Case:
- You can update the certificates on Estonian eID cards if they expire.
- After the update Keychain Access still displays and Safari also uses the OLD certificates not present on the card any more.
- It all starts to work if you delete /var/db/TokenCache/
- Looking at the files that reside in that directory:
com.apple.tokend.opensc:GemSAFE00c0001a495e0e68
com.apple.tokend.opensc:ID-kaartX0000995
com.apple.tokend.opensc:ID-kaartA1323605
- the cache filenames are derived from the UID generated by opensc.tokend
- generation of the uid is not mandatory
- Thus I propose this patch to opensc.tokend:
Index: OpenSCToken.cpp
===================================================================
--- OpenSCToken.cpp (revision 93)
+++ OpenSCToken.cpp (working copy)
@@ -289,13 +289,6 @@
otdLog(" Default Score: %d\n", score);
}
- // Create a tokenUid
- if (mScP15Card->label != NULL)
- strlcpy(tokenUid, mScP15Card->label, TOKEND_MAX_UID);
- if (mScP15Card->serial_number != NULL)
- strlcpy(tokenUid + strlen(tokenUid), mScP15Card->serial_number,
- TOKEND_MAX_UID - strlen(tokenUid));
-
otdLog(" score = %d, tokenUid = \"%s\"\n", score, tokenUid);
}
}
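Review bot: the context line `otdLog(" score = %d, tokenUid = \"%s\"\n", score, tokenUid);` still prints tokenUid after the only writes to it in this region (the two strlcpy calls) are removed, so unless the buffer is zero-initialized before line 289 the log reads an uninitialized buffer; either set `tokenUid[0] = '\0';` where the buffer is declared or drop the tokenUid part of that log line. The post also only assumes that the framework derives a UID when tokend leaves it empty; the commit message should state that this was verified, and should record the reason for the change, namely that a UID built from label + serial_number is stable across certificate renewal and so keeps matching stale entries in /var/db/TokenCache/.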
- This way the UID is generated by tokend framework itself and we probably don't get the problem.
- I assume the UID is either random or derived from actual certificates read from the card - unique if certificate contents have changed
- we could also compute some checksum for the certs ourselves but that might be redundant.
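As an added illustration of the cache-key problem and of the "checksum of the certs" alternative mentioned above (example code, not opensc.tokend's own): the old scheme keys the cache on label + serial number, which does not change when certificates are renewed, while a UID derived from the certificate bytes does. MAX_UID stands in for tokend's TOKEND_MAX_UID and the FNV-1a hash stands in for a real digest such as SHA-256; both are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_UID 64 /* assumed stand-in for TOKEND_MAX_UID */

/* FNV-1a 64-bit; a real implementation would use SHA-256 (e.g. CommonCrypto),
 * this keeps the example free of library dependencies. */
static uint64_t fnv1a_update(uint64_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Pre-patch scheme: label + serial_number. Stable across certificate renewal,
 * so a TokenCache entry named after it keeps being reused for renewed cards. */
int label_serial_uid(const char *label, const char *serial, char *uid, size_t cap) {
    int n = snprintf(uid, cap, "%s%s", label ? label : "", serial ? serial : "");
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Alternative: hash the length-prefixed certificate contents read from the
 * card, so any change in a certificate yields a different cache key. */
int cert_based_uid(const unsigned char *const certs[], const size_t lens[],
                   size_t count, char *uid, size_t cap) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < count; i++) {
        uint64_t len = lens[i];
        h = fnv1a_update(h, (const unsigned char *)&len, sizeof len);
        h = fnv1a_update(h, certs[i], lens[i]);
    }
    int n = snprintf(uid, cap, "certs-%016llx", (unsigned long long)h);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1; /* -1 on truncation */
}

int main(void) {
    /* Constructed sample certificate bytes: same card, renewed certificate. */
    static const unsigned char old_cert[] = {0x30, 0x82, 0x01, 0x0a, 'o', 'l', 'd'};
    static const unsigned char new_cert[] = {0x30, 0x82, 0x01, 0x0a, 'n', 'e', 'w'};
    const unsigned char *old_set[] = {old_cert}, *new_set[] = {new_cert};
    size_t old_len[] = {sizeof old_cert}, new_len[] = {sizeof new_cert};
    char a[MAX_UID], b[MAX_UID];

    label_serial_uid("ID-kaart", "A1323605", a, sizeof a);
    label_serial_uid("ID-kaart", "A1323605", b, sizeof b);
    printf("label+serial before/after renewal: %s / %s\n", a, b);
    cert_based_uid(old_set, old_len, 1, a, sizeof a);
    cert_based_uid(new_set, new_len, 1, b, sizeof b);
    printf("cert-based before/after renewal:   %s / %s\n", a, b);
    return 0;
}
```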