pam_pkcs11 with many certificates on a single token


pam_pkcs11 with many certificates on a single token

frederic.combeau
Hello,

I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but they can contain 4 or 5 certificates (with corresponding RSA keys).

My certificates are not all from the same PKI, so they are not certified by the same ACs.

The problem I encounter with pam_pkcs11 is that if the first certificate it tries to verify is not certified by the ACs I installed on my workstation, I get an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not trying to verify the other certificates in my token. I do not really want to install all the ACs (including CRLs, ...) of the certificates in my token on every workstation.

I tried to add a "continue;" in pam_pkcs11.c in the switch test for error 2328: if verify_certificate() returns -4, pam_pkcs11 prints the error message "error 2328: ..." and, with the continue statement, pam_pkcs11 goes on to process the next certificates and everything works great.

Maybe I missed something that explains why pam_pkcs11 stops processing certificates if the verification of a certificate returns -4.

Thanks for any help you could give me.

Regards.


Frédéric Combeau.
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
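A simplified model of the certificate loop discussed in this thread, added here as an illustration and not pam_pkcs11's own code: cert_t, pick_cert_old and pick_cert_new are hypothetical names, and verify_certificate is a stub that returns -4 (the case reported as error 2328) whenever the issuing CA is not installed on the workstation. It contrasts the 0.6.8 behaviour (abort on the first unverifiable certificate) with the patched flow (skip it and try the next), and shows that the patched flow still fails closed when no certificate on the token chains to a trusted CA.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for one certificate found on the token. */
typedef struct {
    const char *subject;
    const char *issuer;
    int trusted_issuer;  /* hypothetical: 1 if the issuer CA is installed locally */
} cert_t;

/* Return codes modelled on the thread: -4 means "not certified by an
 * installed CA", which pam_pkcs11 reports as error 2328. */
#define VERIFY_OK            0
#define VERIFY_UNTRUSTED_CA (-4)

static int verify_certificate(const cert_t *c) {
    return c->trusted_issuer ? VERIFY_OK : VERIFY_UNTRUSTED_CA;
}

/* 0.6.8 flow: the first -4 aborts the whole login (goto auth_failed_nopw).
 * Returns the index of the usable certificate, or -1 for authentication failure. */
static int pick_cert_old(const cert_t *certs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int rv = verify_certificate(&certs[i]);
        if (rv == VERIFY_UNTRUSTED_CA) return -1;   /* stops here, later certs never tried */
        if (rv == VERIFY_OK) return (int)i;
    }
    return -1;
}

/* Patched flow: log the untrusted certificate and continue with the next one.
 * Login is still denied when no certificate verifies against an installed CA. */
static int pick_cert_new(const cert_t *certs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int rv = verify_certificate(&certs[i]);
        if (rv != VERIFY_OK) {
            fprintf(stderr, "error 2328: cert %zu (%s) not trusted, trying next\n",
                    i, certs[i].subject);
            continue;
        }
        return (int)i;
    }
    return -1;
}

/* Constructed sample token: first cert issued by an external PKI, second by the local one. */
static const cert_t sample_token[] = {
    {"CN=frederic,O=Partner PKI", "CN=Partner CA", 0},
    {"CN=frederic,O=Local PKI",   "CN=Local CA",   1},
};
static const size_t sample_token_len = sizeof(sample_token) / sizeof(sample_token[0]);

int main(void) {
    printf("old flow: %d\n", pick_cert_old(sample_token, sample_token_len)); /* -1 */
    printf("new flow: %d\n", pick_cert_new(sample_token, sample_token_len)); /*  1 */
    return 0;
}
```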
Re: pam_pkcs11 with many certificates on a single token

Ludovic Rousseau
2012/12/10  <[hidden email]>:
> Hello,

Hello,

> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but they can contain 4 or 5 certificates (with corresponding RSA keys).
>
> My certificates are not all from the same PKI, so they are not certified by the same ACs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it tries to verify is not certified by the ACs I installed on my workstation, I get an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not trying to verify the other certificates in my token. I do not really want to install all the ACs (including CRLs, ...) of the certificates in my token on every workstation.
>
> I tried to add a "continue;" in pam_pkcs11.c in the switch test for error 2328: if verify_certificate() returns -4, pam_pkcs11 prints the error message "error 2328: ..." and, with the continue statement, pam_pkcs11 goes on to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing certificates if the verification of a certificate returns -4.

I guess it is just a bug or a missing feature.

Can you send me a patch (or, better, a github pull request) so I can
fix the problem?
The project is at https://github.com/OpenSC/pam_pkcs11

Thanks

--
 Dr. Ludovic Rousseau
Re: pam_pkcs11 with many certificates on a single token

frederic.combeau
Hello,

Here is my patch (actually, two patches, depending on whether the change concerns only error 2328 (patch 1) or the whole block processing the return value of verify_certificate() (patch 2)).

Thanks for your fast answer.

Hope my patches can help,

Regards,


Frédéric Combeau.

-----Original Message-----
From: Ludovic Rousseau [mailto:[hidden email]]
Sent: Monday 10 December 2012 13:49
To: COMBEAU Frederic 150138
Cc: [hidden email]
Subject: Re: [opensc-devel] pam_pkcs11 with many certificates on a single token

2012/12/10  <[hidden email]>:
> Hello,

Hello,

> I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens work fine but they can contain 4 or 5 certificates (with corresponding RSA keys).
>
> My certificates are not all from the same PKI, so they are not certified by the same ACs.
>
> The problem I encounter with pam_pkcs11 is that if the first certificate it tries to verify is not certified by the ACs I installed on my workstation, I get an error 2328 because verify_certificate() returns -4 and pam_pkcs11 stops (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not trying to verify the other certificates in my token. I do not really want to install all the ACs (including CRLs, ...) of the certificates in my token on every workstation.
>
> I tried to add a "continue;" in pam_pkcs11.c in the switch test for error 2328: if verify_certificate() returns -4, pam_pkcs11 prints the error message "error 2328: ..." and, with the continue statement, pam_pkcs11 goes on to process the next certificates and everything works great.
>
> Maybe I missed something that explains why pam_pkcs11 stops processing certificates if the verification of a certificate returns -4.

I guess it is just a bug or a missing feature.

Can you send me a patch (or, better, a github pull request) so I can fix the problem?
The project is at https://github.com/OpenSC/pam_pkcs11

Thanks

--
 Dr. Ludovic Rousseau


Attachments: patch_pam_pkcs11-0.6.8_error2328-1.patch (2K), patch_pam_pkcs11-0.6.8_error2328-2.patch (2K)
Re: pam_pkcs11 with many certificates on a single token

Peter Stuge-4
[hidden email] wrote:
> Here is my patch (actually, 2 patches that depend if the patch
> concerns only the error 2328 (patch 1) or the whole block
> processing the return value of verify_certificate() (patch 2)).

Patch 1 is obviously incorrect because your change is inside a
conditional.

Patch 2 is the correct change in code flow, but please do not ever
use comments to "remove" source code. The version control system
keeps track of history, and commented out code is very confusing,
not to mention ugly.

It would be great if you sent the change in an easy format. Ludovic
mentioned pull requests. You'll need to know git and github specifics
to do that. If you don't, maybe someone can generate a commit in your
name.


Thanks

//Peter
Re: pam_pkcs11 with many certificates on a single token

Ludovic Rousseau
2012/12/10  <[hidden email]>:
> Hello,
>
> Here is my patch (actually, 2 patches that depend if the patch concerns only the error 2328 (patch 1) or the whole block processing the return value of verify_certificate() (patch 2)).

Patch 2 applied in git
https://github.com/OpenSC/pam_pkcs11/commit/75613e32dfc49e1174d55ed37c18ce84cabadb47

Thanks

--
 Dr. Ludovic Rousseau