On 15/02/2016 18:14, Gabriel Sailer wrote:
Package: libpam-pkcs11
Version: 0.6.8-4
Severity: normal

On my PKI Card are six certificates:

DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   be
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   df
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   3b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   39
DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   7b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   62
DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token

Some of them are for email en-/decryption and one is for authentication (see
below).
Some certificates are expired, but are needed to read older encrypted
emails.
The problem now is that pam_pkcs11.c returned an error after validating the
first certificate with 'certificate has expired':

DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT
checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid:
certificate has expired
Error 2324: Certificate has expired
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Password:

I think this is an error. Invalid certificates should be removed from the
certificate array and the validation process should check the next certificate.

The second problem in this case is that it seems not to be possible to select the
certificate with pattern matching on the 'object label', e.g.:

Public Key Object; RSA 1024 bits
   label:      gabriel.sailer ENC 22
   ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
   Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
   label:      gabriel.sailer AUT 10
   ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
   Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
   label:      gabriel.sailer ENC 11
   ID:         cccccccccccccccccccccccccccccccccccccccc
   Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
   label:      gabriel.sailer ENC 21
   ID:         dddddddddddddddddddddddddddddddddddddddd
   Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
   label:      gabriel.sailer ENC 23
   ID:         eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
   Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
   label:      gabriel.sailer ENC 24
   ID:         ffffffffffffffffffffffffffffffffffffffff
   Usage:      encrypt, verify, wrap
Secret Key Object; unknown key algorithm 21
   label:      Challenge/Response 3DES Key 01
   ID:         43524b3031
   Usage:      verify
Certificate Object, type = X.509 cert
   label:      gabriel.sailer ENC 22
   ID:         aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Certificate Object, type = X.509 cert
   label:      gabriel.sailer AUT 10
   ID:         bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Certificate Object, type = X.509 cert
   label:      gabriel.sailer ENC 11
   ID:         cccccccccccccccccccccccccccccccccccccccc
Certificate Object, type = X.509 cert
   label:      gabriel.sailer ENC 21
   ID:         dddddddddddddddddddddddddddddddddddddddd
Certificate Object, type = X.509 cert
   label:      gabriel.sailer ENC 23
   ID:         eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Certificate Object, type = X.509 cert
   label:      gabriel.sailer ENC 24
   ID:         ffffffffffffffffffffffffffffffffffffffff

A pattern match with the string '.* AUT 10$' could select the right
certificate, even if there is more than one valid certificate on the PKI
card.

There could also be a problem with the CRL list, if it is only accessible
via a user/password protected proxy server. This could happen if a part of the
company is outsourced and gets a new domain name.
Maybe it should be possible to allow ignoring the CRL *at their own risk*.

Could you propose patches for these problems?
That would really speed up the resolution.

The best would be to provide a Pull Request for 
https://github.com/OpenSC/pam_pkcs11

Thanks

--
Dr. Ludovic Rousseau
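Below is an added Python model of the two selection behaviours discussed in the report (stopping at the first certificate versus skipping invalid ones and matching on the object label). It is example code written for this page, not pam_pkcs11's own code: the TokenCert records, the VerifyError class, the check_crl switch, the selector names and the sample validity dates are all constructed assumptions; only the object labels and the regular expression come from the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class TokenCert:
    """Constructed stand-in for one certificate object read from the token."""
    label: str            # PKCS#11 object label, as shown by pkcs11-tool
    cert_id: str          # PKCS#11 object id (hex)
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # stands in for a CRL hit


class VerifyError(Exception):
    """Raised when a certificate fails validation (assumed helper)."""


def verify_certificate(cert, now, check_crl=True):
    """Minimal validity check: lifetime first, then (optionally) revocation."""
    if now < cert.not_before:
        raise VerifyError("certificate is not yet valid")
    if now > cert.not_after:
        raise VerifyError("certificate has expired")
    if check_crl and cert.revoked:
        raise VerifyError("certificate is revoked")


def select_first_only(certs, now):
    """Model of the behaviour in the report: only certificate #1 is verified,
    and its failure ends the whole login attempt."""
    verify_certificate(certs[0], now)
    return certs[0]


def select_first_valid(certs, now, label_pattern=None, check_crl=True):
    """Proposed behaviour: optionally filter by object label, verify each
    candidate in turn, skip the ones that fail and return the first valid one.
    check_crl=False is the 'ignore the CRL at your own risk' switch from the
    report; the default keeps revocation checking on."""
    regex = re.compile(label_pattern) if label_pattern else None
    failures = []
    for idx, cert in enumerate(certs, start=1):
        if regex is not None and regex.search(cert.label) is None:
            continue
        try:
            verify_certificate(cert, now, check_crl)
        except VerifyError as err:
            failures.append(f"#{idx} '{cert.label}': {err}")
            continue
        return cert
    detail = "; ".join(failures) if failures else "no label matched"
    raise VerifyError("no usable certificate: " + detail)


def selection_result(selector, *args, **kwargs):
    """Run a selector and return (chosen_cert, error_message) instead of
    raising, so the two behaviours can be compared side by side."""
    try:
        return selector(*args, **kwargs), None
    except VerifyError as err:
        return None, str(err)


# Constructed sample token: labels follow the report, dates are invented.
UTC = timezone.utc
NOW = datetime(2016, 2, 15, 18, 14, tzinfo=UTC)
SAMPLE_CERTS = [
    # expired, but kept on the card to read old encrypted mail
    TokenCert("gabriel.sailer ENC 22", "aa",
              datetime(2012, 1, 1, tzinfo=UTC), datetime(2014, 1, 1, tzinfo=UTC)),
    # the authentication certificate
    TokenCert("gabriel.sailer AUT 10", "bb",
              datetime(2015, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC)),
    # in lifetime, but listed on the CRL
    TokenCert("gabriel.sailer ENC 11", "cc",
              datetime(2015, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC),
              revoked=True),
]

if __name__ == "__main__":
    print("first only :", selection_result(select_first_only, SAMPLE_CERTS, NOW))
    print("first valid:", selection_result(select_first_valid, SAMPLE_CERTS, NOW))
    print("label match:", selection_result(select_first_valid, SAMPLE_CERTS, NOW,
                                           r".* AUT 10$"))
```

With the expired ENC 22 certificate first in the token order, the first-only selector fails with "certificate has expired" exactly as the log shows, while the first-valid selector moves on and returns AUT 10; the label pattern makes the choice explicit instead of depending on token order, and a revoked certificate is still rejected unless check_crl is switched off on purpose.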
