdLog("  Default Score: %d\n", score);
                                        }
 
-                                       // Create a tokenUid
-                                       if (mScP15Card->label != NULL)
-                                               strlcpy(tokenUid, mScP15Card->label, TOKEND_MAX_UID);
-                                       if (mScP15Card->serial_number != NULL)
-                                               strlcpy(tokenUid + strlen(tokenUid), mScP15Card->serial_number,
-                                                       TOKEND_MAX_UID - strlen(tokenUid));
-
                                        otdLog("    score = %d, tokenUid = \"%s\"\n", score, tokenUid);
                                }
                        }

This way the UID is generated by tokend framework itself and we probably don't get the problem.
I assume the UID is either random or derived from actual certificates read from the card - uniq if certificate contents have changed
we could also compute some checksum for the certs ourselves but that might be redundant.

Context Navigation

{5} Assigned, Active Tickets by Owner (Full Description) (1 matches)

martin (1 match)

Download in other formats:

Ticket	Summary	Component	Type	Severity	Created
Description
#7	tokend caches certificates and does not detect updated certificates	component1	enhancement	major	02/06/07
Case: You can update the certificates on Estonian eID cards if they expire. After the update keychain access still displays and safari also uses the OLD certificates not present on the card any more. It all starts to work if you delete /var/db/TokenCache/ Looking at the files that reside in that directory: com.apple.tokend.opensc:GemSAFE00c0001a495e0e68 com.apple.tokend.opensc:ID-kaartX0000995 com.apple.tokend.opensc:ID-kaartA1323605 the cache filenames are derived from the UID generated by opensc.tokend generation of the uid is not mandatory This I propose this patch to opensc.tokend: Index: OpenSCToken.cpp =================================================================== --- OpenSCToken.cpp (revision 93) +++ OpenSCToken.cpp (working copy) @@ -289,13 +289,6 @@ otdLog(" Default Score: %d\n", score); } - // Create a tokenUid - if (mScP15Card->label != NULL) - strlcpy(tokenUid, mScP15Card->label, TOKEND_MAX_UID); - if (mScP15Card->serial_number != NULL) - strlcpy(tokenUid + strlen(tokenUid), mScP15Card->serial_number, - TOKEND_MAX_UID - strlen(tokenUid)); - otdLog(" score = %d, tokenUid = \"%s\"\n", score, tokenUid); } } This way the UID is generated by tokend framework itself and we probably don't get the problem. I assume the UID is either random or derived from actual certificates read from the card - uniq if certificate contents have changed we could also compute some checksum for the certs ourselves but that might be redundant.