
pam_pkcs11's Introduction

OpenSC documentation

Manual pages for the OpenSC command line tools as well as for the OpenSC configuration files are available online and typically distributed along with your installation.

The OpenSC Wiki includes, among others, information for:

Downloads

Latest release

The latest stable version of OpenSC is available on Github. It is available as

  • Windows installer for 64 bit and 32 bit programs (OpenSC*_win64.msi and OpenSC*_win32.msi)
  • macOS installer (OpenSC*.dmg)
  • Source code distribution (opensc*.tar.gz)

Nightly build

The latest source code is available through GitHub. Nightly builds are available by their git hash in branches of OpenSC/Nightly.

Build and testing status

Status badges on the upstream README (badge images not reproduced here): Linux build, OSX build, AppVeyor CI build status, Coverity Scan status, CodeQL, fuzzing status, CII Best Practices.

Build and test status of specific cards:

Cards (each with its own build/test status badge upstream):

  • CAC
  • virt_CACard
  • Coolkey
  • PivApplet (PIV)
  • OpenPGP Applet (OpenPGP)
  • GidsApplet (GIDS)
  • IsoApplet
  • OsEID (MyEID)
  • SmartCardHSM
  • ePass2003

pam_pkcs11's People

Contributors

alynxzhou, angusmcgyver, bowb, dengert, dimitripapadopoulos, etiennebarbier, flameeyes, frankmorgner, ilpianista, ivanskorikov, jpereyra316, kb9vqf, ludovicrousseau, martinpaljak, maxxer, milgner, mskalski, nalind, oliviermartin, r3pek, raorn, tolonuga, wolneykien


pam_pkcs11's Issues

Segmentation fault in X509_STORE_get_by_subject ()

Hi,
we have set up a configuration with CRL checking (cert_policy = CA,signature,crl_online) and are experiencing a Segmentation fault in X509_STORE_get_by_subject (). We are on a regularly updated Ubuntu 16.04 and using the latest pam_pkcs11 0.6.9. But the error also appears in version 0.6.8.4.

gdb bt:

Thread 1 "pkcs11_inspect" received signal SIGSEGV, Segmentation fault.
0x00007ffff7aed662 in X509_STORE_get_by_subject () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(gdb) bt
#0  0x00007ffff7aed662 in X509_STORE_get_by_subject () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#1  0x0000000000406f35 in verify_crl (ctx=0x7bbbb0, crl=0x7c3be0) at cert_vfy.c:151
#2  check_for_revocation (x509=x509@entry=0x7305e0, ctx=ctx@entry=0x7bbbb0, policy=<optimized out>) at cert_vfy.c:291
#3  0x00000000004074c2 in verify_certificate (x509=x509@entry=0x7305e0, policy=policy@entry=0x6164d8 <configuration+88>) at cert_vfy.c:464
#4  0x00000000004032fd in main (argc=<optimized out>, argv=<optimized out>) at pkcs11_inspect.c:132

If we turn off CRL checking in the config, everything runs fine. Also switching to offline checking does not help as the segmentation fault also appears in this mode.

Our PKCS11 lib is from CryptoVision: /usr/local/lib/libcvP11.so
The URL where the CRL gets downloaded from: http://crl.d-trust.net/crl/eon_ca_2_2013_xxi.crl

last debug output is:

DEBUG:cert_vfy.c:265: downloading crl from http://crl.d-trust.net/crl/eon_ca_2_2013_xxi.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [crl.d-trust.net]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/crl/eon_ca_2_2013_xxi.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:290: verifying crl
Segmentation fault

I dug a bit deeper into the code and came up with these findings:

X509_STORE_get_by_subject(vs, type, name, ret) is documented in openssl as "If the certificate or crl is found by some means, then it is placed into ret (which must not be NULL) with an indicator of the type of object returned. This function returns 1 on a match and 0 on error or if no match was found. ". However obj (=ret) is defined as
X509_OBJECT *obj = NULL;
In my opinion it should rather be declared as
X509_OBJECT obj;
and calls to this function changed to, e.g.,
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
and no attempt to free this object should be made.

In function "check_for_revocation()", X509_CRL_get0_by_cert() is supposed to return 0 on failure and 1 on success. I guess "success" means a revoked certificate was found, so a "failure" would mean the certificate was not revoked. However the code then exits with
return (rv == -1);
This doesn't make sense to me.

After adjusting the code for these findings, everything works fine, but this would somehow imply that the CRL check code never worked in the first place.

Any suggestions? Am I on the wrong track?

Cheers,
Michael

PKCS11 module crashes when no CRL defined for card

I'm seeing a crash in src/common/cert_vfy.c: verify_crl() is being passed a NULL X509_CRL *crl by check_for_revocation(). At minimum the module should not crash; it should detect the situation where crl == NULL and fail gracefully.

Debug output:

Enter your Smart card PIN on the pinpad
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   03
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:196: Inserting mapper [cn] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '<redacted 1>' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '<redacted 1>' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 2>.pem
DEBUG:cert_vfy.c:298: download_crl() failed: get_from_uri() failed: curl_easy_perform() failed: Couldn't open file <redacted 2>tdecrl.pem (37)
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 1>/<redacted 3>.crl
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:313: verifying crl
DEBUG:cert_vfy.c:235: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:cert_vfy.c:313: verifying crl

Thread 1 "login" received signal SIGSEGV, Segmentation fault.
X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108
108     ../crypto/x509/x509cset.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7052220 in X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108

This may be related to #42.

make pkcs11_module option "slot_description" a substring match

Hi there

Problem description
A while ago I discovered that the slot_description option in pkcs11_module is not working as intended, because the string it is compared against also contains the slot ID.

Furthermore we use Yubikey as smartcard in our company for authentication. Over the years we got different versions. Some users have Yubikey NEO, some Yubikey 4 and now there are Yubikey 5 as well. On top of that there are users with smartcards from our customers to authenticate on external systems.

So it would be very nice to have a substring match instead of a full match for the slot_description field in the config file.

Test setup
System: Ubuntu 20.04
opensc version 0.20.0-3 amd64
libpam-pkcs11 version 0.6.11-2 amd64

inserted smartcards on the system:

  • Slot 0: Yubikey NEO OTP+CCID
  • Slot 1: Yubikey NEO OTP+U2F+CCID
  • Slot 2: Yubikey 4 OTP+CCID
  • Slot 3: Gemalto PC Twin Reader with customer smartcard

# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
1    Yes             Yubico Yubikey NEO OTP+CCID 01 00
2    Yes             Yubico Yubikey 4 OTP+CCID 02 00
3    Yes             Gemalto PC Twin Reader (922FBFB3) 03 00

relevant part of pam_pkcs11 config:

# cat /etc/pam_pkcs11/pam_pkcs11.conf
pam_pkcs11 {
  ...
  use_pkcs11_module = yubikey;
  pkcs11_module yubikey {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    slot_description = "Yubico Yubikey NEO OTP+CCID";
    #slot_num = 1;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    support_threads = false;
    cert_policy = ca,signature;
    #crl check disabled as workaround cause of segmentation fault, see https://github.com/OpenSC/pam_pkcs11/issues/42
    #cert_policy = ca,signature,crl_auto;
    token_type = "YubiKey";
  }
...

Steps to reproduce

# /usr/bin/pklogin_finder debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.20
DEBUG:pkcs11_lib.c:1077: number of slots (a): 5
DEBUG:pkcs11_lib.c:1100: number of slots (b): 5
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+U2F+CCID 00 00                           
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user1                   
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: fa199c6821e35273
DEBUG:pkcs11_lib.c:1136:   - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00                               
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user3                       
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136:   - flags: 2040d
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey 4 OTP+CCID 02 00                                 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user2                          
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: c0fdcb8f44270042
DEBUG:pkcs11_lib.c:1136:   - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 4:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00                         
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: PKI Card (Card PIN)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: <CUSTOMER>                   
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15         
DEBUG:pkcs11_lib.c:1135:   - serial: 105003013405    
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 5:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00                         
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: PKI Card (Card PUK)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: <CUSTOMER>                   
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15         
DEBUG:pkcs11_lib.c:1135:   - serial: 105003013405    
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pklogin_finder.c:95: no token available

Expected result
Find the smartcard in slot 2 (token label test.user3), whose description equals the slot_description in pam_pkcs11.conf (Yubico Yubikey NEO OTP+CCID).

Actual result
As you can see in the debug output, a "01 00" is appended to the description, which represents the slot ID:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
and this results in
DEBUG:pklogin_finder.c:95: no token available

If I write slot_description = "Yubico Yubikey NEO OTP+CCID 01 00"; into pam_pkcs11.conf then it works, but only if the key is in slot 1. I guess this is not the idea behind the slot_description option; this way it is just a stricter version of the alternative slot_num option.

Expected behavior after this request is implemented
Changing this to a substring match would also solve the problem with the different Yubikey versions we have. Then I can simply write slot_description = "Yubico Yubikey " into pam_pkcs11.conf and every user can log in with his Yubikey on every system.

I would like to see the following matches and mismatches:

Examples of matches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+U2F+CCID"

description from debug: "Yubico Yubikey NEO OTP+CCID 01 00"
description in config : "Yubico Yubikey"

description from debug: "Yubico Yubikey 4 OTP+CCID 02 00"
description in config : "Yubico Yubikey"


Examples of mismatches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+CCID"

description from debug: "Gemalto PC Twin Reader (922FBFB3) 03 00"
description in config : "Yubico Yubikey"

Very ugly workaround I'm using at the moment
Change the description of all Yubikeys in /etc/libccid_Info.plist on every workstation we have to
<string>Yubico Yubikey description with more then 64 characters to workaround the pkcs11 string matching problem</string>
and enter the following slot description into pam_pkcs11.conf
slot_description = "Yubico Yubikey description with more then 64 characters as wo..."
then it matches, because pklogin_finder cuts it off at 64 chars:

DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey description with more then 64 characters as wo...
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico                          
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: test.user3                       
DEBUG:pkcs11_lib.c:1133:   - manufacturer: piv_II                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136:   - flags: 2040d
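The exact-versus-substring comparison requested above, as an added example written for this page and not pam_pkcs11's own code. It assumes only the PKCS#11 definition of CK_SLOT_INFO.slotDescription: a 64-byte field padded with blanks rather than NUL-terminated, which is also why the over-long description in the workaround is cut at 64 characters. The function names are hypothetical and the sample descriptions are taken from the debug output quoted in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pam_pkcs11 code. PKCS#11 defines CK_SLOT_INFO.slotDescription
 * as a 64-byte blank-padded field without a NUL terminator; the "01 00" style
 * suffix in the debug output above is simply part of what the module reports. */
#define SLOT_DESC_LEN 64

/* Copy a raw slot description into a NUL-terminated buffer, dropping the blank
 * padding. `out` must have room for SLOT_DESC_LEN + 1 bytes. */
static void slot_desc_to_cstring(const unsigned char raw[SLOT_DESC_LEN], char *out)
{
    size_t n = SLOT_DESC_LEN;
    while (n > 0 && raw[n - 1] == ' ')
        n--;
    memcpy(out, raw, n);
    out[n] = '\0';
}

/* Behaviour the report observes: the configured value must equal the whole field. */
bool slot_desc_matches_exact(const unsigned char raw[SLOT_DESC_LEN], const char *wanted)
{
    char desc[SLOT_DESC_LEN + 1];
    if (wanted == NULL)
        return false;
    slot_desc_to_cstring(raw, desc);
    return strcmp(desc, wanted) == 0;
}

/* Behaviour the report asks for: the configured value only has to occur in the
 * field. An empty value is rejected so a blank config line cannot select any slot. */
bool slot_desc_matches_substring(const unsigned char raw[SLOT_DESC_LEN], const char *wanted)
{
    char desc[SLOT_DESC_LEN + 1];
    if (wanted == NULL || wanted[0] == '\0')
        return false;
    slot_desc_to_cstring(raw, desc);
    return strstr(desc, wanted) != NULL;
}

/* Build a blank-padded field the way a module would report it (constructed test
 * input). Text longer than 64 bytes is cut, which is the truncation the
 * workaround in the report relies on. */
void make_slot_desc(const char *text, unsigned char raw[SLOT_DESC_LEN])
{
    size_t len = strlen(text);
    if (len > SLOT_DESC_LEN)
        len = SLOT_DESC_LEN;
    memset(raw, ' ', SLOT_DESC_LEN);
    memcpy(raw, text, len);
}

/* Convenience wrapper: compare a reported description (as a C string) with a
 * configured slot_description under either rule. */
bool desc_matches(const char *reported, const char *configured, bool substring)
{
    unsigned char raw[SLOT_DESC_LEN];
    make_slot_desc(reported, raw);
    return substring ? slot_desc_matches_substring(raw, configured)
                     : slot_desc_matches_exact(raw, configured);
}

int main(void)
{
    /* Descriptions taken from the debug output in the report. */
    const char *reported[] = {
        "Yubico Yubikey NEO OTP+U2F+CCID 00 00",
        "Yubico Yubikey NEO OTP+CCID 01 00",
        "Yubico Yubikey 4 OTP+CCID 02 00",
        "Gemalto PC Twin Reader (922FBFB3) 03 00",
    };
    const char *configured = "Yubico Yubikey";
    for (size_t i = 0; i < sizeof reported / sizeof reported[0]; i++)
        printf("%-40s exact=%d substring=%d\n", reported[i],
               desc_matches(reported[i], configured, false),
               desc_matches(reported[i], configured, true));
    return 0;
}
```

The empty-string guard in slot_desc_matches_substring() is the one design choice worth noting: strstr() with an empty needle matches everything, so without it a blank slot_description would silently select the first token present, which is the opposite of what a substring option should do.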

Online CRL verification fails if the ca_dir contains multiple CAs with the same subject

Overview

After setting this up for U.S. Government PIV card authentication, I found a problem: everything fails when online CRL checks are enabled. I traced the problem to how CRLs are validated when using a CA hash_dir. Basically, if multiple CAs exist with the same subject, the CRL signature is only checked against the first one (index 0). The others are read, but ignored.

I think this has something to do with how the EVP_PKEY is fetched in verify_crl(), but I'm not entirely sure. It could also be a shortcoming in the OpenSSL API, because the same bug exists in the openssl crl utility (source link).

Steps to repeat

  1. Configure pam_pkcs11 to use the OpenSC pkcs11_module, make sure the cert_policy includes ca_online, and that ca_dir is a directory.
  2. Create two CAs with the same subject and a CRL distribution point. The CRL distribution point can be unique to each. I will call these CA1 and CA2. For greater realism, you could also create a common root CA, but that shouldn't matter.
  3. Create an empty CRL for CA2 and make it available via the CRL distribution point. I'm not sure if file:/// URLs are supported as distribution points, but if not you may need an HTTP server.
  4. Use CA2 to sign a certificate on a test card.
  5. Place the public certificates for both CA1 and CA2 into the ca_dir and execute pkcs11_make_hash_dir. The hashes generated for each of the CAs should be identical, so the links should be like hash.0 and hash.1.
  6. With the test card inserted, execute pkcs11_inspect.

Expected behavior

Knowing that the certificate is valid for a trusted CA, and that it is NOT revoked, it should verify as OK and output the fingerprint.

Actual behavior

Assuming hash.0 points to CA1 and hash.1 points to CA2, you should see something like this with debug=true:

DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 3
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://example.org/CRL2.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [example.org]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/CRL2.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:165: crl is invalid
DEBUG:cert_vfy.c:462: certificate has been revoked
ERROR:pkcs11_inspect.c:142: verify_certificate() failed:

If you manually rearrange the CA hash links so hash.0 points to CA2 and hash.1 points to CA1, it should succeed. Likewise, if you set ca_dir to point directly at CA2, it should succeed.

Versions affected

I've tested this using 0.6.7-1 on Ubuntu 12.04, but I'm fairly confident it's still a problem on newer versions. The code I believe to be responsible has not changed since 2005 (0.5.2?).

Endless Loop on signature size

I am entering an endless loop because my signature length is greater than 64. I modified the code in src/common/pkcs11_lib.c line 1814 from *signature_length = 64; to *signature_length = 1024; and everything appears to be fine for me. The code in question is as follows:

if (rv == CKR_BUFFER_TOO_SMALL) {
  /* increase signature length as long as it it to short */
  free(*signature);
  *signature = NULL;
  DBG1("increased signature buffer-length to %ld", *signature_length);

I don't see where the string is getting incremented or increased.

I really don't want my own version of pam_pkcs11 and was wondering if you could take a look at the problem and advise.

Thanks...
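The CKR_BUFFER_TOO_SMALL retry the report is looking for, as an added example; this is hypothetical code written for this page, not pam_pkcs11's sign_value(). It assumes the PKCS#11 contract that C_Sign writes the required length back through its last argument when the supplied buffer is too small, and that a NULL signature pointer asks only for the size. The C_Sign here is a constructed mock standing in for a real module; the return code values are the standard PKCS#11 ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not pam_pkcs11 code. Minimal PKCS#11 types and the standard
 * return codes used below. */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
#define CKR_OK               0x00000000UL
#define CKR_HOST_MEMORY      0x00000002UL
#define CKR_GENERAL_ERROR    0x00000005UL
#define CKR_ARGUMENTS_BAD    0x00000007UL
#define CKR_BUFFER_TOO_SMALL 0x00000150UL

/* Constructed mock of C_Sign for a token producing a 256-byte signature (the
 * size of an RSA-2048 signature). Like a real module it reports the required
 * size in *sig_len and returns CKR_BUFFER_TOO_SMALL when the buffer cannot hold
 * it; with sig == NULL it only reports the size. */
#define MOCK_SIG_LEN 256
static CK_RV mock_C_Sign(const CK_BYTE *data, CK_ULONG data_len,
                         CK_BYTE *sig, CK_ULONG *sig_len)
{
    if (data == NULL || data_len == 0 || sig_len == NULL)
        return CKR_ARGUMENTS_BAD;
    if (sig == NULL || *sig_len < MOCK_SIG_LEN) {
        *sig_len = MOCK_SIG_LEN;
        return sig == NULL ? CKR_OK : CKR_BUFFER_TOO_SMALL;
    }
    /* Fake "signature": the input repeated, so a caller can check the bytes. */
    for (CK_ULONG i = 0; i < MOCK_SIG_LEN; i++)
        sig[i] = data[i % data_len];
    *sig_len = MOCK_SIG_LEN;
    return CKR_OK;
}

/* Sign `data`, growing the buffer on CKR_BUFFER_TOO_SMALL. Two things keep this
 * from looping forever: the new size is whatever the module wrote into sig_len
 * (never a constant such as 64), and the number of retries is bounded. */
#define MAX_GROW 4
CK_RV sign_with_grow(const CK_BYTE *data, CK_ULONG data_len,
                     CK_BYTE **sig_out, CK_ULONG *sig_len_out)
{
    CK_ULONG sig_len = 64;            /* start too small on purpose, as in the report */
    CK_BYTE *sig = NULL;
    CK_RV rv = CKR_GENERAL_ERROR;

    *sig_out = NULL;
    *sig_len_out = 0;
    for (int attempt = 0; attempt < MAX_GROW; attempt++) {
        CK_ULONG have = sig_len;
        CK_BYTE *tmp = realloc(sig, have);
        if (tmp == NULL) {
            free(sig);
            return CKR_HOST_MEMORY;
        }
        sig = tmp;
        rv = mock_C_Sign(data, data_len, sig, &sig_len);
        if (rv != CKR_BUFFER_TOO_SMALL)
            break;
        /* sig_len now holds the size the module needs. A module that keeps asking
         * for the same or a smaller size will never succeed: give up. */
        if (sig_len <= have) {
            rv = CKR_GENERAL_ERROR;
            break;
        }
    }
    if (rv != CKR_OK) {
        free(sig);
        return rv;
    }
    *sig_out = sig;
    *sig_len_out = sig_len;
    return CKR_OK;
}

/* The cleaner alternative: ask for the size first, then sign once. */
CK_RV sign_with_query(const CK_BYTE *data, CK_ULONG data_len,
                      CK_BYTE **sig_out, CK_ULONG *sig_len_out)
{
    CK_ULONG sig_len = 0;
    CK_RV rv = mock_C_Sign(data, data_len, NULL, &sig_len);   /* size query only */
    if (rv != CKR_OK)
        return rv;
    CK_BYTE *sig = malloc(sig_len);
    if (sig == NULL)
        return CKR_HOST_MEMORY;
    rv = mock_C_Sign(data, data_len, sig, &sig_len);
    if (rv != CKR_OK) {
        free(sig);
        return rv;
    }
    *sig_out = sig;
    *sig_len_out = sig_len;
    return CKR_OK;
}

/* Self-check on constructed input: both strategies must yield the 256-byte result. */
int demo_sign_ok(void)
{
    CK_BYTE data[4] = { 1, 2, 3, 4 };   /* stands in for the hash being signed */
    CK_BYTE *sig = NULL;
    CK_ULONG len = 0;
    if (sign_with_grow(data, sizeof data, &sig, &len) != CKR_OK)
        return 0;
    int ok = (len == MOCK_SIG_LEN && sig[0] == 1 && sig[MOCK_SIG_LEN - 1] == 4);
    free(sig);
    if (sign_with_query(data, sizeof data, &sig, &len) != CKR_OK)
        return 0;
    ok = ok && len == MOCK_SIG_LEN && sig[1] == 2;
    free(sig);
    return ok;
}

/* Bad arguments must come back as the module's error, with no buffer leaked or returned. */
int demo_bad_args_rejected(void)
{
    CK_BYTE *sig = (CK_BYTE *)1;
    CK_ULONG len = 99;
    return sign_with_grow(NULL, 0, &sig, &len) == CKR_ARGUMENTS_BAD && sig == NULL && len == 0;
}
```

Both helpers return the module's own CK_RV unchanged on failure so the caller can log it; a module that rejects the call outright (as in the C_Sign() failed: 0x00000007 report further down this page) is then reported as that code rather than retried. With a real module, the size query is safe because C_Sign leaves the signing operation active after a successful size-only call or a CKR_BUFFER_TOO_SMALL return.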

cannot build on fedora 32

I'm trying to build and install on fedora 32, but I'm having trouble during the make phase.

It seems a deprecated gcc function is used. Here's my error message:

n of function ‘X509_OBJECT_free_contents’; did you mean ‘X509_OBJECT_up_ref_count’? [-Wimplicit-function-declaration]
  159 |   X509_OBJECT_free_contents(&obj);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~
      |   X509_OBJECT_up_ref_count
cert_vfy.c:174:3: warning: ‘X509_CRL_get_lastUpdate’ is deprecated [-Wdeprecated-declarations]
  174 |   rv = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl));
      |   ^~
In file included from /usr/include/openssl/opensslconf.h:42,
                 from ../common/pam-pkcs11-ossl-compat.h:30,
                 from cert_st.h:36,
                 from cert_vfy.h:30,
                 from cert_vfy.c:18:
/usr/include/openssl/x509.h:727:1: note: declared here
  727 | DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
      | ^~~~~~~~~~~~~~~~~~
cert_vfy.c:183:3: warning: ‘X509_CRL_get_nextUpdate’ is deprecated [-Wdeprecated-declarations]
  183 |   rv = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
      |   ^~
In file included from /usr/include/openssl/opensslconf.h:42,
                 from ../common/pam-pkcs11-ossl-compat.h:30,
                 from cert_st.h:36,
                 from cert_vfy.h:30,
                 from cert_vfy.c:18:
/usr/include/openssl/x509.h:728:1: note: declared here
  728 | DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
      | ^~~~~~~~~~~~~~~~~~
cert_vfy.c: In function ‘check_for_revocation’:
cert_vfy.c:205:15: error: storage size of ‘obj’ isn’t known
  205 |   X509_OBJECT obj;
      |               ^~~
cert_vfy.c:212:12: error: storage size of ‘crl_pkey’ isn’t known
  212 |   EVP_PKEY crl_pkey;
      |            ^~~~~~~~

Is there any way of using this in fedora 32?

64-bit pkcs11_inspect(1) fails on SPARC with a SIGBUS due to misaligned access

Solaris 11 delivers pkcs11_inspect(1) compiled using -m64 which thus creates a 64-bit executable. The pkcs11_inspect(1) utility calls the src/common/cert_info.c:cert_info_sshpuk() routine which declares 'data_len' as an 'int' which is 32-bits in size and will thus be 32-bit aligned but then passes its address to src/common/base64.c:base64_encode() which expects a size_t. When base64_encode() dereferences the address of 'data_len' it expects the address to be 64-bit aligned since in the LP64 environment, size_t is an unsigned long and 64-bits in size. This discrepancy results in accessing an address which is 32-bit aligned but not 64-bit aligned and this misaligned access then triggers a SIGBUS.

static char **cert_info_sshpuk(X509 *x509)
{ 
  [...] 
        int data_len;
  [...] 
        /* encode data in base64 format */
        data_len= 1+ 4*((2+pt-blob)/3);
  [...] 
        res= base64_encode(blob,pt-blob,data,(size_t *) &data_len);

int base64_encode(const unsigned char *in,  size_t len, unsigned char *out,
    size_t *outlen)
{ 
  [...]
   if (*outlen < len2 + 1) {
> ::status
debugging core file of pkcs11_inspect (64-bit) from c27waspxwnyd12w
file: /usr/lib/pam_pkcs11/pkcs11_inspect
initial argv: ./pkcs11_inspect
threading model: native threads
status: process terminated by SIGBUS (Bus Error), addr=fffffe66942dffec
> $C
fffffe66942df671 openssh_mapper.so`base64_encode+0x40(dc4e3f7680, 117, dc4e3f9690, fffffe66942dffec, 0, dc4e3f9805)
fffffe66942df731 openssh_mapper.so`cert_info_sshpuk+0x29c(dc4e32c4d0, 55555400, 175, 7fcb4f03087f0, dc4e3f7797, 7fcb4f041a000)
fffffe66942df7f1 openssh_mapper.so`openssh_mapper_find_entries+0x1c(dc4e32c4d0, 0, 10011a000, 7fcb4f041a000, 10f9e4, 16a8)
fffffe66942df8a1 inspect_certificate+0x94(dc4e32c4d0, dc4e3f1a60, 10011b9a8, 100006348, 10011a000, 1) 
fffffe66942df951 main+0x414(10011b558, fffffe66942e06d8, 1, 0, 1, 100005000)
fffffe66942dfe21 _start+0x17c(0, 0, 0, 0, 0, 0)
// The address of 'data_len' is not 64-bit aligned:
> (fffffe66942dffec & 0x7)
                4
// But the address of 'data_len' is instead 32-bit aligned:
> (fffffe66942dffec & 0x3)
                0

Since size_t is 64-bits in size in LP64 mode the attempt to dereference its address which isn't 64-bit aligned triggers a SIGBUS.
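A caller and encoder pair that keeps the size_t contract intact, as an added example; it is not pam_pkcs11's base64.c or cert_info.c. base64_encode() below is a hypothetical reimplementation with the in/out *outlen the report describes, encode_blob() is the fixed caller shape, and aligned_for_size_t() is the check that tells a 4-byte-aligned int address from an 8-byte-aligned size_t address on LP64.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not pam_pkcs11's base64.c or cert_info.c. */
static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical encoder with the in/out `size_t *outlen` contract the report
 * describes: on entry *outlen is the capacity of `out`, on success it becomes the
 * encoded length (without the NUL). Returns 0 on success, -1 if `out` is too small. */
int base64_encode(const unsigned char *in, size_t len, char *out, size_t *outlen)
{
    size_t need = 4 * ((len + 2) / 3);
    if (*outlen < need + 1)           /* the check the report quotes: a size_t load */
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = b64_alphabet[(v >> 18) & 63];
        out[o++] = b64_alphabet[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? b64_alphabet[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? b64_alphabet[v & 63] : '=';
    }
    out[o] = '\0';
    *outlen = o;
    return 0;
}

/* True when p may be dereferenced as a size_t. A 4-byte-aligned int address fails
 * this on LP64, where size_t is 8 bytes; SPARC raises SIGBUS for such a load while
 * x86 silently tolerates it, which is why the bug only surfaced on Solaris/SPARC. */
int aligned_for_size_t(const void *p)
{
    return ((uintptr_t)p % _Alignof(size_t)) == 0;
}

/* Reproduces the reporter's situation without crashing: an int parked at a
 * 4-byte offset inside an 8-byte-aligned frame, tested with the check above. */
int demo_int_slot_misaligned(void)
{
    _Alignas(8) unsigned char frame[16] = { 0 };
    int *data_len = (int *)(frame + 4);      /* valid for an int, not for a size_t */
    return !aligned_for_size_t(data_len);
}

/* Caller in the shape of cert_info_sshpuk(), fixed: the length lives in a size_t,
 * so no cast is needed and the pointer handed to base64_encode() is aligned.
 * Returns the encoded length, or -1 if `out` is too small. */
int encode_blob(const unsigned char *blob, size_t blob_len, char *out, size_t out_cap)
{
    size_t data_len = out_cap;
    if (base64_encode(blob, blob_len, out, &data_len) != 0)
        return -1;
    return (int)data_len;
}

/* Self-check on constructed input; returns 1 when every case behaves as expected. */
int demo_encode_ok(void)
{
    char out[16];
    return encode_blob((const unsigned char *)"Man", 3, out, sizeof out) == 4 && strcmp(out, "TWFu") == 0
        && encode_blob((const unsigned char *)"Ma", 2, out, sizeof out) == 4 && strcmp(out, "TWE=") == 0
        && encode_blob((const unsigned char *)"M", 1, out, sizeof out) == 4 && strcmp(out, "TQ==") == 0
        && encode_blob((const unsigned char *)"Man", 3, out, 4) == -1;   /* needs 5 bytes */
}
```

The cast `(size_t *) &data_len` in the original caller is the whole defect: it silences the compiler's type check, and on a platform that enforces natural alignment the resulting 8-byte load from a 4-byte-aligned address is the SIGBUS in the core dump. Compiling with -Wcast-align=strict (GCC) flags such casts at build time.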

pam_pkcs11-0.6.10.tar.gz README says use non-existent ./configure. autoconf and autoconf -i both give errors.

pam_pkcs11-pam_pkcs11-0.6.10 $ autoconf -i
configure.ac:10: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:16: error: possibly undefined macro: AM_MAINTAINER_MODE
configure.ac:18: error: possibly undefined macro: AM_GNU_GETTEXT
configure.ac:26: error: possibly undefined macro: AM_PROG_AR
configure.ac:30: error: possibly undefined macro: AM_PROG_LEX
configure.ac:34: error: possibly undefined macro: AM_CONDITIONAL
configure.ac:37: error: possibly undefined macro: AC_MSG_ERROR

pam_pkcs11-pam_pkcs11-0.6.10 $ ./configure
configure: error: cannot find install-sh, install.sh, or shtool in "." "./.." "./../.."

C_Sign fails with 0x00000007 after inserting pin

Hello, I compiled and installed all the necessary packages and configured /etc/pam_pkcs11/subject_mapping with my smart card's subject data, that I got from pkcs11_inspect.
I also added and linked the required CA certificates in /etc/pam_pkcs11/cacerts.
I added the following line to /etc/pam.d/sudo:

#%PAM-1.0

auth sufficient /usr/local/lib/security/pam_pkcs11.so debug

** the rest of the unchanged commands **

But whenever I try to use sudo and type my pin, I get this (snip from the actual log):

Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [6d:86:47:...:e8]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:58:12:56:...:03]
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
Complete Log:

luis@CTW00632:~$ sudo -i
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro AU9560 00 00                                        
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Auth PIN (CARTAO DE CIDADAO)    
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Sign PIN (CARTAO DE CIDADAO)    
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Address PIN (CARTAO DE CIDADAO) 
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN: 
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   45
DEBUG:pkcs11_lib.c:1624: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   52
DEBUG:pkcs11_lib.c:1624: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   50
DEBUG:pkcs11_lib.c:1659: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:196: Inserting mapper [null] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:mapper_mgr.c:306: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [1b:e5:51:...:2e]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:cc:32:...:74]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 256
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Auth PIN (CARTAO DE CIDADAO)    
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Sign PIN (CARTAO DE CIDADAO)    
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic                         
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: Address PIN (CARTAO DE CIDADAO) 
DEBUG:pkcs11_lib.c:1133:   - manufacturer: GEMALTO                         
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: **removed**
DEBUG:pkcs11_lib.c:1136:   - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN: 

This file says that 0x00000007 is CKR_ARGUMENTS_BAD.

I believe the first time h->fl->C_Sign runs, it returns CKR_BUFFER_TOO_SMALL, and in the second loop with signature_length of 256, it fails.

pkcs11-tool -M returns this:

Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
  MD5-RSA-PKCS, keySize={512,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={512,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair

Why am I getting sign_value() failed: C_Sign() failed: 0x00000007 ?

Provide pam-auth-update configuration file?

Copy of Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/pam-pkcs11/+bug/1650366

Problem:

PAM configuration is managed using pam-auth-update.
However, pam-pkcs11 does not provide the necessary description file below /usr/share/pam-configs.
Hence, it must be added manually to the pam configuration.

Resolution:

pam-pkcs11 should supply a description file in /usr/share/pam-configs similar to the one attached.

Name: PKCS11 Smartcard Authentication
Default: yes
Priority: 128
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_pkcs11.so
Auth-Initial:
	[success=end default=ignore]	pam_pkcs11.so

Regards,
Joachim

Not building against OpenSSL 1.1.1

Fails to build - hangs on

make[3]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/po'
touch stamp-po
make[2]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/po'
Making all in doc
make[2]: Entering directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/doc'
ls: cannot access 'api/*': No such file or directory

If I try to reconfigure --without-docbook it goes further and fails with:

cert_vfy.c:174:3: warning: ‘X509_CRL_get_lastUpdate’ is deprecated [-Wdeprecated-declarations]
rv = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl));
^~
In file included from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:727:1: note: declared here
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
^~~~~~~~~~~~~~~~~~
cert_vfy.c:183:3: warning: ‘X509_CRL_get_nextUpdate’ is deprecated [-Wdeprecated-declarations]
rv = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
^~
In file included from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:728:1: note: declared here
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
^~~~~~~~~~~~~~~~~~
cert_vfy.c: In function ‘check_for_revocation’:
cert_vfy.c:205:15: error: storage size of ‘obj’ isn’t known
X509_OBJECT obj;
^~~
cert_vfy.c:212:12: error: storage size of ‘crl_pkey’ isn’t known
EVP_PKEY crl_pkey;
^~~~~~~~
make[4]: *** [Makefile:540: libcommon_la-cert_vfy.lo] Error 1
make[4]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src/common'
make[3]: *** [Makefile:615: all-recursive] Error 1
make[3]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src/common'
make[2]: *** [Makefile:403: all-recursive] Error 1
make[2]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src'
make[1]: *** [Makefile:459: all-recursive] Error 1
make[1]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10'
make: *** [Makefile:391: all] Error 2

Building on Arch, GCC 8.3

mapper heap-buffer-overflow

When running against ASAN it detected a heap-buffer-overflow:

=================================================================
==78084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000002ffd at pc 0x7fb185325118 bp 0x7ffcc0a9a850 sp 0x7ffcc0a99ff8
READ of size 1 at 0x60c000002ffd thread T0
    #0 0x7fb185325117 in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:704
    #1 0x7fb182173810 in get_mapent /opt/pam_pkcs11/src/mappers/mapper.c:87
    #2 0x7fb182173b9c in mapfile_find /opt/pam_pkcs11/src/mappers/mapper.c:164
    #3 0x7fb1821728b2 in find_user /opt/pam_pkcs11/src/pam_pkcs11/mapper_mgr.c:270
    #4 0x7fb1821714c4 in pam_sm_authenticate /opt/pam_pkcs11/src/pam_pkcs11/pam_pkcs11.c:578
    #5 0x7fb18218f055  (/tmp/pam.T/lib/libpam.so.0+0x4055)
    #6 0x7fb18218e933 in pam_authenticate (/tmp/pam.T/lib/libpam.so.0+0x3933)
   ...

The issue is that the get_mapent function in mapper.c isn't checking whether the from variable is NULL when it is passed into strchr.
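A defensive version of the map-entry lookup the report above describes, as an added example that is not pam_pkcs11's own code: it assumes the `from -> to` line layout of pam_pkcs11 mapfiles (the sample mapfile and its subjects are constructed) and treats a NULL key or a malformed line as a miss instead of handing it to strchr().

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One parsed mapfile entry; the pointers reference the caller's line buffer. */
struct mapent {
    const char *from; size_t from_len;
    const char *to;   size_t to_len;
};

/* Shrink [*s, *s + *len) to exclude leading and trailing whitespace. */
static void trim(const char **s, size_t *len)
{
    while (*len > 0 && isspace((unsigned char)(*s)[0])) { (*s)++; (*len)--; }
    while (*len > 0 && isspace((unsigned char)(*s)[*len - 1])) (*len)--;
}

/* Parse one "from -> to" line. Returns 1 for a usable entry, 0 otherwise.
 * A NULL line, a blank line, a '#' comment, a line without "->", or an empty
 * side all return 0 instead of being handed to strchr() and friends. */
int parse_mapent(const char *line, struct mapent *ent)
{
    if (line == NULL || ent == NULL) return 0;
    memset(ent, 0, sizeof *ent);
    const char *p = line;
    size_t len = strlen(line);
    trim(&p, &len);
    if (len == 0 || p[0] == '#') return 0;
    const char *sep = NULL;                 /* first "->" inside the trimmed span */
    for (size_t i = 0; i + 1 < len; i++) {
        if (p[i] == '-' && p[i + 1] == '>') { sep = p + i; break; }
    }
    if (sep == NULL) return 0;
    const char *from = p;       size_t from_len = (size_t)(sep - p);
    const char *to   = sep + 2; size_t to_len   = len - from_len - 2;
    trim(&from, &from_len);
    trim(&to, &to_len);
    if (from_len == 0 || to_len == 0) return 0;
    ent->from = from; ent->from_len = from_len;
    ent->to   = to;   ent->to_len   = to_len;
    return 1;
}

/* Find the login mapped to key in an in-memory mapfile. Returns 1 and fills
 * login on a match, 0 otherwise. A NULL key (a certificate that lacks the
 * attribute the mapper wants) is an ordinary miss, not an out-of-bounds read. */
int mapfile_lookup(const char *mapfile, const char *key,
                   char *login, size_t login_sz)
{
    if (mapfile == NULL || key == NULL || login == NULL || login_sz == 0) return 0;
    size_t key_len = strlen(key);
    const char *line = mapfile;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t line_len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];                      /* over-long lines are skipped, not truncated */
        if (line_len < sizeof buf) {
            memcpy(buf, line, line_len);
            buf[line_len] = '\0';
            struct mapent ent;
            if (parse_mapent(buf, &ent) && ent.from_len == key_len &&
                memcmp(ent.from, key, key_len) == 0 && ent.to_len < login_sz) {
                memcpy(login, ent.to, ent.to_len);
                login[ent.to_len] = '\0';
                return 1;
            }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}

/* Constructed sample mapfile (hypothetical subjects, not from any deployment). */
const char SAMPLE_MAPFILE[] =
    "# certificate subject -> login\n"
    "/C=EE/O=Example/CN=Alice Example -> alice\n"
    "   \n"
    "a line without the separator\n"
    "/C=EE/O=Example/CN=Bob Example   ->   bob\n";
```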

CRLs online fail to process after download and offline ones cause a segfault

Reported to Ubuntu initially as #1879710, but it may be better addressed here as it seems to affect any Linux distro I try.

Background:

Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. The certificate is read, the PIN prompts and it logs in, which is the expected behavior. There is, however, no method for checking CRLs (Certificate Revocation Lists) reliably. This is needed for security in the event someone lost their smart card/Yubikey, it was compromised somehow, or was just renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is valid.

Issue:

When attempting to read a CRL, it either fails to download or causes a segfault.
CRLs are set within the certificate to download over HTTP; this part of the process works OK. When it checks for revocation it seems to go wrong.

Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed

Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault which seems to point at an issue with libcrypto:

[ 1563.825006] pkcs11_inspect[3820]: segfault at 18 ip 00007ff8e1a95300 sp 00007ffd6db03088 error 4 in libcrypto.so.1.1[7ff8e190e000+19f000]
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66

Workaround:

None - disabling CRL checking defeats the point and is highly insecure.

OCSP could be another potential workaround, however this doesn't appear to have been included in the package(s).

unable to build pam_pkcs11

tar -xvf pam_pkcs11-0.6.9.tar.gz 
cd pam_pkcs11-0.6.9/
./configure 
make
make  all-recursive
make[1]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
Making all in .
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
Making all in po
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/po'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/po'
Making all in doc
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/doc'
xsltproc \
--stringparam  section.autolabel 1 \
--stringparam  section.label.includes.component.label 1 \
-o mappers_api.html pam_pkcs11.xsl mappers_api.xml
warning: failed to load external entity "http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"
compilation error: file pam_pkcs11.xsl line 3 element import
xsl:import : unable to load http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl
make[2]: *** [mappers_api.html] Error 5
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/doc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
make: *** [all] Error 2

Possible openssh_mapper error with SSH v1 key

Hi! There is the following mismatch in the openssh_mapper.c:

It uses

RSA_set0_key(rsa, rsa_e, rsa_n, NULL);

when is parsing ssh v1 key, but

RSA_set0_key(rsa, rsa_n, rsa_e, NULL);

for ssh v2 key. Notice the different order of rsa_e and rsa_n in the calls. Possibly that's an error. However, I don't know where I can get an SSH version 1 key to check it at runtime.

Lightdm cpu 100%

After upgrading Ubuntu to 16.04 I realized that the lightdm process was using 100% CPU.

OS: Ubuntu 16.04 64
Package: libpam-pkcs11 0.6.8.4
Token: Aladdin eToken Pro 0529:0620

Looking at the code I found a workaround, which is to comment out pkcs11_lib.c lines 1175-1177.
// if (h->fl != NULL)
// if (h->should_finalize)
// h->fl->C_Finalize(NULL);

Loading of pam_pkcs11 fails: segmentation fault in libcrypto.so.1.1

Hi there,

I just ran into a segmentation fault when I tried to log in via GDM on a pam_pkcs11 smartcard-enabled Ubuntu 18.04. When the smartcard is inserted, the smartcard PAM module (pam_pkcs11.so) is loaded and the smartcard login process crashes because of a segfault:

Jan 18 16:17:38 a02 gdm-password]: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
Jan 18 16:17:38 a02 gdm-password]: username = [test]
Jan 18 16:17:38 a02 gdm-password]: loading pkcs #11 module...
Jan 18 16:17:38 a02 gdm-password]: PKCS #11 module = [/lib/libIDPrimePKCS11.so.10]
Jan 18 16:17:38 a02 gdm-password]: module permissions: uid = 0, gid = 0, mode = 755
Jan 18 16:17:38 a02 gdm-password]: loading module /lib/libIDPrimePKCS11.so.10
Jan 18 16:17:38 a02 gdm-password]: getting function list
Jan 18 16:17:38 a02 gdm-password]: initialising pkcs #11 module...
Jan 18 16:17:38 a02 gdm-password]: module information:
Jan 18 16:17:38 a02 gdm-password]: - version: 2.20
Jan 18 16:17:38 a02 gdm-password]: - manufacturer: Gemalto
Jan 18 16:17:38 a02 gdm-password]: - flags: 0000
Jan 18 16:17:38 a02 gdm-password]: - library description: Gemalto PKCS11
Jan 18 16:17:38 a02 gdm-password]: - library version: 10.0
Jan 18 16:17:43 a02 kernel: [ 2957.384488] show_signal_msg: 6 callbacks suppressed
Jan 18 16:17:43 a02 kernel: [ 2957.384494] gdm-session-wor[2972]: segfault at 8 ip 00007f9551329910 sp 00007ffe2dc9be48 error 4 in libcrypto.so.1.1[7f955127d000+24d000]
Jan 18 16:17:43 a02 gdm3: Freeing conversation 'gdm-password' with active job

pam_pkcs11.so is dynamically linked to libcrypto.so.1.1 (in which actually the segfault happens):

root@a02:/etc/pam_pkcs11# ldd /lib/security/pam_pkcs11.so
  .....
  libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f7d82a06000)

First I thought it may be related to the Ubuntu repository pre-packaged libpam-pkcs11 package, but this does not seem to be true. I tried to remove the Ubuntu 18.04 official libpam-pkcs11 package and compiled pam_pkcs11.so myself using the following commands:

apt-get install -y libssl-dev libpam0g-dev pkg-config libpcsclite-dev libldap2-dev libnss3-dev
apt-get install -y libtool autoconf automake git
git clone https://github.com/OpenSC/pam_pkcs11.git
cd pam_pkcs11
./bootstrap
./configure --prefix=/usr --exec-prefix=/usr --with-ldap --with-nss
make
make install

I also tested it first without the option --with-nss, but I also ran into the same issue with the OpenSSL library, which is used by default (when no --with-nss is given).

In the further debugging process I tried to switch from libcrypto.so.1.1 to libcrypto.so.1.0.0, which actually solved my issue:

root@a02:/usr/lib/x86_64-linux-gnu# ls -la libcrypto.so*
lrwxrwxrwx 1 root root      16 Dec  5 16:59 libcrypto.so -> libcrypto.so.1.1
-rw-r--r-- 1 root root 2357760 Dec  4 16:58 libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2575848 Dec  5 16:59 libcrypto.so.1.1
root@a02:/usr/lib/x86_64-linux-gnu# mv libcrypto.so.1.1 libcrypto.so.1.1.orig
root@a02:/usr/lib/x86_64-linux-gnu# ln -s libcrypto.so.1.0.0 libcrypto.so.1.1
root@a02:/usr/lib/x86_64-linux-gnu# ls -la libcrypto.so*
lrwxrwxrwx 1 root root      16 Dec  5 16:59 libcrypto.so -> libcrypto.so.1.1
-rw-r--r-- 1 root root 2357760 Dec  4 16:58 libcrypto.so.1.0.0
lrwxrwxrwx 1 root root      18 Jan 18 17:21 libcrypto.so.1.1 -> libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2575848 Dec  5 16:59 libcrypto.so.1.1.orig

With libcrypto.so.1.0.0 it works:

Jan 18 17:22:06 a02 gdm-password]: Initializing NSS ...
Jan 18 17:22:06 a02 gdm-password]: Initializing NSS ... database=/etc/
Jan 18 17:22:06 a02 gdm-password]: ...  NSS Complete
Jan 18 17:22:06 a02 gdm-password]: username = [test]
Jan 18 17:22:06 a02 gdm-password]: loading pkcs #11 module...
Jan 18 17:22:06 a02 gdm-password]: Looking up module in list
Jan 18 17:22:06 a02 gdm-password]: modList = 0x75019cf0 next = 0x0
Jan 18 17:22:06 a02 gdm-password]: dllName= <null>
Jan 18 17:22:06 a02 gdm-password]: loading Module explictly, moduleSpes11.so" name="SmartCard"> module=/u
Jan 18 17:22:12 a02 gdm-password]: load module complete
Jan 18 17:22:12 a02 gdm-password]: initialising pkcs #11 module...
Jan 18 17:23:32 a02 gdm-password]: cert 0: found ....

Has anyone had a similar issue, or does anyone know how to fix this in a nicer way than my workaround?

My pam_pkcs11.conf (at least the relevant part of it):

# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = gemalto;

# Gemalto pkcs11 module
pkcs11_module gemalto {
  module = /lib/libIDPrimePKCS11.so.10;
  description = "Gemalto pkcs#11 module";
  slot_num = 1;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  cert_policy = ca,signature;
  token_type = "Smartcard";
}

Thanks!

Regards,
Philip

Get maintained

Hi Ludovic!

I currently maintain the package in Sisyphus and already have a number of patches I want to integrate. If you're really looking for a new maintainer, I can take it over.

EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing

rv = EVP_VerifyFinal(md_ctx, *signature, *signature_length, pubkey);

I am getting the following failure (full output below),

ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed

I am on commit bb2e3f3a95e44fdf44b0d5a4b377db3179021380 and using an Estonian ID card and I followed setup instructions from Ubuntu

Running this works,

$ pkcs15-tool --read-certificate 01 > /tmp/shell-cert.crt
Using reader with a card: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
$ openssl asn1parse -in /tmp/sc-cert.crt
... bunch of stuff ...

Full output,

$ sudo login aidan
[sudo] password for aidan: 
Smartcard authentication starts
DEBUG:pam_config.c:203: Invalid CRL policy: oscp_on
DEBUG:pam_pkcs11.c:335: username = [aidan]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.21
DEBUG:pkcs11_lib.c:1077: number of slots (a): 2
DEBUG:pkcs11_lib.c:1100: number of slots (b): 2
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp                   
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: MACDONALD,AIDAN PLENER... (PIN1)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: IDEMIA                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: UA0040364       
DEBUG:pkcs11_lib.c:1136:   - flags: 040e
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp                   
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: MACDONALD,AIDAN PLENER... (PIN2)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: IDEMIA                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: UA0040364       
DEBUG:pkcs11_lib.c:1136:   - flags: 040e
Smart card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome MACDONALD,AIDAN PLENER... (PIN1)!
Smart card PIN: 
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   01
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:pwent_mapper.c:174: pwent mapper started
DEBUG:mapper_mgr.c:196: Inserting mapper [pwent] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:cert_info.c:366: CN = [MACDONALD,AIDAN PLENERT,39207050216]
DEBUG:pwent_mapper.c:131: Trying to match pw_entry for cn 'MACDONALD,AIDAN PLENERT,39207050216'
DEBUG:pwent_mapper.c:133: CN 'MACDONALD,AIDAN PLENERT,39207050216' Match login 'aidan'
DEBUG:mapper_mgr.c:306: Mapper module pwent match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [f2:95:ec:...:ca]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000003
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:75:ef:...:0c]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 96
DEBUG:pkcs11_lib.c:1834: signature[96] = [4e:3b:62:...:ba]
DEBUG:pam_pkcs11.c:727: verifying signature...
DEBUG:cert_vfy.c:518: public key type: 0x00000198
DEBUG:cert_vfy.c:519: public key bits: 0x00000180
DEBUG:cert_vfy.c:540: hashing with SHA256
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed

fallback to password on empty pin

pam_pkcs11.txt

some time ago everything was fine :)
but now I need to pull my Yubikey to log in via PAM, because when I hit enter [as an empty PIN] for PIN auth, which is the first method in the auth-common stack, the PAM module logs me out!!!!

  1. Why doesn't the new mechanism fall back to the default password auth method (for an empty PIN)?

  2. And where can I change this back to the previous behavior with password fallback? (This is a "must have" option, as I use encryption of the user home, and to log in and unwrap the passphrase I need the user password when I first log in to my account - and there is no PIN solution for that.)

    auth [success=2 default=ignore] pam_pkcs11.so
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_ecryptfs.so unwrap

error 2318 - empty smartcard pin not allowed

I have also tried to add nullok

error 2320 - wrong smartcard pin

Where do I need to set this up, and which option is correct?

config attached

Not able to log-in ubuntu with pam using pkcs#11 module

When trying to log in using the pkcs#11 shared library by editing the PAM configuration file, I am facing an error like:

ubuntu kernel: [13342.185619] lightdm[15882]: segfault at b662b48e ip b71ddd2f sp bfb35dec error 4 in libc-2.19.so[b7163000+1a8000]

Getting this error after exiting from C_Finalize (traced using syslog).

At the log-in screen the messages are: Smartcard authentication starts,
Smart card found,
verifying certificate,
Failed to authenticate

When I tried through the terminal to log in as another user from the default user, I was able to get "authentication succeeded" at the end (before the segmentation fault in the terminal), and got this error (as per syslog):

ubuntu kernel: [11694.542754] su[13543]: segfault at b676048e ip b7586d2f sp bfd0f0bc error 4 in libc-2.19.so[b750c000+1a8000]

Can anyone help us by giving a solution to debug this...

EVP_VerifyFinal() failed with EC cert on 0.6.11

Hello, I have pam_pkcs11 working well with RSA certificates, but for a variety of reasons I'd much prefer EC certs, so I upgraded my pam_pkcs11 to 0.6.11 for its greater support. However, when I sign and store an ECDSA certificate, I get the following:

gdm-password]: loading pkcs #11 module...
gdm-password]: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
gdm-password]: module permissions: uid = 0, gid = 0, mode = 755
gdm-password]: loading module /usr/lib/opensc-pkcs11.so
gdm-password]: getting function list
gdm-password]: initialising pkcs #11 module...
gdm-password]: module information:
gdm-password]: - version: 2.20
gdm-password]: - manufacturer: OpenSC Project
gdm-password]: - flags: 0000
gdm-password]: - library description: OpenSC smartcard framework
gdm-password]: - library version: 0.20
gdm-password]: number of slots (a): 1
gdm-password]: number of slots (b): 1
gdm-password]: slot 1:
gdm-password]: - description: Alcor Micro AU9560 00 00
gdm-password]: - manufacturer: Generic
gdm-password]: - flags: 0007
gdm-password]: - token:
gdm-password]:   - label: MyEID (Basic PIN)
gdm-password]:   - manufacturer: Aventra Ltd.
gdm-password]:   - model: PKCS#15
gdm-password]:   - serial: 7303016809988479
gdm-password]:   - flags: 040d
gdm-password]: opening a new PKCS #11 session for slot 1
gdm-password]: login as user CKU_USER
gdm-password]: Saving Certificate #1:
gdm-password]: - type: 00
gdm-password]: - id:   02
gdm-password]: Found 1 certificates in token
gdm-password]: Retrieveing mapper module list
gdm-password]: Loading static module for mapper 'ms'
gdm-password]: Inserting mapper [ms] into list
gdm-password]: verifying the certificate #1
gdm-password]: Neither CA nor CRL check requested. CertVrfy() skipped
gdm-password]: Mapper module ms match() returns 1
gdm-password]: certificate is valid and matches the user
gdm-password]: reading 128 random bytes from /dev/urandom
gdm-password]: random-value[128] = [...]
gdm-password]: private key type: 0x00000003
gdm-password]: hash[51] = [...]
gdm-password]: signature[64] = [...]
gdm-password]: verifying signature...
gdm-password]: public key type: 0x00000198
gdm-password]: public key bits: 0x00000100
gdm-password]: hashing with SHA256
gdm-password]: logout user
gdm-password]: closing the PKCS #11 session
gdm-password]: releasing keys and certificates
gdm-password]: verify_signature() failed: EVP_VerifyFinal() failed: error:25066067:DSO support routines:dlfcn_load

Output of: pkcs11-tool -O

Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:       [Removed]
  subject:    [Removed]
  ID:         02
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:    [Removed]
  EC_PARAMS:   [Removed]
  label:       [Removed]
  ID:         02
  Usage:      encrypt, verify
  Access:     local

Output of: pkcs11-tool -M

Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA224, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={192,256}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={192,256}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
  ECDSA-KEY-PAIR-GEN, keySize={192,256}, hw, generate_key_pair, other flags=0x1800000
  RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
  RSA-PKCS-PSS, keySize={512,2048}, hw, sign, verify
  SHA1-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair
  AES-ECB, keySize={128,256}, encrypt, decrypt
  AES-CBC, keySize={128,256}, encrypt, decrypt
  AES-CBC-PAD, keySize={128,256}, encrypt, decrypt
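Both EC reports above, the 96-byte signature with the Estonian ID card (P-384) and the 64-byte one here (P-256), log signature lengths that match a raw r || s pair, which is the form PKCS#11's CKM_ECDSA mechanism produces, while OpenSSL's EVP_VerifyFinal parses a DER-encoded ECDSA-Sig-Value; one thing worth checking in such a setup is whether that conversion happens. As an added example that is not pam_pkcs11's code, here is a dependency-free conversion both ways (function names are mine, the self-check signature is constructed), with the DER parser showing that a raw blob is rejected rather than verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode one unsigned big-endian integer as a DER INTEGER into out.
 * Returns the number of bytes written, or 0 if out is too small. */
static size_t der_put_uint(const uint8_t *v, size_t vlen,
                           uint8_t *out, size_t outlen)
{
    while (vlen > 1 && v[0] == 0) { v++; vlen--; }   /* minimal encoding */
    size_t pad = (v[0] & 0x80) ? 1 : 0;             /* keep the value positive */
    size_t len = vlen + pad;
    if (len > 127 || outlen < 2 + len) return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, vlen);
    return 2 + len;
}

/* Convert a raw CKM_ECDSA signature (r || s, each rawlen/2 bytes) into a DER
 * ECDSA-Sig-Value, SEQUENCE { INTEGER r, INTEGER s }, which is the form
 * OpenSSL's verify routines parse. Returns the DER length, or 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *raw, size_t rawlen,
                        uint8_t *der, size_t derlen)
{
    if (raw == NULL || der == NULL || rawlen == 0 || rawlen % 2 != 0) return 0;
    size_t half = rawlen / 2;
    if (half > 66) return 0;                         /* P-521 is the largest curve handled */
    uint8_t body[2 * (2 + 1 + 66)];
    size_t n1 = der_put_uint(raw, half, body, sizeof body);
    if (n1 == 0) return 0;
    size_t n2 = der_put_uint(raw + half, half, body + n1, sizeof body - n1);
    if (n2 == 0) return 0;
    size_t bodylen = n1 + n2;
    size_t hdr = bodylen > 127 ? 3 : 2;              /* long-form length for P-521 */
    if (derlen < hdr + bodylen) return 0;
    der[0] = 0x30;
    if (hdr == 3) { der[1] = 0x81; der[2] = (uint8_t)bodylen; }
    else          { der[1] = (uint8_t)bodylen; }
    memcpy(der + hdr, body, bodylen);
    return hdr + bodylen;
}

/* Read one DER INTEGER at der[pos] into a field_len-byte big-endian field,
 * left-padded with zeros. Returns the position after it, or 0 on error. */
static size_t der_get_uint(const uint8_t *der, size_t derlen, size_t pos,
                           uint8_t *field, size_t field_len)
{
    if (pos + 2 > derlen || der[pos] != 0x02) return 0;
    size_t len = der[pos + 1];
    if (len == 0 || len > 127 || pos + 2 + len > derlen) return 0;
    const uint8_t *v = der + pos + 2;
    size_t vlen = len;
    while (vlen > 1 && v[0] == 0) { v++; vlen--; }   /* drop the sign pad */
    if (vlen > field_len) return 0;                  /* value too big for the curve */
    memset(field, 0, field_len);
    memcpy(field + field_len - vlen, v, vlen);
    return pos + 2 + len;
}

/* Inverse: DER ECDSA-Sig-Value back to raw r || s of 2 * field_len bytes.
 * Returns 2 * field_len, or 0 if the input is not a well-formed DER signature
 * (a raw r || s blob fails here, much as an OpenSSL d2i call would reject it). */
size_t ecdsa_der_to_raw(const uint8_t *der, size_t derlen,
                        uint8_t *raw, size_t field_len)
{
    if (der == NULL || raw == NULL || derlen < 2 || der[0] != 0x30) return 0;
    size_t pos = 2, bodylen = der[1];
    if (bodylen == 0x81) {
        if (derlen < 3) return 0;
        bodylen = der[2]; pos = 3;
    } else if (bodylen > 127) {
        return 0;
    }
    if (pos + bodylen != derlen) return 0;
    pos = der_get_uint(der, derlen, pos, raw, field_len);
    if (pos == 0) return 0;
    pos = der_get_uint(der, derlen, pos, raw + field_len, field_len);
    return pos == derlen ? 2 * field_len : 0;
}

/* Self-check on a constructed P-256-sized signature: r has its top bit set
 * (needs a 0x00 pad), s is the small value 1 (leading zeros are stripped).
 * Returns 1 when the DER form is as expected and the round trip is exact. */
int ecdsa_sig_selfcheck(void)
{
    uint8_t raw[64], der[160], back[64];
    memset(raw, 0x80, 32); memset(raw + 32, 0x00, 32); raw[63] = 0x01;
    size_t n = ecdsa_raw_to_der(raw, sizeof raw, der, sizeof der);
    if (n != 40 || der[0] != 0x30 || der[1] != 0x26) return 0;
    if (der[2] != 0x02 || der[3] != 0x21 || der[4] != 0x00) return 0;
    if (der[37] != 0x02 || der[38] != 0x01 || der[39] != 0x01) return 0;
    if (ecdsa_der_to_raw(der, n, back, 32) != 64) return 0;
    if (memcmp(back, raw, sizeof raw) != 0) return 0;
    /* feeding the raw blob to the DER parser must fail, not crash */
    return ecdsa_der_to_raw(raw, sizeof raw, back, 32) == 0;
}
```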

ldap_get_certificate(): no matching entries

Hello. I have some trouble with LDAP mapping, I guess. I'm using a simple self-signed certificate on the smart card and exactly the same one in the OpenLDAP server. Can you please tell me what could be wrong with the following scheme. Trying to log in with a smart card + pam_pkcs11 (LDAP mapping), but got an error:

DEBUG:ldap_mapper.c:1243: Trying to match certificate with user: 'cardholder'
DEBUG:ldap_mapper.c:926: ldap_get_certificate(): begin login = cardholder
DEBUG:ldap_mapper.c:583: added URI ldap://<address>:389
DEBUG:ldap_mapper.c:988: ldap_get_certificate(): try do_open for ldap://<address>:389
DEBUG:ldap_mapper.c:146: do_init():
DEBUG:ldap_mapper.c:416: Set connection timeout to 8
DEBUG:ldap_mapper.c:216: do_ssl_options
DEBUG:ldap_mapper.c:453: do_open(): do_start_tls
DEBUG:ldap_mapper.c:502: do_open(): TLS startup succeeded
DEBUG:ldap_mapper.c:324: do_bind(): bind DN="cn=admin,dc=ldapserver" pass="password"
DEBUG:ldap_mapper.c:357: do_bind rc=97
DEBUG:ldap_mapper.c:1022: ldap_get_certificate(): building default filter_str
DEBUG:ldap_mapper.c:789: ldap_build_cert_filter(): building default filter
DEBUG:ldap_mapper.c:1032: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=cardholder)(userCertificate=...))
DEBUG:ldap_mapper.c:1048: ldap_get_certificate(): no matching entries
DEBUG:ldap_mapper.c:1060: ldap_search_s() failed: Bad search filter
DEBUG:ldap_mapper.c:1212: ldap_get_certificate() failed
DEBUG:ldap_mapper.c:1251: Certificate map to user 'cardholder' failed
DEBUG:mapper_mgr.c:272: Mapper 'ldap' found (null), matched 0
DEBUG:pklogin_finder.c:148: find_user() failed for certificate #1:
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

my mapper:

  use_pkcs11_module = opensc
  pkcs11_module opensc {
          module = /usr/lib/.../opensc-pkcs11.so;
          cert_policy = none;
  }
  use_mappers = ldap;
  mapper ldap {
        debug = true;
        module = /usr/lib/.../pam_pkcs11/ldap_mapper.so;
        ldaphost = "10.0.0.11";
        ldapport = ;
        URI = "ldap://10.0.0.11";
        scope = 2;
        binddn = "cn=admin,dc=ldapserver";
        passwd = "password";
        base = "dc=ldapserver";
        attribute = "userCertificate";
        ssl = tls
        tls_checkpeer = 0
        #attribute_map = "userCertificate;binary=cert"
        filter = "(&(objectClass=posixAccount)(uid=%s))"
  }

I also had some trouble while downloading the certificate to LDAP, so I uploaded the binary cert via an LDIF file:

dn: uid=cardholder,dc=ldapserver
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: cardholder
cn: cardholder
sn: cardholder
givenName: Claus
title: Root
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {SSHA}7TS+a0wfVJlUw8F32K503Uoo9Ql8a0Ns
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1006
homeDirectory: /home/cardholder/
description: This is an example user
userCertificate;binary:< file:///home/user/cardholder.der

I'm using Debian 11 and LDAPv3 on the server.
Thank you

pkcs11_make_hash_link fails when file names contain whitespaces

Hi,

I'm trying to set up PAM authentication using corporate certificates that by default contain whitespaces in the file name.

Problem

pkcs11_make_hash_link can't process files with whitespaces in the filename:

$ ll ~/certs/test certificate.cer
-rw-r--r--. 1 user user    2 Mar 22 17:29 'test certificate.cer'

$ pkcs11_make_hash_link ~/certs/
we got a problem with: test certificate.cer

Comments

If I remove whitespaces from the file name, pkcs11_make_hash_link creates all links successfully.
Most likely happens when iterating through files with for file in *; where whitespace is treated as a separator.

verify_crl() failed: getting the issuer's public key failed

Hi,

I need help please
When I add crl_online to pam_pkcs11.conf in my Ubuntu VM and try to log in with a smartcard, I get the following error:

ERROR:pam_pkcs11.c:586: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed

Thanks

Segmentation fault (core dumped) with Estonian ID card

$ valgrind --leak-check=full pkcs11_listcerts
  ....

DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   01
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
Found '1' certificate(s)
Certificate #1:
- Subject:   /C=EE/CN=MACDONALD,AIDAN PLENERT,0123456789/SN=MACDONALD/GN=AIDAN PLENERT/serialNumber=PNOEE-0123456789
- Issuer:    /C=EE/O=SK ID Solutions AS/organizationIdentifier=NTREE-10747013/CN=ESTEID2018
- Algorithm: id-ecPublicKey
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
==10059== Invalid read of size 4
==10059==    at 0x4A515E5: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x4A5162C: X509_OBJECT_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x10FBFD: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x4C110B2: (below main) (libc-start.c:308)
==10059==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10059== 
==10059== 
==10059== Process terminating with default action of signal 11 (SIGSEGV)
==10059==  Access not within mapped region at address 0x1
==10059==    at 0x4A515E5: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x4A5162C: X509_OBJECT_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x10FBFD: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x4C110B2: (below main) (libc-start.c:308)
==10059==  If you believe this happened as a result of a stack
==10059==  overflow in your program's main thread (unlikely but
==10059==  possible), you can try to increase the size of the
==10059==  main thread stack using the --main-stacksize= flag.
==10059==  The main thread stack size used in this run was 8388608.
==10059== 
==10059== HEAP SUMMARY:
==10059==     in use at exit: 262,925 bytes in 4,378 blocks
==10059==   total heap usage: 6,665 allocs, 2,287 frees, 470,927 bytes allocated
==10059== 
==10059== 16 bytes in 1 blocks are definitely lost in loss record 25 of 840
==10059==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059==    by 0x49DB94D: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x4A51E0D: X509_OBJECT_new (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x10F67E: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x4C110B2: (below main) (libc-start.c:308)
==10059== 
==10059== 256 (32 direct, 224 indirect) bytes in 1 blocks are definitely lost in loss record 735 of 840
==10059==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059==    by 0x49DB94D: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x4A3EC62: OPENSSL_sk_new_reserve (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x48FBC54: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x48FBE78: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x48FB235: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x48FBF81: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x48FC00E: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x4A6B614: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059==    by 0x10FBF0: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059== 
==10059== 1,016 bytes in 1 blocks are definitely lost in loss record 803 of 840
==10059==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059==    by 0x11410C: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x10C3AF: ??? (in /usr/bin/pkcs11_listcerts)
==10059==    by 0x4C110B2: (below main) (libc-start.c:308)
==10059== 
==10059== LEAK SUMMARY:
==10059==    definitely lost: 1,064 bytes in 3 blocks
==10059==    indirectly lost: 224 bytes in 8 blocks
==10059==      possibly lost: 0 bytes in 0 blocks
==10059==    still reachable: 261,637 bytes in 4,367 blocks
==10059==         suppressed: 0 bytes in 0 blocks
==10059== Reachable blocks (those to which a pointer was found) are not shown.
==10059== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10059== 
==10059== For lists of detected and suppressed errors, rerun with: -s
==10059== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

Maybe the issue is at https://github.com/OpenSC/pam_pkcs11/blob/master/src/common/cert_vfy.c#L282. It's hard to tell.

$ dpkg -l | grep pkcs11
ii  firefox-pkcs11-loader                      3.13.6.1084-2004                      all          Firefox PKCS#11 module loader
ii  gnome-keyring-pkcs11:amd64                 3.36.0-1ubuntu1                       amd64        GNOME keyring module for the PKCS#11 module loading library
ii  libpam-pkcs11                              0.6.11-2                              amd64        Fully featured PAM module for using PKCS#11 smart cards
ii  libpkcs11-helper1:amd64                    1.26-1                                amd64        library that simplifies the interaction with PKCS#11
ii  opensc-pkcs11:amd64                        0.21.0-0RIA1                          amd64        Smart card utilities with support for PKCS#15 compatible cards

EVP_VerifyFinal() failed: invalid padding

I am trying to set up pam_pkcs11 using an OpenPGP card. Everything seems to work except the signature verification. Here is a snippet from the output:

DEBUG:pam_pkcs11.c:618: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [b3:88:65:...:c6]
DEBUG:pkcs11_lib.c:1735: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1807: hash[51] = [...:9c:83:d0:...:e4]
DEBUG:pkcs11_lib.c:1856: signature[512] = [81:86:05:...:2e]
DEBUG:pam_pkcs11.c:681: verifying signature...
DEBUG:cert_vfy.c:533: public key type: 0x00000006
DEBUG:cert_vfy.c:534: public key bits: 0x00001000
DEBUG:cert_vfy.c:566: hashing with SHA256
ERROR:pam_pkcs11.c:688: verify_signature() failed: EVP_VerifyFinal() failed: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
Error 2342: Verifying signature failed

Simply signing and verifying some data with pkcs11-tool like this is successful:

pkcs11-tool --sign -i testdata --id 03 --output-file testdata.sig_p11
pkcs11-tool --verify -i testdata --signature-file testdata.sig_p11 --id 03

I compiled pam_pkcs11 from sources today, hence this seems to be a bug in the current version. If there is anything I can do to help debug this, I am willing to try. :)

ssl config option for LDAP mapper has confusing values

The "ssl" configuration option for LDAP mapper can take the following values:

  • ssl
  • tls
  • on
  • off

based on the code in ldap_mapper.c

However, the documentation is not very clear about the meaning of these values.
One could incorrectly assume (with the recent POODLE attack) that ssl stands for "SSL 3.0" and tls stands for "TLS 1.x". This would be incorrect: ssl in fact means "LDAPS" and "tls" means "StartTLS".
Anyone involved with LDAP would immediately understand the exact meaning without examining the source code for details.

So I suggest renaming "ssl" to "ldaps" and "tls" to "starttls", or at least documenting these values properly.

unable to sign using ecdsa-with-SHA256

in short:

DEBUG:pam_pkcs11.c:637: certificate is valid and matches the user
Sprawdzanie podpisu
DEBUG:pkcs11_lib.c:1765: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:1784: random-value[128] = [3e:47:aa:...:cf]
DEBUG:pkcs11_lib.c:1726: hash[35] = [...:51:d3:14:...:af]
ERROR:pam_pkcs11.c:690: sign_value() failed: C_SignInit() failed: 0x00000063
Błąd 2340: Podpisanie nie powiodło się

Full explanation here:

http://crypto.stackexchange.com/questions/40277/ec-signing-using-pkcs11-failed-c-signinit-failed-0x00000063

Can the mail mapper truncate the domain before mapping?

For our usage, the user's email address within the certificate is their username on the host.

Example:

I like the ignoredomain option as I would prefer to validate that myhost.mydomain.com is part of mydomain.com. However, I would prefer not to generate direct maps for each host.

Can some kind of "dropdomain" setting be added to the option list in a way that does not alter the behavior of ignoredomain but does do a user match without the domain component?

Using pam_pkcs11 with multiple cards plugged in

Say I have two smart card readers connected to a machine at the same time. If I have an application that uses pam_pkcs11 for authentication, how will the module go about choosing which user to authenticate as?

I am looking for a way to enumerate a list of the cards connected to a machine and allow a user to pick which card they wish to authenticate as. Is this possible to do with pam_pkcs11? Thanks

New maintainer?

@LudovicRousseau I may be able (and willing :)) to step up to maintain this package (despite its limited usability on Mac :).

In the meanwhile, could you share your reasons for dropping it? Do you use something else in place of pam_pkcs11?

Crl_online even if all certificates are available on crl URI

=> Problem Description

We already opened an issue, the problems may be related: #68

Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_online on cert_policy, the certificate is rejected with the error: "Failed: getting the certificate of the crl-issuer failed".
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.

=> Steps to reproduce

To achieve this result, we just identify ourselves on the login screen and we try to log in and we type the PIN code.

=> Logs

The following logs are found in /var/log/auth.log:

Nov 3 08:44:41 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found

Please tell me what information you need to help us.

pkcs11_make_hash_link util does not work

Hi!

I am trying to use the pkcs11_make_hash_link util to make a symbolic hash link in the /etc/ssl/cacerts directory. Here is the content of that directory as produced by ls:

total 12
drwxr-xr-x 2 root root 4096 Jan 22 11:53 .
drwxr-xr-x 6 root root 4096 Jan 22 11:53 ..
-rw-r--r-- 1 asem asem 1029 Jan 22 10:36 root_2048_crt.pem

Then I did cd to that directory and executed

sudo pkcs11_make_hash_link

This execution does not produce any output and it seems that everything worked OK, but when I listed the directory content again I got this:

total 12
drwxr-xr-x 2 root root 4096 Jan 22 11:53 .
drwxr-xr-x 6 root root 4096 Jan 22 11:53 ..
-rw-r--r-- 1 asem asem 1029 Jan 22 10:36 root_2048_crt.pem

Nothing has changed. As mentioned in the man page to this util, a symbolic link to my cert should be created.

The version of libpam-pkcs11 that I use is 0.6.9-2build2.

Can you help me, please, with this?

P.S. I have tried to use the latest version of this script from here but it also did not work.

What about Kerberos mapper feature

At one time I was confused about authenticating through the Kerberos protocol. By delegating to the mapper, we can check user credentials via the PKINIT protocol. But nothing: in krb_mapper we see only retrieval of the KPN.
Can I open this issue to start the process of developing this feature? Thanks!

Check crl_offline failed when openssl works

=> Problem Description

Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_offline on cert_policy, the certificate is rejected.
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.

=> Steps to reproduce

To achieve this result, we just identify ourselves on the login screen and we try to log in and we type the PIN code.

=> Logs

Our configuration file /etc/pam_pkcs11/pam_pkcs11.conf: https://gist.github.com/tgreil/cfda9fb2cd041dfcf37eec70d7df0022

The following logs are found in /var/log/auth.log:

Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found
and we also have this screenshot

or in a terminal with debug mode:

DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pklogin_finder.c:138: verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
