Your message dated Wed, 28 Sep 2016 18:37:21 +0200
with message-id <[email protected]>
and subject line Re: libpam-pkcs11: pam_pkcs11.so exit with error if one of
multiple certificates
has caused the Debian Bug report #814822,
regarding libpam-pkcs11: pam_pkcs11.so exit with error if one of multiple
certificates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
814822: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814822
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-pkcs11
Version: 0.6.8-4
Severity: normal
On my PKI Card are six certificates:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: be
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: df
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 3b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #4:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 39
DEBUG:pkcs11_lib.c:1577: Saving Certificate #5:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 7b
DEBUG:pkcs11_lib.c:1577: Saving Certificate #6:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 62
DEBUG:pkcs11_lib.c:1612: Found 6 certificates in token
Some of them are for email en-/decryption and one is for authentication (see
below).
Some certificates are expired, but are needed to read older encrypted
emails.
The problem is now that pam_pkcs11.c returned an error after validating the
first certificate with 'certificate has expired':
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT
checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid:
certificate has expired
Error 2324: Certificate has expired
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Password:
I think this is an error. Invalid certificates should be removed from the
certificate array and the validation process should check the next certificate.
The second problem in this case is that it seems not to be possible to select the
certificate with pattern matching on the 'object label', e.g.:
Public Key Object; RSA 1024 bits
label: gabriel.sailer ENC 22
ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Usage: encrypt, verify, wrap
Public Key Object; RSA 2048 bits
label: gabriel.sailer AUT 10
ID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Usage: encrypt, verify, wrap
Public Key Object; RSA 2048 bits
label: gabriel.sailer ENC 11
ID: cccccccccccccccccccccccccccccccccccccccc
Usage: encrypt, verify, wrap
Public Key Object; RSA 2048 bits
label: gabriel.sailer ENC 21
ID: dddddddddddddddddddddddddddddddddddddddd
Usage: encrypt, verify, wrap
Public Key Object; RSA 1024 bits
label: gabriel.sailer ENC 23
ID: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Usage: encrypt, verify, wrap
Public Key Object; RSA 2048 bits
label: gabriel.sailer ENC 24
ID: ffffffffffffffffffffffffffffffffffffffff
Usage: encrypt, verify, wrap
Secret Key Object; unknown key algorithm 21
label: Challenge/Response 3DES Key 01
ID: 43524b3031
Usage: verify
Certificate Object, type = X.509 cert
label: gabriel.sailer ENC 22
ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Certificate Object, type = X.509 cert
label: gabriel.sailer AUT 10
ID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Certificate Object, type = X.509 cert
label: gabriel.sailer ENC 11
ID: cccccccccccccccccccccccccccccccccccccccc
Certificate Object, type = X.509 cert
label: gabriel.sailer ENC 21
ID: dddddddddddddddddddddddddddddddddddddddd
Certificate Object, type = X.509 cert
label: gabriel.sailer ENC 23
ID: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Certificate Object, type = X.509 cert
label: gabriel.sailer ENC 24
ID: ffffffffffffffffffffffffffffffffffffffff
A pattern match with the string '.* AUT 10$' could select the right
certificate, also if there is more than one valid certificate on the PKI
card.
There could also be a problem with the CRL list, if it is only accessible
via a user/password protected proxy server. This could be the case if a part of the
company is outsourced and gets a new domain name.
Maybe it should be possible to allow ignoring the CRL *at one's own risk*.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-pkcs11 depends on:
ii libc6 2.19-18+deb8u2
ii libcurl3 7.38.0-4+deb8u3
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii libpam0g 1.1.8-3.1+deb8u1+b1
ii libpcsclite1 1.8.13-1
ii libssl1.0.0 1.0.1k-3+deb8u2
libpam-pkcs11 recommends no packages.
libpam-pkcs11 suggests no packages.
-- no debconf information
--- End Message ---
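The selection behaviour the report asks for, as an added illustration that is not part of the bug report or of pam_pkcs11's own code: a toy model in Python in which each token certificate is a record with label, ID and validity period (constructed sample data, loosely following the labels and IDs above; the issuer flag stands in for the CA-store lookup), one function reproduces the reported abort-on-first-failure, and the other skips invalid certificates, optionally filters them by a label regex such as '.* AUT 10$', and records why each rejected one was skipped.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed model of a certificate object on the token. Real pam_pkcs11
# works on X509 structures; here only the fields needed for selection exist.
@dataclass(frozen=True)
class TokenCert:
    label: str
    cert_id: str
    not_before: datetime
    not_after: datetime
    issuer_known: bool  # assumption: True when the issuer is in the CA store


def verify_certificate(cert: TokenCert, now: datetime) -> Optional[str]:
    """Return None when the certificate verifies, else a short reason."""
    if not cert.issuer_known:
        return "unable to get issuer certificate"
    if now < cert.not_before:
        return "certificate is not yet valid"
    if now > cert.not_after:
        return "certificate has expired"
    return None


def select_abort_on_first_error(certs: List[TokenCert], now: datetime
                                ) -> Tuple[Optional[TokenCert], List[str]]:
    """Behaviour described in the report: the first verification failure
    ends the whole login attempt, whatever the remaining certificates hold."""
    if not certs:
        return None, ["no certificate found"]
    first = certs[0]
    reason = verify_certificate(first, now)
    if reason is not None:
        return None, [f"{first.label}: {reason}"]
    return first, []


def select_first_valid(certs: List[TokenCert], now: datetime,
                       label_pattern: Optional[str] = None
                       ) -> Tuple[Optional[TokenCert], List[str]]:
    """Proposed behaviour: skip certificates that fail verification or do not
    match the label pattern, return the first usable one plus the skip log."""
    pattern = re.compile(label_pattern) if label_pattern else None
    rejected: List[str] = []
    for cert in certs:
        if pattern is not None and pattern.match(cert.label) is None:
            rejected.append(f"{cert.label}: label does not match {label_pattern!r}")
            continue
        reason = verify_certificate(cert, now)
        if reason is not None:
            rejected.append(f"{cert.label}: {reason}")
            continue
        return cert, rejected
    return None, rejected


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample token: same label/ID order as the listing in the report,
# validity periods invented so that the first object is expired and the
# authentication certificate is the second one.
NOW = _utc(2016, 2, 15)
SAMPLE_CERTS = [
    TokenCert("gabriel.sailer ENC 22", "be", _utc(2013, 1, 1), _utc(2015, 12, 31), True),
    TokenCert("gabriel.sailer AUT 10", "df", _utc(2015, 1, 1), _utc(2018, 1, 1), True),
    TokenCert("gabriel.sailer ENC 11", "3b", _utc(2011, 1, 1), _utc(2014, 1, 1), True),
    TokenCert("gabriel.sailer ENC 21", "39", _utc(2012, 6, 1), _utc(2015, 6, 1), True),
    TokenCert("gabriel.sailer ENC 23", "7b", _utc(2015, 1, 1), _utc(2017, 1, 1), True),
    TokenCert("gabriel.sailer ENC 24", "62", _utc(2015, 1, 1), _utc(2018, 1, 1), False),
]

if __name__ == "__main__":
    chosen, log = select_abort_on_first_error(SAMPLE_CERTS, NOW)
    print("abort-on-first-error:", chosen.label if chosen else None, log)
    chosen, log = select_first_valid(SAMPLE_CERTS, NOW, r".* AUT 10$")
    print("skip invalid + label filter:", chosen.label if chosen else None)
    for line in log:
        print("  skipped", line)
```

The skip log matters as much as the selection: when no certificate survives, an administrator needs every rejection reason to tell an expired credential apart from a missing CA certificate, so the function returns the list rather than only logging the last failure.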
--- Begin Message ---
On 28/09/2016 at 17:44, Gabriel Sailer wrote:
With the latest version this problem is solved.
Great. I close the bug.
Thanks.
--
Dr. Ludovic Rousseau
--- End Message ---