Ticket #7 (assigned enhancement)
tokend caches certificates and does not detect updated certificates
| Reported by: | martin | Owned by: | martin |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | component1 | Version: | |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
Case:
- You can update the certificates on Estonian eID cards if they expire.
- After the update, Keychain Access still displays, and Safari still uses, the OLD certificates, which are no longer present on the card.
- It all starts to work if you delete /var/db/TokenCache/
- Looking at the files that reside in that directory:
com.apple.tokend.opensc:GemSAFE00c0001a495e0e68 com.apple.tokend.opensc:ID-kaartX0000995 com.apple.tokend.opensc:ID-kaartA1323605
- The cache filenames are derived from the UID generated by opensc.tokend.
- Generation of the UID is not mandatory.
- Thus I propose this patch to opensc.tokend:
Index: OpenSCToken.cpp =================================================================== --- OpenSCToken.cpp (revision 93) +++ OpenSCToken.cpp (working copy) @@ -289,13 +289,6 @@ otdLog(" Default Score: %d\n", score); } - // Create a tokenUid - if (mScP15Card->label != NULL) - strlcpy(tokenUid, mScP15Card->label, TOKEND_MAX_UID); - if (mScP15Card->serial_number != NULL) - strlcpy(tokenUid + strlen(tokenUid), mScP15Card->serial_number, - TOKEND_MAX_UID - strlen(tokenUid)); - otdLog(" score = %d, tokenUid = \"%s\"\n", score, tokenUid); } } - This way the UID is generated by tokend framework itself and we probably don't get the problem.
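Review bot: the hunk deletes the entire tokenUid derivation (label followed by serial_number, plus the otdLog that printed it) without replacing it, so the fix now rests on whatever the tokend framework does when a token leaves tokenUid unset, and that fallback is not visible here; please confirm whether the framework's UID is random or derived from the card contents before merging, because a fallback that is just as stable across certificate renewal as label + serial_number would reproduce the stale /var/db/TokenCache/ entries this ticket describes. If the framework's value is not content-derived, the alternative raised in the ticket, folding a digest of the certificates read from the card into tokenUid alongside label and serial_number, addresses the root cause (the cache key does not change when certificates are renewed) while keeping the bounded strlcpy construction, and the commit message should state which of the two behaviours the change relies on.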
- I assume the UID is either random or derived from the actual certificates read from the card, i.e. unique if the certificate contents have changed.
- We could also compute some checksum for the certs ourselves, but that might be redundant.
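The checksum idea from the last bullet, as an added example that is not part of the ticket or of opensc.tokend: it rebuilds the label + serial_number key that the patch deletes and appends a fingerprint of the certificates read from the card, so renewing a certificate changes the cache key while an unchanged card keeps it. The label, serial and certificate bytes are constructed, the value of TOKEND_MAX_UID is assumed, and FNV-1a stands in for a real digest such as SHA-256.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEND_MAX_UID 128  /* assumed; the real value comes from the tokend headers */

/* One certificate as read from the card: DER bytes and their length. */
struct cert_blob { const unsigned char *der; size_t len; };

/* 64-bit FNV-1a over all certificate bytes. Placeholder for a real digest such as
 * SHA-256 (CommonCrypto's CC_SHA256 on macOS): the point is only that the value
 * changes whenever the certificate contents on the card change. */
uint64_t certs_fingerprint(const struct cert_blob *certs, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;          /* FNV offset basis */
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < certs[i].len; j++) {
            h ^= certs[i].der[j];
            h *= 0x100000001b3ULL;               /* FNV prime */
        }
    return h;
}

/* Same label + serial_number key as the code the patch deletes, followed by the
 * certificate fingerprint. Returns the key length, or -1 if it does not fit. */
int build_token_uid(char *out, const char *label, const char *serial,
                    const struct cert_blob *certs, size_t n) {
    unsigned long long fp = certs_fingerprint(certs, n);
    int w = snprintf(out, TOKEND_MAX_UID, "%s%s-%016llx",
                     label ? label : "", serial ? serial : "", fp);
    return (w < 0 || w >= TOKEND_MAX_UID) ? -1 : w;
}

int main(void) {
    /* Constructed stand-ins for the card's certificate before and after renewal;
     * "ID-kaart" / "X0000995" mirror the cache filename quoted in the ticket. */
    const unsigned char old_cert[] = {0x30, 0x82, 0x01, 0x00, 0x01};
    const unsigned char new_cert[] = {0x30, 0x82, 0x01, 0x00, 0x02};
    struct cert_blob before = {old_cert, sizeof old_cert};
    struct cert_blob after = {new_cert, sizeof new_cert};
    char uid_before[TOKEND_MAX_UID], uid_after[TOKEND_MAX_UID];
    build_token_uid(uid_before, "ID-kaart", "X0000995", &before, 1);
    build_token_uid(uid_after, "ID-kaart", "X0000995", &after, 1);
    printf("before renewal: %s\nafter renewal:  %s\n", uid_before, uid_after);
    return 0;
}
```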
