Linux authentication with italian CRS/CNS

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Linux authentication with italian CRS/CNS

Lorenzo Milesi
I'm trying to use italian CNS/CRS for authentication in Ubuntu Linux.
I'm using SCR3310 reader, the card maker:
Manufacturer ID: IC: Infineon; mask: Siemens
It contains a public and private key, so there sould be no need to create a new key on the card.
I'm trying to use the guide here:
According to `pkcs11_listcerts` the card issuer is
- Issuer:    /C=IT/O=Actalis S.p.A./OU=Servizi di certificazione/CN=Regione Lombardia Certification Authority Cittadini

I downloaded the CA Cert of Actalis and placed in /etc/pam_pkcs11/cacerts, then ran pkcs11_make_hash_link. Certificate info:
# openssl x509 -in CAActalis.pem -text -noout
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, O=Actalis S.p.A., OU=Servizi di certificazione, CN=Regione Lombardia Certification Authority Cittadini
            Not Before: Dec 16 20:20:36 2004 GMT
            Not After : Dec 16 20:20:36 2016 GMT
        Subject: C=IT, O=Actalis S.p.A., OU=Servizi di certificazione, CN=Regione Lombardia Certification Authority Cittadini

The subject seems to match.
So I configured sudo to perform an auth check, but I get the following messages:
$ sudo -i
Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [maxxer]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/x86_64-linux-gnu/]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/x86_64-linux-gnu/
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: OpenSC (
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: Smart card PKCS#11 API          
DEBUG:pkcs11_lib.c:1111: - library version: 0.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 2
DEBUG:pkcs11_lib.c:1141: number of slots (b): 2
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Virtual hotplug slot                                            
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 2:
DEBUG:pkcs11_lib.c:1047: - description: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00          
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: LORENZO MILESI (PIN CNS0)      
DEBUG:pkcs11_lib.c:1058:   - manufacturer: IC: Infineon; mask: Siemens    
DEBUG:pkcs11_lib.c:1059:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1060:   - serial: xxx
DEBUG:pkcs11_lib.c:1061:   - flags: 4040c
Smart card found.
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 2
Smart card PIN:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   01
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:196: Inserting mapper [pwent] into list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'opensc'
DEBUG:mapper_mgr.c:196: Inserting mapper [opensc] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is invalid: unable to get local issuer certificate
Error 2328: Certificate signature invalid
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() opensc
DEBUG:mapper_mgr.c:145: unloading module opensc
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates

What can be the error? What am I missing?
Lorenzo Milesi - [hidden email]

YetOpen S.r.l. -

WatchGuard Dimension instantly turns raw network data into actionable
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
Opensc-devel mailing list
[hidden email]