Hello,

Here is my patch (actually, 2 patches, depending on whether the patch concerns 
only the error 2328 (patch 1) or the whole block processing the return value of 
verify_certificate() (patch 2)).

Thanks for your fast answer.

Hope my patches could help,

Regards,


Frédéric Combeau.

-----Original Message-----
From: Ludovic Rousseau [mailto:ludovic.rouss...@gmail.com] 
Sent: Monday, December 10, 2012 13:49
To: COMBEAU Frederic 150138
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012/12/10  <frederic.comb...@cea.fr>:
> Hello,

Hello,

> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but 
> they can contain 4 or 5 certificates (with corresponding RSA keys).
>
> My certificates are not all from the same PKI, so they are not certified by 
> the same CAs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it 
> tries to verify is not certified by CAs I installed on my workstation, I get 
> an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops 
> (line 584 of src/pam_pkcs11/pam_pkcs11.c: goto auth_failed_nopw;), not 
> trying to verify the other certificates in my token. I do not really want to 
> install all CAs (including CRLs, ...) of the certificates of my token on every 
> workstation.
>
> I tried to add a "continue;" in pam_pkcs11.c in the switch test for the error 
> 2328: if verify_certificate() returns -4, pam_pkcs11 prints the error 
> message "error 2328: ..." and with the continue command, pam_pkcs11 continues 
> to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing 
> certificates if the verification of a certificate returns -4.

I guess it is just a bug or a missing feature.

Can you send me a patch (or, better, a github pull request) so I can fix the 
problem?
The project is at https://github.com/OpenSC/pam_pkcs11

Thanks

--
 Dr. Ludovic Rousseau

Attachment: patch_pam_pkcs11-0.6.8_error2328-1.patch
Description: patch_pam_pkcs11-0.6.8_error2328-1.patch

Attachment: patch_pam_pkcs11-0.6.8_error2328-2.patch
Description: patch_pam_pkcs11-0.6.8_error2328-2.patch

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
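
As an added illustration of the behaviour discussed in this thread (not code from pam_pkcs11 and not the attached patches), the following C program contrasts aborting on the first certificate that fails verification with skipping it while still failing closed. The names `demo_cert`, `demo_verify`, `pick_abort` and `pick_skip`, the per-certificate user-mapping step and the sample tokens are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate on the token; not pam_pkcs11's own type. */
struct demo_cert {
    const char *login;    /* user the certificate maps to (assumed mapping step) */
    int issuer_trusted;   /* 1 if its CA is installed on this workstation */
};

/* Hypothetical verifier: 1 = valid; -4 mirrors the failure value quoted in the thread. */
static int demo_verify(const struct demo_cert *c) { return c->issuer_trusted ? 1 : -4; }

/* Reported behaviour: the first certificate that fails verification ends the attempt. */
int pick_abort(const struct demo_cert *certs, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        if (demo_verify(&certs[i]) != 1)
            return -1;                      /* stands in for "goto auth_failed_nopw" */
        if (strcmp(certs[i].login, user) == 0)
            return (int)i;
    }
    return -1;
}

/* Proposed behaviour: skip the failing certificate, never select it, and
 * still fail closed when no certificate both verifies and maps to the user. */
int pick_skip(const struct demo_cert *certs, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        int rv = demo_verify(&certs[i]);
        if (rv != 1) {
            fprintf(stderr, "cert %zu: verify returned %d, trying next\n", i, rv);
            continue;
        }
        if (strcmp(certs[i].login, user) == 0)
            return (int)i;
    }
    return -1;
}

/* Constructed tokens: mixed PKIs, and one whose only match is unverifiable. */
const struct demo_cert mixed[] = { {"alice", 0}, {"bob", 1}, {"alice", 1} };
const struct demo_cert unverifiable[] = { {"alice", 0}, {"bob", 1} };

int main(void)
{
    printf("abort=%d skip=%d\n", pick_abort(mixed, 3, "alice"), pick_skip(mixed, 3, "alice"));
    return 0;
}
```

The point to check in any such change is the second token: a certificate that fails verification is only skipped, so a user whose sole matching certificate is unverifiable is still rejected.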
