Package: libpam-pkcs11
Version: 0.6.8-4
Severity: normal

There are six certificates on my PKI card:

DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: be
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: df
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 3b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 39
DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 7b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 62
DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token

Some of them are for email en-/decryption and one is for authentication (see below). Some of the certificates are expired, but they are needed to read older encrypted emails. The problem now is that pam_pkcs11.c returns an error after validating the first certificate with 'certificate has expired':

DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid: certificate has expired
Error 2324: Certificate has expired
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Password:

I think this is an error. Invalid certificates should be removed from the certificate array and the validation process should check the next certificate.

The second problem in this case is that it seems not to be possible to select the certificate with pattern matching on the 'object label', e.g.:

Public Key Object; RSA 1024 bits
  label:      gabriel.sailer ENC 22
  ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      gabriel.sailer AUT 10
  ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      gabriel.sailer ENC 11
  ID:         cccccccccccccccccccccccccccccccccccccccc
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      gabriel.sailer ENC 21
  ID:         dddddddddddddddddddddddddddddddddddddddd
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
  label:      gabriel.sailer ENC 23
  ID:         eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      gabriel.sailer ENC 24
  ID:         ffffffffffffffffffffffffffffffffffffffff
  Usage:      encrypt, verify, wrap
Secret Key Object; unknown key algorithm 21
  label:      Challenge/Response 3DES Key 01
  ID:         43524b3031
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 22
  ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Certificate Object, type = X.509 cert
  label:      gabriel.sailer AUT 10
  ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 11
  ID:         cccccccccccccccccccccccccccccccccccccccc
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 21
  ID:         dddddddddddddddddddddddddddddddddddddddd
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 23
  ID:         eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 24
  ID:         ffffffffffffffffffffffffffffffffffffffff

A pattern match with the string '.* AUT 10$' could select the right certificate, even if there is more than one valid certificate on the PKI card.

There could also be a problem with the CRL list if it is only accessible via a user/password-protected proxy server. This could happen if a part of the company is outsourced and gets a new domain name. Maybe it should be possible to allow ignoring the CRL *at one's own risk*.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-pkcs11 depends on:
ii  libc6          2.19-18+deb8u2
ii  libcurl3       7.38.0-4+deb8u3
ii  libldap-2.4-2  2.4.40+dfsg-1+deb8u2
ii  libpam0g       1.1.8-3.1+deb8u1+b1
ii  libpcsclite1   1.8.13-1
ii  libssl1.0.0    1.0.1k-3+deb8u2

libpam-pkcs11 recommends no packages.

libpam-pkcs11 suggests no packages.

-- no debconf information
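The two behaviours the report asks for (select a token certificate by a regex on its object label, and keep trying the next certificate when one fails verification instead of aborting) can be sketched outside of PAM. The following Python is an added example written for this page; it is not code from the bug report or from pam_pkcs11. It parses an object listing in the shape quoted above (the format printed by pkcs11-tool --list-objects), filters the X.509 certificate objects by a label regex such as '.* AUT 10$', and walks the candidates until one passes a caller-supplied verify function. The sample listing is constructed from the labels and placeholder IDs in the report, and the verify() stand-in that marks one ID as expired is an assumption used only to exercise the loop; in a real tool it would be an OpenSSL chain/CRL check.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample (not real token data): the shape of
# `pkcs11-tool --list-objects` output, using the labels and placeholder
# IDs quoted in the bug report above.
SAMPLE_LISTING = """\
Public Key Object; RSA 1024 bits
  label:      gabriel.sailer ENC 22
  ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      gabriel.sailer AUT 10
  ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  Usage:      encrypt, verify, wrap
Secret Key Object; unknown key algorithm 21
  label:      Challenge/Response 3DES Key 01
  ID:         43524b3031
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 22
  ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Certificate Object, type = X.509 cert
  label:      gabriel.sailer AUT 10
  ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Certificate Object, type = X.509 cert
  label:      gabriel.sailer ENC 11
  ID:         cccccccccccccccccccccccccccccccccccccccc
"""

# Object header: "Public Key Object; RSA 2048 bits" / "Certificate Object, type = X.509 cert"
HEADER_RE = re.compile(
    r"^(?P<kind>Public Key|Private Key|Secret Key|Certificate|Data) Object[;,]\s*(?P<detail>.*)$"
)
# Indented attribute line: "  label:      gabriel.sailer AUT 10"
ATTR_RE = re.compile(r"^\s+(?P<key>[A-Za-z]+):\s*(?P<value>.*)$")

PkcsObject = Dict[str, str]


def parse_objects(listing: str) -> List[PkcsObject]:
    """Parse pkcs11-tool style output into dicts with kind/detail plus each attribute."""
    objects: List[PkcsObject] = []
    current: Optional[PkcsObject] = None
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group("kind"), "detail": m.group("detail").strip()}
            objects.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value").strip()
    return objects


def select_certificates(objects: List[PkcsObject], label_pattern: str) -> List[PkcsObject]:
    """Return the X.509 certificate objects whose label matches the regex (re.search,
    so an anchored pattern like '.* AUT 10$' behaves as the report expects)."""
    pat = re.compile(label_pattern)
    return [o for o in objects if o["kind"] == "Certificate" and pat.search(o.get("label", ""))]


VerifyFn = Callable[[PkcsObject], Optional[str]]  # None on success, else an error string


def first_valid_certificate(
    certs: List[PkcsObject], verify: VerifyFn
) -> Tuple[Optional[PkcsObject], List[Tuple[str, str]]]:
    """The behaviour the report asks for: do not abort on the first invalid
    certificate; record why it was rejected and continue with the next one."""
    rejections: List[Tuple[str, str]] = []
    for cert in certs:
        err = verify(cert)
        if err is None:
            return cert, rejections
        rejections.append((cert.get("ID", "?"), err))
    return None, rejections


# Assumed stand-in for a real chain/CRL check: treats the ENC 22 certificate
# (ID aaaa...) as expired, as in the log above, and accepts everything else.
EXPIRED_IDS = {"a" * 40}


def toy_verify(cert: PkcsObject) -> Optional[str]:
    return "certificate has expired" if cert.get("ID") in EXPIRED_IDS else None


def demo() -> Dict[str, object]:
    objs = parse_objects(SAMPLE_LISTING)
    by_label = select_certificates(objs, r".* AUT 10$")
    all_certs = select_certificates(objs, r".*")
    chosen, rejected = first_valid_certificate(all_certs, toy_verify)
    return {"by_label": by_label, "chosen": chosen, "rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("label match  :", [c["ID"] for c in result["by_label"]])
    print("chosen       :", result["chosen"]["ID"] if result["chosen"] else None)
    print("rejected     :", result["rejected"])
```

With the sample listing, the label regex picks out only the AUT 10 certificate (ID bbbb...), and the skip-and-continue loop rejects the expired ENC 22 certificate but still returns a usable one instead of failing the whole login.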