Hello,

On 9/19/11 11:25, Hannu Kotipalo wrote:
> I succeeded in configuring pkcs11-pam module to use Identity card issued
> by Finnish government. Also, smart card with cacert certificates works ok
> (certificates are stored on Aventra MyEID cards).

Great!

> However, there seems to be some problem with revocation lists.
>
> 1) if any of the certificates on the chain does not have a crl
> distribution point, the check will fail. I would assume that if
> certificate has defined no crl distribution point, it should be ok
> without the check?

That would be very wrong. If key generation and distribution is one of the weakest links, then revocation and adequate checking is another great problem of PKI setups. Unless you want a simple "possession of key" authentication on a single (disconnected) computer you might omit revocation checking (and use pam_p11 instead), but for everything else that works with certificates, you really want to check them for validity.

As CA certificates are not revoked very often (except Diginotar, of course ;)) and they anyway need to be hand-coded into software or configuration to be a trust anchor (at least roots), you could omit revocation checking for CAs (given a compromised CA, the CRL for it would be somewhat worthless). But checking end-entity certificates is a must.

> Or is it? Looks like one of the ca certificates on
> the Finnish ID card does not have the crl dist point. See debug below.

Adding certificates would also help. I have two Finnish test cards, I can check the certs as well (given that they are not much different from actual certificates).

>
> 2) cacert has their crl list at secure https - address. pam-pkcs11 does
> not seem to support that. Would it be easy to add it?

That might be automatic. pam_pkcs11 can use cURL and cURL can handle https. Did you add support for cURL when compiling? Maybe you have not enabled SSL support in cURL?

> DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
> DEBUG:cert_vfy.c:256: downloading crl from
> http://proxy.fineid.fi/crl/vrkcqcc.crl
> DEBUG:cert_vfy.c:464: certificate has not been revoked
> DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
> Printing data for mapper subject:
> /C=FI/serialNumber=nnnnnnnnT/GN=NAME/SN=SURNAME/CN=SURNAME NAME nnnnnnnnT
> http://proxy.fineid.fi/arl/vrkroota.crl
> /C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion
> kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates
> check_for_revocation() failed: neither the user nor the ca certificate
> does contain a crl distribution point

The error is misleading. Also, it seems that pkcs11_inspect tries to verify all certificates on the token the same way; as you'd not be authenticating with the CA certificate on the card but your personal certificate, this might need some adjustments in pkcs11_inspect code (only non-CA certificates should be processed).

Have you tried to actually use pam_pkcs11 and it fails? pkcs11_inspect might not be the most appropriate debugging solution in this case.

Best,
--
@MartinPaljak
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
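The per-certificate policy the reply argues for (an end-entity certificate must carry a CRL distribution point so revocation can be checked; a CA certificate acting as trust anchor without one may be skipped), written as an added example with the openssl command line. This is not pam_pkcs11 or pkcs11_inspect code; the certificates and the CRL URL it builds are constructed test material, not the fineid or CAcert ones from the thread.

```shell
# Added example: classify certificates by the reply's revocation policy.
# Needs only the openssl CLI (1.1.1 or later) and a POSIX shell.
set -e
WORK=$(mktemp -d)
# Constructed material: a self-signed CA with no CRL DP, an end-entity cert with one, and one without.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints = CA:FALSE\ncrlDistributionPoints = URI:http://crl.example.invalid/test.crl\n' > "$WORK/ee.ext"
printf 'basicConstraints = CA:FALSE\n' > "$WORK/nodp.ext"
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
for n in ee nodp; do
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test User $n" \
    -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$n.ext" -out "$WORK/$n.pem" 2>/dev/null
done
# crl_policy CERT.pem: prints "CHECK <url>" when the CRL must be fetched and verified,
# "SKIP-CA" for a CA certificate without a DP, and fails (exit 1) for an end-entity
# certificate without a DP, which is the case the thread asks about.
crl_policy() {
  text=$(openssl x509 -in "$1" -noout -text)
  # Take the first URI inside the CRL DP extension only (not from AIA or other extensions).
  url=$(printf '%s\n' "$text" | awk '/X509v3 CRL Distribution Points/{f=1; next}
                                     /X509v3/{f=0}
                                     f && /URI:/{sub(/.*URI:/, ""); print; exit}')
  if [ -n "$url" ]; then
    echo "CHECK $url"
  elif printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "SKIP-CA"
  else
    echo "FAIL: end-entity certificate has no CRL distribution point" >&2
    return 1
  fi
}
crl_policy "$WORK/ee.pem"
crl_policy "$WORK/ca.pem"
crl_policy "$WORK/nodp.pem" || echo "refusing $WORK/nodp.pem as expected"
```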