Hello, at the moment I have patched pkcs11_lib.c for the first problem, but I must look at the side effects of this patch. For the other problems I must go deeper into the source code and do some more debugging. I will take a look at it in the next weeks. I hope I find a solution by March ...
Greetings, Gabriel

On 17.02.2016 at 22:21, Ludovic Rousseau wrote:
> On 15/02/2016 18:14, Gabriel Sailer wrote:
>> Package: libpam-pkcs11
>> Version: 0.6.8-4
>> Severity: normal
>>
>> On my PKI card are six certificates:
>>
>> DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: be
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: df
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 3b
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 39
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 7b
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 62
>> DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token
>>
>> Some of them are for email en-/decryption and one is for authentication (see
>> below).
>> Some of the certificates are expired, but are needed to read older encrypted
>> emails.
>>
>> The problem is now that pam_pkcs11.c returned an error after validating the
>> first certificate with 'certificate has expired':
>>
>> DEBUG:pam_pkcs11.c:551: verifying the certificate #1
>> verifying certificate
>> DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
>> DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
>> DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
>> ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid: certificate has expired
>> Error 2324: Certificate has expired
>> DEBUG:mapper_mgr.c:213: unloading mapper module list
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
>> DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
>> DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
>> DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
>> DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
>> DEBUG:pkcs11_lib.c:1443: logout user
>> DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
>> DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
>> Password:
>>
>> I think this is an error. Invalid certificates should be removed from the
>> certificate array and the validation process should check the next
>> certificate.
>>
>> The second problem in this case is that it seems not to be possible to select
>> the certificate with pattern matching on the 'object label', e.g.:
>>
>> Public Key Object; RSA 1024 bits
>> label: gabriel.sailer ENC 22
>> ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>> Usage: encrypt, verify, wrap
>> Public Key Object; RSA 2048 bits
>> label: gabriel.sailer AUT 10
>> ID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>> Usage: encrypt, verify, wrap
>> Public Key Object; RSA 2048 bits
>> label: gabriel.sailer ENC 11
>> ID: cccccccccccccccccccccccccccccccccccccccc
>> Usage: encrypt, verify, wrap
>> Public Key Object; RSA 2048 bits
>> label: gabriel.sailer ENC 21
>> ID: dddddddddddddddddddddddddddddddddddddddd
>> Usage: encrypt, verify, wrap
>> Public Key Object; RSA 1024 bits
>> label: gabriel.sailer ENC 23
>> ID: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
>> Usage: encrypt, verify, wrap
>> Public Key Object; RSA 2048 bits
>> label: gabriel.sailer ENC 24
>> ID: ffffffffffffffffffffffffffffffffffffffff
>> Usage: encrypt, verify, wrap
>> Secret Key Object; unknown key algorithm 21
>> label: Challenge/Response 3DES Key 01
>> ID: 43524b3031
>> Usage: verify
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer ENC 22
>> ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer AUT 10
>> ID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer ENC 11
>> ID: cccccccccccccccccccccccccccccccccccccccc
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer ENC 21
>> ID: dddddddddddddddddddddddddddddddddddddddd
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer ENC 23
>> ID: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
>> Certificate Object, type = X.509 cert
>> label: gabriel.sailer ENC 24
>> ID: ffffffffffffffffffffffffffffffffffffffff
>>
>> A pattern match with the string '.* AUT 10$' could select the right
>> certificate, even if there is more than one valid certificate on the PKI
>> card.
>>
>> There could also be a problem with the CRL list, if it is only accessible
>> via a user/password-protected proxy server. This could be the case if a part of the
>> company is outsourced and gets a new domain name.
>> Maybe it should be possible to allow ignoring the CRL *at their own risk*.
>
> Could you propose patches for these problems?
> That would really speed up the resolution.
>
> The best would be to provide a Pull Request for
> https://github.com/OpenSC/pam_pkcs11
>
> Thanks
>
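The behaviour the report asks for, selecting the candidate certificate by a regex on the object label and skipping a candidate that fails verification instead of aborting the login, as an added C example that is not pam_pkcs11's own code. The token_cert struct, cert_is_valid and the expiry timestamps are constructed stand-ins for the real X509 objects and the CA/CRL checks in cert_vfy.c.

```c
#include <regex.h>
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for one certificate read from the token (real code has an X509 *). */
typedef struct {
    const char *label;
    time_t not_after;   /* Unix timestamp of the certificate's notAfter */
} token_cert;

/* Hypothetical verify step: only the validity period; cert_vfy.c also does chain and CRL checks. */
static int cert_is_valid(const token_cert *c, time_t now) {
    return c->not_after > now;
}

/* Index of the first certificate whose label matches `pattern` (POSIX extended
 * regex, e.g. ".* AUT 10$") and that still verifies, or -1.  A candidate that
 * fails verification is skipped, which is the behaviour the bug report asks for. */
int select_certificate(const token_cert *certs, int ncerts,
                       const char *pattern, time_t now) {
    regex_t re;
    int found = -1;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;                                  /* bad pattern in config */
    for (int i = 0; i < ncerts; i++) {
        if (regexec(&re, certs[i].label, 0, NULL, 0) != 0)
            continue;                               /* label does not match */
        if (!cert_is_valid(&certs[i], now)) {
            fprintf(stderr, "skipping certificate #%d '%s': expired\n",
                    i + 1, certs[i].label);
            continue;                               /* try the next one */
        }
        found = i;
        break;
    }
    regfree(&re);
    return found;
}

/* Constructed sample with the six labels from the report; expiry dates are invented. */
static const time_t SAMPLE_NOW = 1455555555;        /* mid-February 2016 */
static const token_cert sample[6] = {
    { "gabriel.sailer ENC 22", 1400000000 },   /* expired */
    { "gabriel.sailer AUT 10", 1600000000 },   /* valid   */
    { "gabriel.sailer ENC 11", 1600000000 },   /* valid   */
    { "gabriel.sailer ENC 21", 1300000000 },   /* expired */
    { "gabriel.sailer ENC 23", 1400000000 },   /* expired */
    { "gabriel.sailer ENC 24", 1600000000 },   /* valid   */
};
```

With the report's pattern '.* AUT 10$' the authentication certificate is chosen; a pattern that first hits expired ENC certificates falls through to the next valid match rather than failing the way the quoted log shows.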

