Context Navigation

← Previous Ticket
Back to Query
Next Ticket →

NB! This project is outdated and unmaintained, please refer to the OpenSC MacInstaller instead!

Ticket #7 (assigned enhancement)

Opened 5 years ago

Last modified 5 years ago

tokend caches certificates and does not detect updated certificates

Reported by:	martin	Owned by:	martin
Priority:	normal	Milestone:
Component:	component1	Version:
Severity:	major	Keywords:
Cc:

Description

Case:

You can update the certificates on Estonian eID cards if they expire.
After the update keychain access still displays and safari also uses the OLD certificates not present on the card any more.
It all starts to work if you delete /var/db/TokenCache/

Looking at the files that reside in that directory:

com.apple.tokend.opensc:GemSAFE00c0001a495e0e68
com.apple.tokend.opensc:ID-kaartX0000995
com.apple.tokend.opensc:ID-kaartA1323605

the cache filenames are derived from the UID generated by opensc.tokend
generation of the uid is not mandatory

This I propose this patch to opensc.tokend:

Index: OpenSCToken.cpp
===================================================================
--- OpenSCToken.cpp     (revision 93)
+++ OpenSCToken.cpp     (working copy)
@@ -289,13 +289,6 @@
                                                otdLog("  Default Score: %d\n", score);
                                        }
 
-                                       // Create a tokenUid
-                                       if (mScP15Card->label != NULL)
-                                               strlcpy(tokenUid, mScP15Card->label, TOKEND_MAX_UID);
-                                       if (mScP15Card->serial_number != NULL)
-                                               strlcpy(tokenUid + strlen(tokenUid), mScP15Card->serial_number,
-                                                       TOKEND_MAX_UID - strlen(tokenUid));
-
                                        otdLog("    score = %d, tokenUid = \"%s\"\n", score, tokenUid);
                                }
                        }

This way the UID is generated by tokend framework itself and we probably don't get the problem.
I assume the UID is either random or derived from actual certificates read from the card - uniq if certificate contents have changed
we could also compute some checksum for the certs ourselves but that might be redundant.

Change History

comment:1 Changed 5 years ago by martin

Owner changed from somebody to martin
Status changed from new to assigned

See http://www.army.mil/ako/info/guides/CACconfig/setup/page3.html for the similar problem description and solution.

The strategy of not calculating an UID at all works - though it might take slightly longer before a token becomes usable after insertion.

Note: See TracTickets for help on using tickets.

Download in other formats: