Hi!
First shortly about the case; The idea is to use 3rd part issued smart
card to log in to a computer. Basicly you ('sysop') relay on that 3rd
part will identity the user reliably. Actually you are outsourcing the
Certificate management.
I configured my system based on instructions from
https://help.ubuntu.com/community/CommonAccessCard, with some changes:
1) Of course I use Finnish ID card 2) I use opensc instead of coolkey 3)
cert-policy should definitely be ca,signature and preferably also
crl (you can of course also manually remove login access for any
card). Checking only ca is not enought, it would be easy to make a card
that would pass (I think?).
I assume pam_pkcs11 is mainly purposed to be used on self generated
certificates instead of ID card. So there is something to be improved
(of course, if there is will to support this kind of usage).
Here are my comments:
1. When using ID cards, there are usually one Root CA certificate and
one intermediate certificate. Current version on pam_pkcs11 needs both
to be present on /etc/pam_pkcs11/cacerts/ for it to work. Since the
certificate chain is also on the card used, the Root CA *should* be
enought (not a big problem thought)
2. For some reason local crl check does not seem to work for me.
3. There should be an option to download crl at predefined interval and
then use local crl check (of course you can write your own script..)
4. GUI would be nice.. ;-)
About the cURL and https: Compiling the source (0.6.7) after
./configure --with-curl did not work. I had also manually define it on
uri.c: #define HAVE_CURL
One note; the most challenging part on this seems to be getting the
correct (new enought) versions to be compiled and installed *on correct
directory*. You need pcsclite, opensc, and pam_pkcs11. Compile them all
with ./configure --prefix=/usr --exec-prefix=/usr. After compiling and
installing, double-check if you have some configuration files on
/usr/etc instead of /etc.
Hannu
ps. sorry for top-posting..
21.09.2011 21:34, Martin Paljak kirjoitti:
Hello,
On 9/19/11 11:25 , Hannu Kotipalo wrote:
I succeeded in configuring pkcs11-pam module to use Identity card issued
by Finnish goverment. Also, smart card with cacert certificates works ok
(certificates ar stored on Aventra MyEID cards).
Great!
However, there seems to be some problem with revocation lists.
1) if any of the certificates on the chain does not have a crl
distribution point, the check will fail. I would assume that if
certificate has defined no crl distribution point, it should be ok
withoiut the check?
That would be very wrong. If key generation and distribution is one of
the weakest links, then revocation and adequate checking is another
great problems of PKI setups.
Unless you want a simple possession of key authentication on a single
(disconnected) computer you might omit revocation checking (and use
pam_p11 instead), but for everything else that works with certificates,
you really want to check them for validity.
As CA certificates are not revoked very often (except Diginotar, of
course ;)) and they anyway need to be hand-coded into software or
configuration to be a trust anchor (at least roots(, you could omit
revocation checking for CA-s (given a compromised CA, the CRL for it
would be somewhat worthless). But checking end-entity certificates is a
must.
Or is it? Looks like one of the ca certificates on
the Finnish ID card does not have the crl dist point. See debug below.
Adding certificates would also help. I have two Finnish test cards, I
can check the certs as well (given that they are not much different from
actual certificates)
2) cacert has their crl list at secure https - address. pam-pkcs11 does
not seem to support that. Would it be easy to add it?
That might be automatic. pam_pkc11 can use cURL and cURL can handle
https. Did you add support for cURL when compiling? Maybe you have not
enabled SSL support in cURL?
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:256: downloading crl from
http://proxy.fineid.fi/crl/vrkcqcc.crl
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
Printing data for mapper subject:
/C=FI/serialNumber=T/GN=NAME/SN=SURNAME/CN=SURNAME NAME T
http://proxy.fineid.fi/arl/vrkroota.crl
/C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion
kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates
check_for_revocation() failed: neither the user nor the ca certificate
does contain a crl distribution point
The error is misleading. Also, it seems that pkcs11_inspect tries to
verify all certificates on the token the same way, as you'd not be
authenticating with the CA certificate on the card but your personal
certificate, this might need some adjustments in pkcs11_inspect code
(only non-CA certificates should be processed). Have you tried to
actually use pam_pkcs11