Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012-12-12 Thread Ludovic Rousseau
2012/12/10  frederic.comb...@cea.fr:
> Hello,
>
> Here is my patch (actually, 2 patches that depend if the patch concerns only
> the error 2328 (patch 1) or the whole block processing the return value of
> verify_certificate() (patch 2)).

Patch 2 applied in git
https://github.com/OpenSC/pam_pkcs11/commit/75613e32dfc49e1174d55ed37c18ce84cabadb47

Thanks

-- 
 Dr. Ludovic Rousseau
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


[opensc-devel] pam_pkcs11 with many certificates on a single token

2012-12-10 Thread frederic.combeau
Hello,

I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but 
they can contain 4 or 5 certificates (with corresponding rsa keys).

My certificates are not all from the same PKI, so they are not certified by the 
same ACs.

The problem I encounter with pam_pkcs11 is that if the first certificate it 
tries to verify is not certified by ACs I installed on my workstation, I got an 
error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops (line 
584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not trying to 
verify other certificates in my token. I do not really want to install all ACs 
(including CRLs, ...) of my certificates of my token on every workstation.

I tried to add a continue; in pam_pkcs11.c in the switch test for the error 
2328 : if verify_certificate() returns -4, pam_pkcs11 prints the error message 
error 2328: ... and with the continue command, pam_pkcs11 continues to 
process the next certificates and everything works great.

Maybe I missed something that explains why pam_pkcs11 stops processing 
certificates if the verification of a certificate returns -4.

Thanks for any help you could give me.

Regards.


Frédéric Combeau.
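
The control flow described in this message, as an added example that is not part of the original post and is not pam_pkcs11 code: a model of the certificate loop that aborts on the first failed verification beside one that skips and continues but still fails closed when nothing verifies. The struct, function names, sample tokens and the "> 0 means verified" convention are assumptions; only the value -4 comes from the post.

```c
#include <stdio.h>
#include <stddef.h>
/* Model only, not pam_pkcs11 code. verify_rc stands in for the result of
 * verifying one certificate: -4 is the value reported in the post for an
 * issuer that is not installed locally; "> 0 means verified" is assumed. */
struct cert { const char *label; int verify_rc; };
#define NO_CERT (-1)
/* Constructed sample tokens. */
static const struct cert token_mixed[] = {
    { "cert from another PKI", -4 },
    { "cert from the local PKI", 1 },
    { "second cert from another PKI", -4 },
};
static const struct cert token_untrusted[] = {
    { "cert from another PKI", -4 },
    { "second cert from another PKI", -4 },
};

/* Reported behaviour: the first failed verification ends the attempt. */
int pick_cert_abort(const struct cert *c, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (c[i].verify_rc <= 0)
            return NO_CERT;            /* like "goto auth_failed_nopw" */
        return (int)i;
    }
    return NO_CERT;
}

/* Proposed behaviour: log and skip, but accept only a verified cert. */
int pick_cert_skip(const struct cert *c, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (c[i].verify_rc <= 0) {
            fprintf(stderr, "skip \"%s\": verify rc=%d\n", c[i].label, c[i].verify_rc);
            continue;                  /* a skipped cert is never accepted */
        }
        return (int)i;
    }
    return NO_CERT;                    /* fail closed: nothing verified */
}

int main(void)
{
    printf("abort on mixed token: %d\n", pick_cert_abort(token_mixed, 3));
    printf("skip on mixed token: %d\n", pick_cert_skip(token_mixed, 3));
    printf("skip on untrusted token: %d\n", pick_cert_skip(token_untrusted, 2));
    return 0;
}
```

Logging every skipped certificate keeps the failed verifications visible to whoever reviews authentication logs, even when a later certificate on the same token succeeds.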


Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012-12-10 Thread Ludovic Rousseau
2012/12/10  frederic.comb...@cea.fr:
> Hello,

Hello,

> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but
> they can contain 4 or 5 certificates (with corresponding rsa keys).
>
> My certificates are not all from the same PKI, so they are not certified by
> the same ACs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it
> tries to verify is not certified by ACs I installed on my workstation, I got
> an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops
> (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not
> trying to verify other certificates in my token. I do not really want to
> install all ACs (including CRLs, ...) of my certificates of my token on every
> workstation.
>
> I tried to add a continue; in pam_pkcs11.c in the switch test for the error
> 2328 : if verify_certificate() returns -4, pam_pkcs11 prints the error
> message error 2328: ... and with the continue command, pam_pkcs11 continues
> to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing
> certificates if the verification of a certificate returns -4.

I guess it is just a bug or a missing feature.

Can you send me a patch (or, better, a github pull request) so I can
fix the problem?
The project is at https://github.com/OpenSC/pam_pkcs11

Thanks

-- 
 Dr. Ludovic Rousseau


Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012-12-10 Thread frederic.combeau
Hello,

Here is my patch (actually, 2 patches that depend if the patch concerns only 
the error 2328 (patch 1) or the whole block processing the return value of 
verify_certificate() (patch 2)).

Thanks for your fast answer.

Hope my patches could help,

Regards,


Frédéric Combeau.

-----Original Message-----
From: Ludovic Rousseau [mailto:ludovic.rouss...@gmail.com]
Sent: Monday, 10 December 2012 13:49
To: COMBEAU Frederic 150138
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012/12/10  frederic.comb...@cea.fr:
> Hello,

Hello,

> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but
> they can contain 4 or 5 certificates (with corresponding rsa keys).
>
> My certificates are not all from the same PKI, so they are not certified by
> the same ACs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it
> tries to verify is not certified by ACs I installed on my workstation, I got
> an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops
> (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not
> trying to verify other certificates in my token. I do not really want to
> install all ACs (including CRLs, ...) of my certificates of my token on every
> workstation.
>
> I tried to add a continue; in pam_pkcs11.c in the switch test for the error
> 2328 : if verify_certificate() returns -4, pam_pkcs11 prints the error
> message error 2328: ... and with the continue command, pam_pkcs11 continues
> to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing
> certificates if the verification of a certificate returns -4.

I guess it is just a bug or a missing feature.

Can you send me a patch (or, better, a github pull request) so I can fix the 
problem?
The project is at https://github.com/OpenSC/pam_pkcs11

Thanks

--
 Dr. Ludovic Rousseau


patch_pam_pkcs11-0.6.8_error2328-1.patch
Description: patch_pam_pkcs11-0.6.8_error2328-1.patch


patch_pam_pkcs11-0.6.8_error2328-2.patch
Description: patch_pam_pkcs11-0.6.8_error2328-2.patch

Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012-12-10 Thread Peter Stuge
frederic.comb...@cea.fr wrote:
> Here is my patch (actually, 2 patches that depend if the patch
> concerns only the error 2328 (patch 1) or the whole block
> processing the return value of verify_certificate() (patch 2)).

Patch 1 is obviously incorrect because your change is inside a
conditional.

Patch 2 is the correct change in code flow, but please do not ever
use comments to remove source code. The version control system
keeps track of history, and commented out code is very confusing,
not to mention ugly.

It would be great if you sent the change in an easy format. Ludovic
mentioned pull requests. You'll need to know git and github specifics
to do that. If you don't, maybe someone can generate a commit in your
name.


Thanks

//Peter