Hi!
First shortly about the case; The idea is to use 3rd part issued smart
card to log in to a computer. Basicly you ('sysop') relay on that 3rd
part will identity the user reliably. Actually you are outsourcing the
Certificate management.I configured my system based on instructions from https://help.ubuntu.com/community/CommonAccessCard, with some changes: 1) Of course I use Finnish ID card 2) I use opensc instead of coolkey 3) cert-policy should definitely be "ca,signature" and preferably also "crl" (you can of course also manually remove login access for any card). Checking only ca is not enought, it would be easy to make a card that would pass (I think?). I assume pam_pkcs11 is mainly purposed to be used on self generated certificates instead of ID card. So there is something to be improved (of course, if there is will to support this kind of usage). Here are my comments: 1. When using ID cards, there are usually one Root CA certificate and one intermediate certificate. Current version on pam_pkcs11 needs both to be present on /etc/pam_pkcs11/cacerts/ for it to work. Since the certificate chain is also on the card used, the Root CA *should* be enought (not a big problem thought) 2. For some reason local crl check does not seem to work for me. 3. There should be an option to download crl at predefined interval and then use local crl check (of course you can write your own script..) 4. GUI would be nice.. ;-) About the cURL and https: Compiling the source (0.6.7) after "./configure --with-curl" did not work. I had also manually define it on uri.c: #define HAVE_CURL One note; the most challenging part on this seems to be getting the correct (new enought) versions to be compiled and installed *on correct directory*. You need pcsclite, opensc, and pam_pkcs11. Compile them all with "./configure --prefix=/usr --exec-prefix=/usr". After compiling and installing, double-check if you have some configuration files on /usr/etc instead of /etc. Hannu ps. sorry for top-posting.. 21.09.2011 21:34, Martin Paljak kirjoitti: > Hello, > On 9/19/11 11:25 , Hannu Kotipalo wrote: >> I succeeded in configuring pkcs11-pam module to use Identity card issued >> by Finnish goverment. Also, smart card with cacert certificates works ok >> (certificates ar stored on Aventra MyEID cards). > Great! > > >> However, there seems to be some problem with revocation lists. >> >> 1) if any of the certificates on the chain does not have a crl >> distribution point, the check will fail. I would assume that if >> certificate has defined no crl distribution point, it should be ok >> withoiut the check? > That would be very wrong. If key generation and distribution is one of > the weakest links, then revocation and adequate checking is another > great problems of PKI setups. > > Unless you want a simple "possession of key" authentication on a single > (disconnected) computer you might omit revocation checking (and use > pam_p11 instead), but for everything else that works with certificates, > you really want to check them for validity. > As CA certificates are not revoked very often (except Diginotar, of > course ;)) and they anyway need to be hand-coded into software or > configuration to be a trust anchor (at least roots(, you could omit > revocation checking for CA-s (given a compromised CA, the CRL for it > would be somewhat worthless). But checking end-entity certificates is a > must. > >> Or is it? Looks like one of the ca certificates on >> the Finnish ID card does not have the crl dist point. See debug below. > Adding certificates would also help. I have two Finnish test cards, I > can check the certs as well (given that they are not much different from > actual certificates) > >> >> 2) cacert has their crl list at secure https - address. pam-pkcs11 does >> not seem to support that. Would it be easy to add it? > That might be automatic. pam_pkc11 can use cURL and cURL can handle > https. Did you add support for cURL when compiling? Maybe you have not > enabled SSL support in cURL? > > > > DEBUG:pkcs11_inspect.c:132: verifing the certificate #1 >> DEBUG:cert_vfy.c:256: downloading crl from >> http://proxy.fineid.fi/crl/vrkcqcc.crl >> DEBUG:cert_vfy.c:464: certificate has not been revoked >> DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1 >> Printing data for mapper subject: >> /C=FI/serialNumber=nnnnnnnnT/GN=NAME/SN=SURNAME/CN=SURNAME NAME nnnnnnnnT > >> http://proxy.fineid.fi/arl/vrkroota.crl >> /C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion >> kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates >> check_for_revocation() failed: neither the user nor the ca certificate >> does contain a crl distribution point > > The error is misleading. Also, it seems that pkcs11_inspect tries to > verify all certificates on the token the same way, as you'd not be > authenticating with the CA certificate on the card but your personal > certificate, this might need some adjustments in pkcs11_inspect code > (only non-CA certificates should be processed). Have you tried to > actually use pam_pkcs11 and it fails? pkcs11_inspect might not be most > appropriate debugging solution in this case. > > Best, > >
smime.p7s
Description: S/MIME-salakirjoitettu allekirjoitus
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
