With the latest version this problem is solved. Thank you very much
Gabriel Sailer

On 28.09.2016 at 17:18, Ludovic Rousseau wrote:
> On Mon, 15 Feb 2016 18:14:26 +0100 Gabriel Sailer <gabriel.sai...@gmx.net>
> wrote:
>> Package: libpam-pkcs11
>> Version: 0.6.8-4
>> Severity: normal
>>
>> On my PKI Card are six certificates:
>>
>> DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: be
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: df
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 3b
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 39
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 7b
>> DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
>> DEBUG:pkcs11_lib.c:1579: - type: 00
>> DEBUG:pkcs11_lib.c:1580: - id: 62
>> DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token
>>
>> Some of them are for email en-/decryption and one is for authentication (see
>> below).
>> Some certificates are expired, but are needed to read older encrypted
>> emails.
>> The problem now is that pam_pkcs11.c returned an error after validating the
>> first certificate with 'certificate has expired':
>>
>> DEBUG:pam_pkcs11.c:551: verifying the certificate #1
>> verifying certificate
>> DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
>> DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
>> DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
>> ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid: certificate has expired
>> Error 2324: Certificate has expired
>> DEBUG:mapper_mgr.c:213: unloading mapper module list
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
>> DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
>> DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
>> DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
>> DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
>> DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
>> DEBUG:pkcs11_lib.c:1443: logout user
>> DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
>> DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
>> Password:
>>
>> I think this is an error. Invalid certificates should be removed from the
>> certificate array and the validation process should check the next
>> certificate.
>
> I think this problem is solved with the latest version 0.6.9-1 of the package.
> Please try this version and confirm if this bug is fixed or not.
>
> Thanks
>
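
Added example, not part of the original thread and not pam_pkcs11's own code: a simplified C model of the certificate loop, contrasting the reported behaviour (a certificate that fails verification ends the login) with the requested one (skip it and try the next, failing only when no valid certificate maps to the user). The struct, the function names, the dates and the matches_user flag are assumptions; only the certificate ids come from the log.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of a certificate read from the token (constructed). */
struct token_cert {
    unsigned char id;    /* id byte as printed in the debug log */
    time_t not_before, not_after;
    int matches_user;    /* hypothetical: result of the mapper step */
};

/* Validity-period check only; chain and CRL checks are out of scope here. */
static int is_current(const struct token_cert *c, time_t now) {
    return now >= c->not_before && now <= c->not_after;
}

/* Reported behaviour: a certificate that fails verification ends the login. */
int select_abort_on_invalid(const struct token_cert *certs, int n, time_t now) {
    for (int i = 0; i < n; i++) {
        if (!is_current(&certs[i], now)) return -1;
        if (certs[i].matches_user) return i;
    }
    return -1;
}

/* Requested behaviour: skip invalid certificates, fail only if none is usable. */
int select_skip_invalid(const struct token_cert *certs, int n, time_t now) {
    for (int i = 0; i < n; i++) {
        if (!is_current(&certs[i], now)) continue;  /* never accepted, only skipped */
        if (certs[i].matches_user) return i;
    }
    return -1;  /* fail closed when no valid certificate maps to the user */
}

/* Constructed sample: ids from the log; dates and mapper results are made up. */
static const struct token_cert sample[6] = {
    {0xbe, 100, 500, 0}, {0xdf, 100, 600, 0}, {0x3b, 100, 2000, 0},
    {0x39, 100, 2000, 1}, {0x7b, 100, 700, 1}, {0x62, 100, 2000, 0},
};

int main(void) {
    time_t now = 1000;  /* constructed "current time" */
    printf("abort-on-invalid: %d\n", select_abort_on_invalid(sample, 6, now));
    printf("skip-invalid:     %d\n", select_skip_invalid(sample, 6, now));
    return 0;
}
```

Skipping an expired certificate is not the same as accepting it: an expired certificate that would map to the user is still rejected, and the login fails when every certificate on the token is invalid.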