Hello, I have pam_pkcs11 working well with RSA certificates, but for a variety of reasons I'd much prefer EC certs, so I upgraded my pam_pkcs11 to 0.6.11 for its greater support. However, when I sign and store an ECDSA certificate, I get the following:
gdm-password]: loading pkcs #11 module...
gdm-password]: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
gdm-password]: module permissions: uid = 0, gid = 0, mode = 755
gdm-password]: loading module /usr/lib/opensc-pkcs11.so
gdm-password]: getting function list
gdm-password]: initialising pkcs #11 module...
gdm-password]: module information:
gdm-password]: - version: 2.20
gdm-password]: - manufacturer: OpenSC Project
gdm-password]: - flags: 0000
gdm-password]: - library description: OpenSC smartcard framework
gdm-password]: - library version: 0.20
gdm-password]: number of slots (a): 1
gdm-password]: number of slots (b): 1
gdm-password]: slot 1:
gdm-password]: - description: Alcor Micro AU9560 00 00
gdm-password]: - manufacturer: Generic
gdm-password]: - flags: 0007
gdm-password]: - token:
gdm-password]: - label: MyEID (Basic PIN)
gdm-password]: - manufacturer: Aventra Ltd.
gdm-password]: - model: PKCS#15
gdm-password]: - serial: 7303016809988479
gdm-password]: - flags: 040d
gdm-password]: opening a new PKCS #11 session for slot 1
gdm-password]: login as user CKU_USER
gdm-password]: Saving Certificate #1:
gdm-password]: - type: 00
gdm-password]: - id: 02
gdm-password]: Found 1 certificates in token
gdm-password]: Retrieveing mapper module list
gdm-password]: Loading static module for mapper 'ms'
gdm-password]: Inserting mapper [ms] into list
gdm-password]: verifying the certificate #1
gdm-password]: Neither CA nor CRL check requested. CertVrfy() skipped
gdm-password]: Mapper module ms match() returns 1
gdm-password]: certificate is valid and matches the user
gdm-password]: reading 128 random bytes from /dev/urandom
gdm-password]: random-value[128] = [...]
gdm-password]: private key type: 0x00000003
gdm-password]: hash[51] = [...]
gdm-password]: signature[64] = [...]
gdm-password]: verifying signature...
gdm-password]: public key type: 0x00000198
gdm-password]: public key bits: 0x00000100
gdm-password]: hashing with SHA256
gdm-password]: logout user
gdm-password]: closing the PKCS #11 session
gdm-password]: releasing keys and certificates
gdm-password]: verify_signature() failed: EVP_VerifyFinal() failed: error:25066067:DSO support routines:dlfcn_load
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: [Removed]
subject: [Removed]
ID: 02
Public Key Object; EC EC_POINT 256 bits
EC_POINT: [Removed]
EC_PARAMS: [Removed]
label: [Removed]
ID: 02
Usage: encrypt, verify
Access: local
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={192,256}, hw, sign, other flags=0x1800000
ECDSA-SHA1, keySize={192,256}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
ECDSA-KEY-PAIR-GEN, keySize={192,256}, hw, generate_key_pair, other flags=0x1800000
RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
RSA-PKCS-PSS, keySize={512,2048}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair
AES-ECB, keySize={128,256}, encrypt, decrypt
AES-CBC, keySize={128,256}, encrypt, decrypt
AES-CBC-PAD, keySize={128,256}, encrypt, decrypt