Re: [opensc-devel] Using Finnish Government Identity card for smart card logging

2011-09-21 Thread Martin Paljak
Hello,
On 9/19/11 11:25, Hannu Kotipalo wrote:
> I succeeded in configuring pkcs11-pam module to use Identity card issued
> by Finnish government. Also, smart card with cacert certificates works ok
> (certificates are stored on Aventra MyEID cards).
Great!


> However, there seems to be some problem with revocation lists.
>
> 1) if any of the certificates on the chain does not have a crl
> distribution point, the check will fail. I would assume that if
> certificate has defined no crl distribution point, it should be ok
> without the check?
That would be very wrong. If key generation and distribution is one of
the weakest links, then revocation and adequate checking is another
great problem of PKI setups.

Unless you want a simple possession of key authentication on a single
(disconnected) computer you might omit revocation checking (and use
pam_p11 instead), but for everything else that works with certificates,
you really want to check them for validity.
As CA certificates are not revoked very often (except DigiNotar, of
course ;)) and they anyway need to be hand-coded into software or
configuration to be a trust anchor (at least roots), you could omit
revocation checking for CAs (given a compromised CA, the CRL for it
would be somewhat worthless). But checking end-entity certificates is a
must.

> Or is it? Looks like one of the ca certificates on
> the Finnish ID card does not have the crl dist point. See debug below.
Adding certificates would also help. I have two Finnish test cards, I
can check the certs as well (given that they are not much different from
actual certificates)

>
> 2) cacert has their crl list at secure https - address. pam-pkcs11 does
> not seem to support that. Would it be easy to add it?
That might be automatic. pam_pkcs11 can use cURL and cURL can handle
https. Did you add support for cURL when compiling? Maybe you have not
enabled SSL support in cURL?



> DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
> DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/crl/vrkcqcc.crl
> DEBUG:cert_vfy.c:464: certificate has not been revoked
> DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
> Printing data for mapper subject:
> /C=FI/serialNumber=T/GN=NAME/SN=SURNAME/CN=SURNAME NAME T
>
> http://proxy.fineid.fi/arl/vrkroota.crl
> /C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion
> kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates
> check_for_revocation() failed: neither the user nor the ca certificate
> does contain a crl distribution point

The error is misleading. Also, it seems that pkcs11_inspect tries to
verify all certificates on the token the same way, as you'd not be
authenticating with the CA certificate on the card but your personal
certificate, this might need some adjustments in pkcs11_inspect code
(only non-CA certificates should be processed). Have you tried to
actually use pam_pkcs11 and it fails? pkcs11_inspect might not be most
appropriate debugging solution in this case.

Best,


-- 
@MartinPaljak
+3725156495
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
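The policy argued in the reply above (skip CRL checking for CA certificates, require it for end-entity certificates, and treat an https-only CRL distribution point as a fetcher capability problem rather than a pass) can be written down as a small triage routine. The following Python is an added example; it is not pam_pkcs11 code and not from either poster. The `CertInfo` values, subject names and CRL URLs are constructed to mirror the three certificates in the debug log, and `cert_info_from_pem` assumes the `cryptography` package is installed if you want to feed it real certificates.

```python
"""
Revocation-policy triage for certificates found on a PKCS#11 token.

Added example, not pam_pkcs11 code. It models the policy argued in the
reply above:
  * CA certificates (basicConstraints CA=TRUE) are hand-configured trust
    anchors and are not what the user authenticates with, so a missing
    CRL distribution point (CDP) on them is tolerated;
  * end-entity certificates must carry a CDP and must be checked;
  * an https:// CDP is only usable if the fetcher speaks TLS
    (cURL built with SSL); otherwise it is reported, not silently skipped.
The CertInfo values below are constructed to mirror the debug output in
the thread; names and URLs are placeholders, not real FINEID/CAcert data.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CertInfo:
    subject: str
    is_ca: bool                                   # basicConstraints CA flag
    cdp_urls: list = field(default_factory=list)  # URIs from the CDP extension


def crl_decision(cert, https_supported=False):
    """Decide how revocation checking applies to one certificate.

    Returns (action, detail): action is "skip" (CA, not checked),
    "check" (detail = list of CDP URLs to fetch) or "fail" (detail = reason).
    """
    if cert.is_ca:
        return ("skip", "CA certificate: trust anchor, not used for login")
    if not cert.cdp_urls:
        # This is the case the thread's error message should really name.
        return ("fail", "end-entity certificate has no CRL distribution point")
    usable = []
    for url in cert.cdp_urls:
        scheme = urlparse(url).scheme
        if scheme == "http" or (scheme == "https" and https_supported):
            usable.append(url)
    if not usable:
        return ("fail", "CDP only reachable over https; fetcher lacks TLS support")
    return ("check", usable)


def triage_token(certs, https_supported=False):
    """Apply crl_decision to every certificate on a token.

    Unlike a loop that aborts on the first certificate without a CDP, this
    reports a verdict per certificate, so the CA entry cannot mask the
    end-entity result.
    """
    return [(c.subject, *crl_decision(c, https_supported)) for c in certs]


def cert_info_from_pem(pem_bytes):
    """Build a CertInfo from a real PEM certificate (needs `cryptography`)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID

    cert = x509.load_pem_x509_certificate(pem_bytes)
    try:
        is_ca = cert.extensions.get_extension_for_oid(
            ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    urls = []
    try:
        cdp = cert.extensions.get_extension_for_oid(
            ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        cdp = []
    for dp in cdp:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return CertInfo(cert.subject.rfc4514_string(), is_ca, urls)


# Constructed sample token, modelled on the three certificates in the debug log.
SAMPLE_TOKEN = [
    CertInfo("CN=SURNAME NAME T,C=FI", False,
             ["http://crl.example.invalid/citizen.crl"]),   # end-entity, http CDP
    CertInfo("CN=Example Citizen CA,C=FI", True, []),        # CA, no CDP
    CertInfo("CN=cacert user,O=Example", False,
             ["https://crl.example.invalid/class3.crl"]),    # end-entity, https CDP
]


if __name__ == "__main__":
    for https in (False, True):
        print(f"--- fetcher https support: {https}")
        for subject, action, detail in triage_token(SAMPLE_TOKEN, https):
            print(f"{action:5s} {subject}: {detail}")
```

Run it to see the two outcomes side by side: without TLS support in the fetcher the CAcert-style certificate is reported as a failure with a reason that points at the fetcher, not at the certificate, and the CA certificate without a CDP never blocks the user certificate from being checked.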


[opensc-devel] Using Finnish Government Identity card for smart card logging

2011-09-19 Thread Hannu Kotipalo
Hi!

I succeeded in configuring pkcs11-pam module to use Identity card issued
by Finnish government. Also, smart card with cacert certificates works ok
(certificates are stored on Aventra MyEID cards).

I improvised instructions from
https://help.ubuntu.com/community/CommonAccessCard

However, there seems to be some problem with revocation lists.

1) if any of the certificates on the chain does not have a crl
distribution point, the check will fail. I would assume that if
certificate has defined no crl distribution point, it should be ok
without the check? Or is it? Looks like one of the ca certificates on
the Finnish ID card does not have the crl dist point. See debug below.

2) cacert has their crl list at secure https - address. pam-pkcs11 does
not seem to support that. Would it be easy to add it?

Here are the debugs from pkcs11_inspect debug (cert_policy =
ca,signature,crl_online;)

btw, this mail has been signed with cacert.org certificate on Aventra
MyEID card.

Finnish ID card:
-
@:~/src/pam_pkcs11-0.6.7$ pkcs11_inspect debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1109: - flags: 
DEBUG:pkcs11_lib.c:1110: - library description: Smart card PKCS#11 API

DEBUG:pkcs11_lib.c:: - library version: 0.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 3
DEBUG:pkcs11_lib.c:1141: number of slots (b): 3
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Virtual hotplug slot

DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 2:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: HENKILOKORTTI (perustunnusluku)
DEBUG:pkcs11_lib.c:1058:   - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059:   - model: PKCS#15
DEBUG:pkcs11_lib.c:1060:   - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061:   - flags: 040c
DEBUG:pkcs11_lib.c:1037: slot 3:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: HENKILOKORTTI (allekirjoitustunn
DEBUG:pkcs11_lib.c:1058:   - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059:   - model: PKCS#15
DEBUG:pkcs11_lib.c:1060:   - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061:   - flags: 040c
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 2
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   45
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   47
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   48
DEBUG:pkcs11_lib.c:1612: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:pkcs11_inspect.c:128: Found '3' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/crl/vrkcqcc.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [proxy.fineid.fi]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/crl/vrkcqcc.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
Printing data for mapper subject:
/C=FI/serialNumber=T/GN=NAME/SN=SURNAME/CN=SURNAME