Bug#814822: libpam-pkcs11: pam_pkcs11.so exit with error if on of multiple certificates

Wed, 28 Sep 2016 08:21:35 -0700 

On Mon, 15 Feb 2016 18:14:26 +0100 Gabriel Sailer <gabriel.sai...@gmx.net> 
wrote:

Package: libpam-pkcs11
Version: 0.6.8-4
Severity: normal

On my PKI Card are six certificates:

DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   be
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   df
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   3b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   39
DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   7b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   62
DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token

Some of them are for email en-/decryption and one is for authenticaten (see
below).
The some certificates are expired, but are needed to read older encrypted 
emails.
The Problem is now, that pam_pkcs11.c returned an error after validating then
first certificate with 'certificate has expired':

DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT
checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid:
certificate has expired
Error 2324: Certificate has expired
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Password:

I think this is an error. Invalid certificates should be removed from the
certificate array and the validation process should check the next certificate.


I hink this problem is solved with the latest version 0.6.9-1 of the package.
Please try this version and confirm if this bug is fixed or not.

Thanks

--
Dr. Ludovic Rousseau

Reply via email to