Hello,
Here is my patch (actually, 2 patches, depending on whether the patch concerns only
error 2328 (patch 1) or the whole block processing the return value of
verify_certificate() (patch 2)).
Thanks for your fast answer.
Hope my patches could help,
Regards,
Frédéric Combeau.
-----Original Message-----
From: Ludovic Rousseau [mailto:ludovic.rouss...@gmail.com]
Sent: Monday, December 10, 2012 13:49
To: COMBEAU Frederic 150138
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] pam_pkcs11 with many certificates on a single token
2012/12/10 :
> Hello,
Hello,
> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but
> they can contain 4 or 5 certificates (with corresponding rsa keys).
>
> My certificates are not all from the same PKI, so they are not certified by
> the same ACs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it
> tries to verify is not certified by ACs I installed on my workstation, I got
> an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops
> (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not
> trying to verify other certificates in my token. I do not really want to
> install all ACs (including CRLs, ...) of my certificates of my token on every
> workstation.
>
> I tried to add a "continue;" in pam_pkcs11.c in the switch test for the error
> 2328 : if verify_certificate() returns -4, pam_pkcs11 prints the error
> message "error 2328: ..." and with the continue command, pam_pkcs11 continues
> to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing
> certificates if the verification of a certificate returns -4.
I guess it is just a bug or a missing feature.
Can you send me a patch (or, better, a github pull request) so I can fix the
problem?
The project is at https://github.com/OpenSC/pam_pkcs11
Thanks
--
Dr. Ludovic Rousseau
Attachment: patch_pam_pkcs11-0.6.8_error2328-1.patch
Attachment: patch_pam_pkcs11-0.6.8_error2328-2.patch
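
The loop behaviour discussed in this thread, as an added example that is not part of the original messages, the attached patches, or pam_pkcs11's source. It models "stop on the first failed verification" against "skip the failed certificate and continue", and shows that skipping still fails closed when no certificate verifies. The names select_cert, struct cert and the policy enum are hypothetical, and the convention that 1 means "verified" is an assumption; only the -4 return value comes from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not pam_pkcs11 code. Assumed convention: 1 = verified,
 * anything else = failed. -4 is the return value quoted in the report. */
enum policy { STOP_ON_FIRST_FAILURE, SKIP_FAILED_CERT };

struct cert {
    const char *label;  /* constructed sample data */
    int verify_rc;      /* what the verifier returns for this certificate */
};

/* Returns the index of the first certificate that verified, or -1 if none.
 * A failed verification never authenticates; the policy only decides
 * whether the remaining certificates on the token are still examined. */
int select_cert(const struct cert *certs, size_t n, enum policy p)
{
    for (size_t i = 0; i < n; i++) {
        if (certs[i].verify_rc != 1) {
            fprintf(stderr, "cert %s: verification failed (%d)\n",
                    certs[i].label, certs[i].verify_rc);
            if (p == STOP_ON_FIRST_FAILURE)
                return -1;  /* behaviour described in the report */
            continue;       /* proposed change: try the next certificate */
        }
        return (int)i;      /* verified: this certificate may be used */
    }
    return -1;              /* nothing verified: login must fail */
}

/* Constructed token: the first certificate is issued by a CA that is
 * not installed on the workstation, the second by one that is. */
static const struct cert mixed_token[] = {
    { "other-pki", -4 },
    { "local-pki",  1 },
};
/* Constructed token on which no certificate chains to an installed CA. */
static const struct cert untrusted_token[] = {
    { "other-pki", -4 },
    { "third-pki", -4 },
};

int main(void)
{
    printf("stop: %d\n", select_cert(mixed_token, 2, STOP_ON_FIRST_FAILURE));
    printf("skip: %d\n", select_cert(mixed_token, 2, SKIP_FAILED_CERT));
    printf("none: %d\n", select_cert(untrusted_token, 2, SKIP_FAILED_CERT));
    return 0;
}
```
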