opensc / pam_pkcs11
This Linux-PAM login module allows an X.509 certificate based user login
License: GNU Lesser General Public License v2.1
@LudovicRousseau I may be able (and willing :)) to step up to maintain this package (despite its limited usability on Mac :).
In the meantime, could you share your reasons for dropping it? Do you use something else in place of pam_pkcs11?
$ valgrind --leak-check=full pkcs11_listcerts
....
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 01
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
Found '1' certificate(s)
Certificate #1:
- Subject: /C=EE/CN=MACDONALD,AIDAN PLENERT,0123456789/SN=MACDONALD/GN=AIDAN PLENERT/serialNumber=PNOEE-0123456789
- Issuer: /C=EE/O=SK ID Solutions AS/organizationIdentifier=NTREE-10747013/CN=ESTEID2018
- Algorithm: id-ecPublicKey
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
==10059== Invalid read of size 4
==10059== at 0x4A515E5: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x4A5162C: X509_OBJECT_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x10FBFD: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x4C110B2: (below main) (libc-start.c:308)
==10059== Address 0x1 is not stack'd, malloc'd or (recently) free'd
==10059==
==10059==
==10059== Process terminating with default action of signal 11 (SIGSEGV)
==10059== Access not within mapped region at address 0x1
==10059== at 0x4A515E5: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x4A5162C: X509_OBJECT_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x10FBFD: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x4C110B2: (below main) (libc-start.c:308)
==10059== If you believe this happened as a result of a stack
==10059== overflow in your program's main thread (unlikely but
==10059== possible), you can try to increase the size of the
==10059== main thread stack using the --main-stacksize= flag.
==10059== The main thread stack size used in this run was 8388608.
==10059==
==10059== HEAP SUMMARY:
==10059== in use at exit: 262,925 bytes in 4,378 blocks
==10059== total heap usage: 6,665 allocs, 2,287 frees, 470,927 bytes allocated
==10059==
==10059== 16 bytes in 1 blocks are definitely lost in loss record 25 of 840
==10059== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059== by 0x49DB94D: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x4A51E0D: X509_OBJECT_new (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x10F67E: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10C4C0: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x4C110B2: (below main) (libc-start.c:308)
==10059==
==10059== 256 (32 direct, 224 indirect) bytes in 1 blocks are definitely lost in loss record 735 of 840
==10059== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059== by 0x49DB94D: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x4A3EC62: OPENSSL_sk_new_reserve (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x48FBC54: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x48FBE78: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x48FB235: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x48FBF81: ASN1_item_ex_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x48FC00E: ASN1_item_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x4A6B614: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==10059== by 0x10FBF0: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10FD13: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x11020C: ??? (in /usr/bin/pkcs11_listcerts)
==10059==
==10059== 1,016 bytes in 1 blocks are definitely lost in loss record 803 of 840
==10059== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10059== by 0x11410C: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x10C3AF: ??? (in /usr/bin/pkcs11_listcerts)
==10059== by 0x4C110B2: (below main) (libc-start.c:308)
==10059==
==10059== LEAK SUMMARY:
==10059== definitely lost: 1,064 bytes in 3 blocks
==10059== indirectly lost: 224 bytes in 8 blocks
==10059== possibly lost: 0 bytes in 0 blocks
==10059== still reachable: 261,637 bytes in 4,367 blocks
==10059== suppressed: 0 bytes in 0 blocks
==10059== Reachable blocks (those to which a pointer was found) are not shown.
==10059== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10059==
==10059== For lists of detected and suppressed errors, rerun with: -s
==10059== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Maybe the issue is at https://github.com/OpenSC/pam_pkcs11/blob/master/src/common/cert_vfy.c#L282. It's hard to tell.
$ dpkg -l | grep pkcs11
ii firefox-pkcs11-loader 3.13.6.1084-2004 all Firefox PKCS#11 module loader
ii gnome-keyring-pkcs11:amd64 3.36.0-1ubuntu1 amd64 GNOME keyring module for the PKCS#11 module loading library
ii libpam-pkcs11 0.6.11-2 amd64 Fully featured PAM module for using PKCS#11 smart cards
ii libpkcs11-helper1:amd64 1.26-1 amd64 library that simplifies the interaction with PKCS#11
ii opensc-pkcs11:amd64 0.21.0-0RIA1 amd64 Smart card utilities with support for PKCS#15 compatible cards
Hi,
I'm trying to set up PAM authentication using corporate certificates that by default contain whitespace in the file name.
pkcs11_make_hash_link can't process files with whitespace in the filename:
$ ll ~/certs/test certificate.cer
-rw-r--r--. 1 user user 2 Mar 22 17:29 'test certificate.cer'
$ pkcs11_make_hash_link ~/certs/
we got a problem with: test certificate.cer
If I remove the whitespace from the file name, pkcs11_make_hash_link creates all links successfully.
This most likely happens when iterating through files with for file in *; where whitespace is treated as a separator.
Hello, I have pam_pkcs11 working well with RSA certificates, but for a variety of reasons I'd much prefer EC certs, so I upgraded my pam_pkcs11 to 0.6.11 for its greater support. However, when I sign and store an ECDSA certificate, I get the following:
gdm-password]: loading pkcs #11 module...
gdm-password]: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
gdm-password]: module permissions: uid = 0, gid = 0, mode = 755
gdm-password]: loading module /usr/lib/opensc-pkcs11.so
gdm-password]: getting function list
gdm-password]: initialising pkcs #11 module...
gdm-password]: module information:
gdm-password]: - version: 2.20
gdm-password]: - manufacturer: OpenSC Project
gdm-password]: - flags: 0000
gdm-password]: - library description: OpenSC smartcard framework
gdm-password]: - library version: 0.20
gdm-password]: number of slots (a): 1
gdm-password]: number of slots (b): 1
gdm-password]: slot 1:
gdm-password]: - description: Alcor Micro AU9560 00 00
gdm-password]: - manufacturer: Generic
gdm-password]: - flags: 0007
gdm-password]: - token:
gdm-password]: - label: MyEID (Basic PIN)
gdm-password]: - manufacturer: Aventra Ltd.
gdm-password]: - model: PKCS#15
gdm-password]: - serial: 7303016809988479
gdm-password]: - flags: 040d
gdm-password]: opening a new PKCS #11 session for slot 1
gdm-password]: login as user CKU_USER
gdm-password]: Saving Certificate #1:
gdm-password]: - type: 00
gdm-password]: - id: 02
gdm-password]: Found 1 certificates in token
gdm-password]: Retrieveing mapper module list
gdm-password]: Loading static module for mapper 'ms'
gdm-password]: Inserting mapper [ms] into list
gdm-password]: verifying the certificate #1
gdm-password]: Neither CA nor CRL check requested. CertVrfy() skipped
gdm-password]: Mapper module ms match() returns 1
gdm-password]: certificate is valid and matches the user
gdm-password]: reading 128 random bytes from /dev/urandom
gdm-password]: random-value[128] = [...]
gdm-password]: private key type: 0x00000003
gdm-password]: hash[51] = [...]
gdm-password]: signature[64] = [...]
gdm-password]: verifying signature...
gdm-password]: public key type: 0x00000198
gdm-password]: public key bits: 0x00000100
gdm-password]: hashing with SHA256
gdm-password]: logout user
gdm-password]: closing the PKCS #11 session
gdm-password]: releasing keys and certificates
gdm-password]: verify_signature() failed: EVP_VerifyFinal() failed: error:25066067:DSO support routines:dlfcn_load
Output of: pkcs11-tool -O
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: [Removed]
subject: [Removed]
ID: 02
Public Key Object; EC EC_POINT 256 bits
EC_POINT: [Removed]
EC_PARAMS: [Removed]
label: [Removed]
ID: 02
Usage: encrypt, verify
Access: local
Output of: pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={192,256}, hw, sign, other flags=0x1800000
ECDSA-SHA1, keySize={192,256}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={192,256}, hw, derive, other flags=0x1800000
ECDSA-KEY-PAIR-GEN, keySize={192,256}, hw, generate_key_pair, other flags=0x1800000
RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
RSA-PKCS-PSS, keySize={512,2048}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair
AES-ECB, keySize={128,256}, encrypt, decrypt
AES-CBC, keySize={128,256}, encrypt, decrypt
AES-CBC-PAD, keySize={128,256}, encrypt, decrypt
=> Problem Description
Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user account only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_offline on cert_policy, the certificate is rejected.
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.
=> Steps to reproduce
To achieve this result, we just identify ourselves on the login screen, try to log in and type the PIN code.
=> Logs
Our configuration file /etc/pam_pkcs11/pam_pkcs11.conf: https://gist.github.com/tgreil/cfda9fb2cd041dfcf37eec70d7df0022
The following logs are found in /var/log/auth.log
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found
and we also have this screenshot
or in a terminal in debug mode:
DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pklogin_finder.c:138: verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
pam_pkcs11-pam_pkcs11-0.6.10 $ autoconf -i
configure.ac:10: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:16: error: possibly undefined macro: AM_MAINTAINER_MODE
configure.ac:18: error: possibly undefined macro: AM_GNU_GETTEXT
configure.ac:26: error: possibly undefined macro: AM_PROG_AR
configure.ac:30: error: possibly undefined macro: AM_PROG_LEX
configure.ac:34: error: possibly undefined macro: AM_CONDITIONAL
configure.ac:37: error: possibly undefined macro: AC_MSG_ERROR
pam_pkcs11-pam_pkcs11-0.6.10 $ ./configure
configure: error: cannot find install-sh, install.sh, or shtool in "." "./.." "./../.."
=> Problem Description
We already opened an issue; the problems may be related: #68
Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user account only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_online on cert_policy, the certificate is rejected with the error: "Failed: getting the certificate of the crl-issuer failed".
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.
=> Steps to reproduce
To achieve this result, we just identify ourselves on the login screen, try to log in and type the PIN code.
=> Logs
The following logs are found in /var/log/auth.log
Nov 3 08:44:41 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found
Please tell me what information you need to help us.
in short:
DEBUG:pam_pkcs11.c:637: certificate is valid and matches the user
Sprawdzanie podpisu
DEBUG:pkcs11_lib.c:1765: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:1784: random-value[128] = [3e:47:aa:...:cf]
DEBUG:pkcs11_lib.c:1726: hash[35] = [...:51:d3:14:...:af]
ERROR:pam_pkcs11.c:690: sign_value() failed: C_SignInit() failed: 0x00000063
Błąd 2340: Podpisanie nie powiodło się
full explanations here
When running against ASAN it detected a heap-buffer-overflow:
=================================================================
==78084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000002ffd at pc 0x7fb185325118 bp 0x7ffcc0a9a850 sp 0x7ffcc0a99ff8
READ of size 1 at 0x60c000002ffd thread T0
#0 0x7fb185325117 in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:704
#1 0x7fb182173810 in get_mapent /opt/pam_pkcs11/src/mappers/mapper.c:87
#2 0x7fb182173b9c in mapfile_find /opt/pam_pkcs11/src/mappers/mapper.c:164
#3 0x7fb1821728b2 in find_user /opt/pam_pkcs11/src/pam_pkcs11/mapper_mgr.c:270
#4 0x7fb1821714c4 in pam_sm_authenticate /opt/pam_pkcs11/src/pam_pkcs11/pam_pkcs11.c:578
#5 0x7fb18218f055 (/tmp/pam.T/lib/libpam.so.0+0x4055)
#6 0x7fb18218e933 in pam_authenticate (/tmp/pam.T/lib/libpam.so.0+0x3933)
...
The issue is that the get_mapent function in mapper.c isn't checking whether the from variable is NULL when it is passed into strchr.
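The NULL check the report asks for, as an added example that is not pam_pkcs11's own code: a small parser for mapfile lines in the assumed form "certificate field -> login", which rejects NULL, blank, comment and separator-less input before any string function touches it, plus a lookup over an in-memory mapfile (both function names are hypothetical).

```c
/* Added example (not pam_pkcs11's own code): NULL-safe handling of one
 * mapfile line. The mapfile format "from -> to" is an assumption. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

struct mapent {
    char from[256];  /* left-hand side, e.g. a certificate CN */
    char to[256];    /* right-hand side, the login name        */
};

/* Copy [s, e) into dst without surrounding blanks; 0 if it does not fit. */
static int copy_trimmed(char *dst, size_t cap, const char *s, const char *e)
{
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    if ((size_t)(e - s) >= cap) return 0;   /* also rejects e < s */
    memcpy(dst, s, (size_t)(e - s));
    dst[e - s] = '\0';
    return 1;
}

/* Parse one line into *out. Returns 1 on success; 0 for NULL input,
 * blank or '#' lines, a missing "->" separator, or an empty side. */
int parse_mapent(const char *line, struct mapent *out)
{
    const char *sep, *end;
    if (line == NULL || out == NULL) return 0;   /* the missing check */
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0' || *line == '#') return 0;
    sep = strstr(line, "->");
    if (sep == NULL) return 0;
    end = line + strcspn(line, "\r\n");          /* tolerate CRLF */
    if (!copy_trimmed(out->from, sizeof out->from, line, sep)) return 0;
    if (!copy_trimmed(out->to, sizeof out->to, sep + 2, end)) return 0;
    return out->from[0] != '\0' && out->to[0] != '\0';
}

/* Look "cn" up in a whole in-memory mapfile; returns the mapped login
 * (stored in out->to) or NULL when no line matches. */
const char *find_login(const char *mapfile, const char *cn, struct mapent *out)
{
    const char *p = mapfile;
    if (mapfile == NULL || cn == NULL || out == NULL) return NULL;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (n < sizeof line) {               /* over-long lines are skipped */
            memcpy(line, p, n);
            line[n] = '\0';
            if (parse_mapent(line, out) && strcmp(out->from, cn) == 0)
                return out->to;
        }
        p += n + (nl ? 1 : 0);
    }
    return NULL;
}
```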
Some time ago everything was fine :)
But now I need to pull my YubiKey to log in via PAM, because when I hit enter [as an empty PIN] for PIN auth, which is the first method in the auth-common stack, the PAM module logs me out!!!!
Why doesn't the new mechanism fall back to the default password auth method (for an empty PIN)?
And where can I change this to the previous behavior with password fallback? (This is a "must have option", as I use encryption of the user home, and to log in and unwrap the passphrase I need the user password when I first log in to my account - and no PIN solution.)
auth [success=2 default=ignore] pam_pkcs11.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
error 2318 - empty smartcard pin not allowed
I have also tried to add nullok
error 2320 - wrong smartcard pin
Where do I need to set this up, and which is the correct option?
Config attached.
Hi!
Finally, I've separated and described all my patches for pam_pkcs11 (I mentioned them a while ago in #27). The description is here: https://github.com/wolneykien/pam_pkcs11/blob/patches/alt/main/PATCHES.md and the file's branch (patches/alt/main) is the branch where all listed patches are combined together (not a simple merge though). They are also available as separate branches named devel/* in my repo.
I want to discuss and merge something!
After setting this up for U.S. Government PIV card authentication, I found a problem: everything fails when online CRL checks are enabled. I traced the problem to how CRLs are validated when using a CA hash_dir. Basically, if multiple CAs exist with the same subject, the CRL signature is only checked against the first one (index 0). The others are read, but ignored.
I think this has something to do with how the EVP_PKEY is fetched in verify_crl(), but I'm not entirely sure. It could also be a shortcoming in the OpenSSL API, because the same bug exists in the openssl crl utility (source link).
[...] pkcs11_module, make sure the cert_policy includes ca_online, and that ca_dir is a directory.
[...] subject and a CRL distribution point. The CRL distribution point can be unique to each. I will call these CA1 and CA2. For greater realism, you could also create a common root CA, but that shouldn't matter.
[...] file:/// URLs are supported as distribution points, but if not you may need an HTTP server.
[...] ca_dir and execute pkcs11_make_hash_dir. The hashes generated for each of the CAs should be identical, so the links should be like hash.0 and hash.1.
[...] pkcs11_inspect. Knowing that the certificate is valid for a trusted CA, and that it is NOT revoked, it should verify as OK and output the fingerprint.
Assuming hash.0 points to CA1 and hash.1 points to CA2, you should see something like this with debug=true:
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 3
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://example.org/CRL2.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [example.org]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/CRL2.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:165: crl is invalid
DEBUG:cert_vfy.c:462: certificate has been revoked
ERROR:pkcs11_inspect.c:142: verify_certificate() failed:
If you manually rearrange the CA hash links so hash.0 points to CA2 and hash.1 points to CA1, it should succeed. Likewise, if you set ca_dir to point directly at CA2, it should succeed.
I've tested this using 0.6.7-1 on Ubuntu 12.04, but I'm fairly confident it's still a problem on newer versions. The code I believe to be responsible has not changed since 2005 (0.5.2?).
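The hash.0/hash.1 scenario above, as an added example that is not pam_pkcs11's own code: real X.509 objects are replaced by constructed structs and X509_CRL_verify() by a key-identifier comparison, so the example runs without OpenSSL, but the two lookups model exactly the index-0 behaviour reported and the fix of trying every CA whose subject matches (all names are hypothetical).

```c
/* Added example (not pam_pkcs11's own code): model of the CRL-issuer
 * lookup over a hash_dir that holds several CAs with the same subject. */
#include <string.h>

struct ca_cert { const char *subject; const char *key_id; };
struct crl     { const char *issuer;  const char *signing_key_id; };

/* Stand-in for X509_CRL_verify(crl, pubkey): 1 if the CRL was signed
 * with this CA's key, 0 otherwise. Constructed, not real crypto. */
static int crl_verify_with(const struct crl *c, const struct ca_cert *ca)
{
    return strcmp(c->signing_key_id, ca->key_id) == 0;
}

/* Buggy lookup: only the first CA whose subject matches (hash.0) is
 * consulted; a CRL signed by hash.1 is reported as invalid, and the
 * certificate is then treated as revoked. Returns index or -1. */
int find_crl_issuer_first_match(const struct crl *c,
                                const struct ca_cert *store, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(store[i].subject, c->issuer) == 0)
            return crl_verify_with(c, &store[i]) ? i : -1;
    return -1;
}

/* Fixed lookup: every CA with a matching subject is a candidate, and the
 * CRL is accepted only when some candidate's key verifies its signature. */
int find_crl_issuer_any_match(const struct crl *c,
                              const struct ca_cert *store, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(store[i].subject, c->issuer) == 0 &&
            crl_verify_with(c, &store[i]))
            return i;
    return -1;
}
```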
tar -xvf pam_pkcs11-0.6.9.tar.gz
cd pam_pkcs11-0.6.9/
./configure
make
make all-recursive
make[1]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
Making all in .
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
Making all in po
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/po'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/po'
Making all in doc
make[2]: Entering directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/doc'
xsltproc \
--stringparam section.autolabel 1 \
--stringparam section.label.includes.component.label 1 \
-o mappers_api.html pam_pkcs11.xsl mappers_api.xml
warning: failed to load external entity "http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"
compilation error: file pam_pkcs11.xsl line 3 element import
xsl:import : unable to load http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl
make[2]: *** [mappers_api.html] Error 5
make[2]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9/doc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/amitkuma2/Desktop/tak_print/pam_pkcs11-0.6.9'
make: *** [all] Error 2
Solaris 11 delivers pkcs11_inspect(1) compiled using -m64 which thus
creates a 64-bit executable. The pkcs11_inspect(1) utility calls the
src/common/cert_info.c:cert_info_sshpuk() routine which declares
'data_len' as an 'int' which is 32-bits in size and will thus be 32-bit
aligned but then passes its address to
src/common/base64.c:base64_encode() which expects a size_t. When
base64_encode() dereferences the address of 'data_len' it expects the
address to be 64-bit aligned since in the LP64 environment, size_t is an
unsigned long and 64-bits in size. This discrepancy results in
accessing an address which is 32-bit aligned but not 64-bit aligned and
this misaligned access then triggers a SIGBUS.
static char **cert_info_sshpuk(X509 *x509)
{
[...]
int data_len;
[...]
/* encode data in base64 format */
data_len= 1+ 4*((2+pt-blob)/3);
[...]
res= base64_encode(blob,pt-blob,data,(size_t *) &data_len);
int base64_encode(const unsigned char *in, size_t len, unsigned char *out,
size_t *outlen)
{
[...]
if (*outlen < len2 + 1) {
> ::status
debugging core file of pkcs11_inspect (64-bit) from c27waspxwnyd12w
file: /usr/lib/pam_pkcs11/pkcs11_inspect
initial argv: ./pkcs11_inspect
threading model: native threads
status: process terminated by SIGBUS (Bus Error), addr=fffffe66942dffec
> $C
fffffe66942df671 openssh_mapper.so`base64_encode+0x40(dc4e3f7680, 117, dc4e3f9690, fffffe66942dffec, 0, dc4e3f9805)
fffffe66942df731 openssh_mapper.so`cert_info_sshpuk+0x29c(dc4e32c4d0, 55555400, 175, 7fcb4f03087f0, dc4e3f7797, 7fcb4f041a000)
fffffe66942df7f1 openssh_mapper.so`openssh_mapper_find_entries+0x1c(dc4e32c4d0, 0, 10011a000, 7fcb4f041a000, 10f9e4, 16a8)
fffffe66942df8a1 inspect_certificate+0x94(dc4e32c4d0, dc4e3f1a60, 10011b9a8, 100006348, 10011a000, 1)
fffffe66942df951 main+0x414(10011b558, fffffe66942e06d8, 1, 0, 1, 100005000)
fffffe66942dfe21 _start+0x17c(0, 0, 0, 0, 0, 0)
// The address of 'data_len' is not 64-bit aligned:
> (fffffe66942dffec & 0x7)
4
// But the address of 'data_len' is instead 32-bit aligned:
> (fffffe66942dffec & 0x3)
0
Since size_t is 64-bits in size in LP64 mode the attempt to dereference
its address which isn't 64-bit aligned triggers a SIGBUS.
The manpage pam_pkcs11(8) contains:
.SH "SEE ALSO"
.BR pam (8),
.BR pam_pkcs11.conf (5),
But there is no pam_pkcs11.conf(5) manpage.
Also reported on Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074245
"pam_pkcs11 manpage has no useful information and refers to non-existing pam_pkcs11.conf"
pam_pkcs11/src/common/cert_vfy.c, line 570 in 240e2eb
I am getting the following failure (full output below),
ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed
I am on commit bb2e3f3a95e44fdf44b0d5a4b377db3179021380
and using an Estonian ID card and I followed setup instructions from Ubuntu
Running this works,
$ pkcs15-tool --read-certificate 01 > /tmp/shell-cert.crt
Using reader with a card: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
$ openssl asn1parse -in /tmp/sc-cert.crt
... bunch of stuff ...
Full output,
$ sudo login aidan
[sudo] password for aidan:
Smartcard authentication starts
DEBUG:pam_config.c:203: Invalid CRL policy: oscp_on
DEBUG:pam_pkcs11.c:335: username = [aidan]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.21
DEBUG:pkcs11_lib.c:1077: number of slots (a): 2
DEBUG:pkcs11_lib.c:1100: number of slots (b): 2
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: MACDONALD,AIDAN PLENER... (PIN1)
DEBUG:pkcs11_lib.c:1133: - manufacturer: IDEMIA
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: UA0040364
DEBUG:pkcs11_lib.c:1136: - flags: 040e
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: MACDONALD,AIDAN PLENER... (PIN2)
DEBUG:pkcs11_lib.c:1133: - manufacturer: IDEMIA
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: UA0040364
DEBUG:pkcs11_lib.c:1136: - flags: 040e
Smart card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome MACDONALD,AIDAN PLENER... (PIN1)!
Smart card PIN:
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 01
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:pwent_mapper.c:174: pwent mapper started
DEBUG:mapper_mgr.c:196: Inserting mapper [pwent] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:cert_info.c:366: CN = [MACDONALD,AIDAN PLENERT,39207050216]
DEBUG:pwent_mapper.c:131: Trying to match pw_entry for cn 'MACDONALD,AIDAN PLENERT,39207050216'
DEBUG:pwent_mapper.c:133: CN 'MACDONALD,AIDAN PLENERT,39207050216' Match login 'aidan'
DEBUG:mapper_mgr.c:306: Mapper module pwent match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [f2:95:ec:...:ca]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000003
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:75:ef:...:0c]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 96
DEBUG:pkcs11_lib.c:1834: signature[96] = [4e:3b:62:...:ba]
DEBUG:pam_pkcs11.c:727: verifying signature...
DEBUG:cert_vfy.c:518: public key type: 0x00000198
DEBUG:cert_vfy.c:519: public key bits: 0x00000180
DEBUG:cert_vfy.c:540: hashing with SHA256
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed
Hi! There is the following mismatch in openssh_mapper.c:
It uses
RSA_set0_key(rsa, rsa_e, rsa_n, NULL);
when parsing an ssh v1 key, but
RSA_set0_key(rsa, rsa_n, rsa_e, NULL);
for an ssh v2 key. Notice the different order of rsa_e and rsa_n in the calls. Possibly, that's an error. However, I don't know where I can get an SSH version 1 key to check it at runtime.
I am entering an endless loop because my signature length is greater than 64. I modified the code in src/common/pkcs11_lib.c line 1814 *signature_length = 64; to *signature_length = 1024; and everything appears to be fine for me. The code in question is as follows:
if (rv == CKR_BUFFER_TOO_SMALL) {
/* increase signature length as long as it is too short */
free(*signature);
*signature = NULL;
DBG1("increased signature buffer-length to %ld", *signature_length);
I don't see where the string is getting incremented or increased.
I really don't want my own version of pam_pkcs11 and was wondering if you could take a look at the problem and advise.
Thanks...
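A retry loop that cannot spin forever, as an added example that is not pam_pkcs11's own code: the token is a constructed mock of C_Sign following the PKCS#11 length-reporting convention (a too-small buffer yields CKR_BUFFER_TOO_SMALL and the required size in *pulSignatureLen), and the caller grows its buffer to that reported size instead of re-using the fixed 64, with a bounded number of attempts; the type stand-ins and sign_with_retry are hypothetical.

```c
/* Added example (not pam_pkcs11's own code). Minimal stand-ins for the
 * PKCS#11 types so this compiles without pkcs11.h. */
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
#define CKR_OK                0x00UL
#define CKR_HOST_MEMORY       0x02UL
#define CKR_GENERAL_ERROR     0x05UL
#define CKR_BUFFER_TOO_SMALL  0x150UL

/* Constructed mock of C_Sign for a token whose signatures are 96 bytes
 * (the size the Estonian-card log above shows). NULL output: report the
 * size; too-small output: CKR_BUFFER_TOO_SMALL plus the required size. */
#define MOCK_SIG_LEN 96UL
static CK_RV mock_C_Sign(const CK_BYTE *data, CK_ULONG data_len,
                         CK_BYTE *sig, CK_ULONG *sig_len)
{
    (void)data; (void)data_len;
    if (sig == NULL || *sig_len < MOCK_SIG_LEN) {
        CK_RV rv = (sig == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL;
        *sig_len = MOCK_SIG_LEN;
        return rv;
    }
    memset(sig, 0xAB, MOCK_SIG_LEN);     /* fake signature bytes */
    *sig_len = MOCK_SIG_LEN;
    return CKR_OK;
}

/* Sign "data"; on success *sig is malloc'd and *sig_len set. Starts from
 * the 64-byte guess the report mentions, but on CKR_BUFFER_TOO_SMALL it
 * re-allocates with the length the token reported (the original loop kept
 * resetting it to 64) and gives up after a few attempts. */
CK_RV sign_with_retry(const CK_BYTE *data, CK_ULONG data_len,
                      CK_BYTE **sig, CK_ULONG *sig_len)
{
    CK_ULONG len = 64;                   /* initial guess */
    int attempts;
    *sig = NULL;
    *sig_len = 0;
    for (attempts = 0; attempts < 4; attempts++) {
        CK_RV rv;
        CK_BYTE *buf = malloc(len);
        if (buf == NULL) return CKR_HOST_MEMORY;
        rv = mock_C_Sign(data, data_len, buf, &len);  /* token updates len */
        if (rv == CKR_OK) {
            *sig = buf;
            *sig_len = len;
            return CKR_OK;
        }
        free(buf);
        if (rv != CKR_BUFFER_TOO_SMALL) return rv;
        /* len now holds the required size; next iteration allocates it */
    }
    return CKR_GENERAL_ERROR;            /* token kept asking for more */
}
```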
Say I have two smart card readers connected to a machine at the same time. If I have an application that uses pam_pkcs11 for authentication, how will the module go about choosing which user to authenticate as?
I am looking for a way to enumerate a list of the cards connected to a machine and allow a user to pick which card they wish to authenticate as. Is this possible to do with pam_pkcs11? Thanks
Hello. I have some troubles with LDAP mapping, I guess. I'm using a simple self-signed certificate on the smart card and exactly the same in the OpenLDAP server. Can you please tell me what could be wrong with the following scheme. Trying to log in with a smart card + pam_pkcs11 (LDAP mapping), but got an error:
DEBUG:ldap_mapper.c:1243: Trying to match certificate with user: 'cardholder'
DEBUG:ldap_mapper.c:926: ldap_get_certificate(): begin login = cardholder
DEBUG:ldap_mapper.c:583: added URI ldap://<address>:389
DEBUG:ldap_mapper.c:988: ldap_get_certificate(): try do_open for ldap://<address>:389
DEBUG:ldap_mapper.c:146: do_init():
DEBUG:ldap_mapper.c:416: Set connection timeout to 8
DEBUG:ldap_mapper.c:216: do_ssl_options
DEBUG:ldap_mapper.c:453: do_open(): do_start_tls
DEBUG:ldap_mapper.c:502: do_open(): TLS startup succeeded
DEBUG:ldap_mapper.c:324: do_bind(): bind DN="cn=admin,dc=ldapserver" pass="password"
DEBUG:ldap_mapper.c:357: do_bind rc=97
DEBUG:ldap_mapper.c:1022: ldap_get_certificate(): building default filter_str
DEBUG:ldap_mapper.c:789: ldap_build_cert_filter(): building default filter
DEBUG:ldap_mapper.c:1032: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=cardholder)(userCertificate=...))
DEBUG:ldap_mapper.c:1048: ldap_get_certificate(): no matching entries
DEBUG:ldap_mapper.c:1060: ldap_search_s() failed: Bad search filter
DEBUG:ldap_mapper.c:1212: ldap_get_certificate() failed
DEBUG:ldap_mapper.c:1251: Certificate map to user 'cardholder' failed
DEBUG:mapper_mgr.c:272: Mapper 'ldap' found (null), matched 0
DEBUG:pklogin_finder.c:148: find_user() failed for certificate #1:
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed
my mapper:
use_pkcs11_module = opensc
pkcs11_module opensc {
module = /usr/lib/.../opensc-pkcs11.so;
cert_policy = none;
}
use_mappers = ldap;
mapper ldap {
debug = true;
module = /usr/lib/.../pam_pkcs11/ldap_mapper.so;
ldaphost = "10.0.0.11";
ldapport = ;
URI = "ldap://10.0.0.11";
scope = 2;
binddn = "cn=admin,dc=ldapserver";
passwd = "password";
base = "dc=ldapserver";
attribute = "userCertificate";
ssl = tls
tls_checkpeer = 0
#attribute_map = "userCertificate;binary=cert"
filter = "(&(objectClass=posixAccount)(uid=%s))"
}
I also had some trouble while downloading the certificate to the LDAP, so I uploaded the binary cert via an LDIF file:
dn: uid=cardholder,dc=ldapserver
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: cardholder
cn: cardholder
sn: cardholder
givenName: Claus
title: Root
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {SSHA}7TS+a0wfVJlUw8F32K503Uoo9Ql8a0Ns
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1006
homeDirectory: /home/cardholder/
description: This is an example user
userCertificate;binary:< file:///home/user/cardholder.der
I'm using Debian 11 and LDAPv3 on the server.
Thank you
Hi there
Problem description
A while ago I discovered that the slot_description in the pkcs11_module is not working as intended, because the string it is compared to also has the slot ID inside.
Furthermore we use Yubikey as smartcard in our company for authentication. Over the years we got different versions. Some users have Yubikey NEO, some Yubikey 4 and now there are Yubikey 5 as well. On top of that there are users with smartcards from our customers to authenticate on external systems.
So it would be very nice to have a substring match instead of a full match for the slot_description field in the config file.
Testsetup
System: Ubuntu 20.04
opensc version 0.20.0-3 amd64
libpam-pkcs11 version 0.6.11-2 amd64
inserted smartcards on the system:
# opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
1 Yes Yubico Yubikey NEO OTP+CCID 01 00
2 Yes Yubico Yubikey 4 OTP+CCID 02 00
3 Yes Gemalto PC Twin Reader (922FBFB3) 03 00
relevant part of pam_pkcs11 config:
# cat /etc/pam_pkcs11/pam_pkcs11.conf
pam_pkcs11 {
...
use_pkcs11_module = yubikey;
pkcs11_module yubikey {
module = /usr/lib/opensc-pkcs11.so;
description = "OpenSC PKCS#11 module";
slot_description = "Yubico Yubikey NEO OTP+CCID";
#slot_num = 1;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
support_threads = false;
cert_policy = ca,signature;
#crl check disabled as workaround cause of segmentation fault, see https://github.com/OpenSC/pam_pkcs11/issues/42
#cert_policy = ca,signature,crl_auto;
token_type = "YubiKey";
}
...
Steps to reproduce
# /usr/bin/pklogin_finder debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.20
DEBUG:pkcs11_lib.c:1077: number of slots (a): 5
DEBUG:pkcs11_lib.c:1100: number of slots (b): 5
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+U2F+CCID 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user1
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: fa199c6821e35273
DEBUG:pkcs11_lib.c:1136: - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user3
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136: - flags: 2040d
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey 4 OTP+CCID 02 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user2
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: c0fdcb8f44270042
DEBUG:pkcs11_lib.c:1136: - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 4:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: PKI Card (Card PIN)
DEBUG:pkcs11_lib.c:1133: - manufacturer: <CUSTOMER>
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15
DEBUG:pkcs11_lib.c:1135: - serial: 105003013405
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 5:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: PKI Card (Card PUK)
DEBUG:pkcs11_lib.c:1133: - manufacturer: <CUSTOMER>
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15
DEBUG:pkcs11_lib.c:1135: - serial: 105003013405
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pklogin_finder.c:95: no token available
Expected result
Find the smartcard in slot 2 with test.user3, as its description equals slot_description in pam_pkcs11.conf (Yubico Yubikey NEO OTP+CCID).
Actual result
As you can see in the debug output, it adds a 01 00 at the end of the description, which represents the slot ID.
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
and this results in
DEBUG:pklogin_finder.c:95: no token available
If I write slot_description = "Yubico Yubikey NEO OTP+CCID 01 00"; into pam_pkcs11.conf then it will work, but only if the key is in slot 1. I guess this is not the idea behind the slot_description option; this way it is a more strict version of the alternate slot_num option.
Expected behavior after this request is implemented
Changing this to a substring match would also solve the problem with the different Yubikey versions we have. So I can simply write slot_description = "Yubico Yubikey" into pam_pkcs11.conf and every user can log in with his Yubikey on every system.
I would like to see the following matches and mismatches:
Examples of matches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+U2F+CCID"
description from debug: "Yubico Yubikey NEO OTP+CCID 01 00"
description in config : "Yubico Yubikey"
description from debug: "Yubico Yubikey 4 OTP+CCID 02 00"
description in config : "Yubico Yubikey"
Examples of mismatches:
description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
description in config : "Yubico Yubikey NEO OTP+CCID"
description from debug: "Gemalto PC Twin Reader (922FBFB3) 03 00"
description in config : "Yubico Yubikey"
Very ugly workaround I'm using at the moment
Change the description of all Yubikeys in /etc/libccid_Info.plist on every workstation we have into
<string>Yubico Yubikey description with more then 64 characters to workaround the pkcs11 string matching problem</string>
and enter the following slot description into pam_pkcs11.conf
slot_description = "Yubico Yubikey description with more then 64 characters as wo..."
then it will match, because login_finder cuts it off at 64 chars:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey description with more then 64 characters as wo...
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user3
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136: - flags: 2040d
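The 64-character cut-off in the workaround above is a property of PKCS#11 itself: CK_SLOT_INFO.slotDescription is a fixed 64-byte field, padded with spaces and not NUL-terminated. The example below is added here and is not pam_pkcs11 code. It models that field, trims the padding, and applies the substring match the request asks for, using the match and mismatch pairs listed in the post as its checks; the function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 CK_SLOT_INFO.slotDescription: 64 bytes, space padded, no NUL. */
#define SLOT_DESC_LEN 64

/* Copy a fixed-width, space-padded PKCS#11 string into a NUL-terminated
 * C string, dropping trailing spaces (and any stray NULs). */
static void p11_field_to_cstr(const unsigned char *field, size_t field_len,
                              char *out, size_t out_len)
{
    size_t n = field_len;
    while (n > 0 && (field[n - 1] == ' ' || field[n - 1] == '\0'))
        n--;
    if (n >= out_len)
        n = out_len - 1;
    memcpy(out, field, n);
    out[n] = '\0';
}

/* Simulate what the PKCS#11 module stores for a reader name: the name is
 * copied into the 64-byte field and anything beyond 64 bytes is lost. */
static void make_slot_description(const char *reader_name,
                                  unsigned char field[SLOT_DESC_LEN])
{
    size_t n = strlen(reader_name);
    memset(field, ' ', SLOT_DESC_LEN);
    if (n > SLOT_DESC_LEN)
        n = SLOT_DESC_LEN;
    memcpy(field, reader_name, n);
}

/* Substring match of the configured string against the trimmed
 * description. Returns 1 on match, 0 otherwise. An empty pattern is
 * refused: it would select every slot, which is never what an
 * authentication config wants. */
int slot_description_matches(const unsigned char field[SLOT_DESC_LEN],
                             const char *wanted)
{
    char desc[SLOT_DESC_LEN + 1];
    if (wanted == NULL || *wanted == '\0')
        return 0;
    p11_field_to_cstr(field, SLOT_DESC_LEN, desc, sizeof desc);
    return strstr(desc, wanted) != NULL;
}

/* Convenience wrapper: reader name as opensc-tool -l prints it, plus the
 * slot_description value from the config. */
int reader_matches(const char *reader_name, const char *wanted)
{
    unsigned char field[SLOT_DESC_LEN];
    make_slot_description(reader_name, field);
    return slot_description_matches(field, wanted);
}

int main(void)
{
    static const struct { const char *reader, *cfg; } cases[] = {
        { "Yubico Yubikey NEO OTP+U2F+CCID 00 00", "Yubico Yubikey NEO OTP+U2F+CCID" },
        { "Yubico Yubikey NEO OTP+CCID 01 00",     "Yubico Yubikey" },
        { "Yubico Yubikey 4 OTP+CCID 02 00",       "Yubico Yubikey" },
        { "Yubico Yubikey NEO OTP+U2F+CCID 00 00", "Yubico Yubikey NEO OTP+CCID" },
        { "Gemalto PC Twin Reader (922FBFB3) 03 00", "Yubico Yubikey" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s vs %-36s -> %s\n", cases[i].reader, cases[i].cfg,
               reader_matches(cases[i].reader, cases[i].cfg) ? "match" : "no match");
    return 0;
}
```

Because the match is on the reader string rather than on the token, a substring rule is a convenience for finding the right slot, not an authentication control; the certificate chain and signature checks that follow still have to do that work.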
The "ssl" configuration option for LDAP mapper can take the following values:
based on the code in ldap_mapper.c
However documentation is not very clear what is the meaning of these values.
One could incorrectly assume (with the recent poodle attack) that ssl stands for "SSL 3.0" and tls stands for "TLS 1.x". This would be incorrect: ssl means in fact "LDAPS" and "tls" means "StartTLS".
Anyone involved with LDAP would immediately understand the exact meaning without examining source code for details.
So I suggest to rename "ssl" to "ldaps", "tls" to "starttls" or at least document these values properly.
I'm seeing a crash in src/common/cert_vfy.c, verify_crl() is being passed a NULL X509_CRL * crl by check_for_revocation(). At minimum the module should not crash, it should detect the situation where crl == NULL and fail gracefully.
Debug output:
Enter your Smart card PIN on the pinpad
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 03
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:196: Inserting mapper [cn] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '<redacted 1>' to CACERT checks
DEBUG:cert_vfy.c:389: Adding hash dir '<redacted 1>' to CRL checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 3
DEBUG:cert_vfy.c:226: crl policy: 1
DEBUG:cert_vfy.c:259: extracting crl distribution points
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 2>.pem
DEBUG:cert_vfy.c:298: download_crl() failed: get_from_uri() failed: curl_easy_perform() failed: Couldn't open file <redacted 2>tdecrl.pem (37)
DEBUG:cert_vfy.c:288: downloading crl from file://<redacted 1>/<redacted 3>.crl
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:313: verifying crl
DEBUG:cert_vfy.c:235: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:cert_vfy.c:313: verifying crl
Thread 1 "login" received signal SIGSEGV, Segmentation fault.
X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108
108 ../crypto/x509/x509cset.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7052220 in X509_CRL_get_issuer (crl=0x0) at ../crypto/x509/x509cset.c:108
This may be related to #42.
Reported to Ubuntu initially #1879710 but may be better addressed here as it seems to affect any Linux distro I try.
Background:
Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. The certificate is read, the PIN prompts and it logs in, which is the expected behavior. There is however no method for checking CRLs (Certificate Revocation Lists) reliably. This is needed for security in the event someone lost their smart card/Yubikey, it was compromised somehow, or was just renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is valid.
Issue:
When attempting to read a CRL, it either fails to download or causes a segfault.
CRLs are set within the certificate to download over HTTP; this part of the process works OK. When it checks for revocation it seems to go wrong.
Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault which seems to point at an issue with libcrypto:
[ 1563.825006] pkcs11_inspect[3820]: segfault at 18 ip 00007ff8e1a95300 sp 00007ffd6db03088 error 4 in libcrypto.so.1.1[7ff8e190e000+19f000]
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66
Workaround:
None - disabling CRL checking defeats the point and is highly insecure.
ocsp could be another potential workaround however this doesn't appear to have been included in the package(s).
I am trying to set up pam_pkcs11 using an OpenPGP card. Everything seems to work except the signature verification. Here is a snippet from the output:
DEBUG:pam_pkcs11.c:618: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [b3:88:65:...:c6]
DEBUG:pkcs11_lib.c:1735: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1807: hash[51] = [...:9c:83:d0:...:e4]
DEBUG:pkcs11_lib.c:1856: signature[512] = [81:86:05:...:2e]
DEBUG:pam_pkcs11.c:681: verifying signature...
DEBUG:cert_vfy.c:533: public key type: 0x00000006
DEBUG:cert_vfy.c:534: public key bits: 0x00001000
DEBUG:cert_vfy.c:566: hashing with SHA256
ERROR:pam_pkcs11.c:688: verify_signature() failed: EVP_VerifyFinal() failed: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
Error 2342: Verifying signature failed
Simply signing and verifying some data with pkcs11-tool like this is successful:
pkcs11-tool --sign -i testdata --id 03 --output-file testdata.sig_p11
pkcs11-tool --verify -i testdata --signature-file testdata.sig_p11 --id 03
I compiled pam_pkcs11 from sources today, hence this seems to be a bug in the current version. If there is anything I can help to debug this I am willing to try. :)
Hi!
I am trying to use the pkcs11_make_hash_link util to make a symbolic hash link in the /etc/ssl/cacerts directory. Here is the content of that directory, produced by ls:
total 12
drwxr-xr-x 2 root root 4096 Jan 22 11:53 .
drwxr-xr-x 6 root root 4096 Jan 22 11:53 ..
-rw-r--r-- 1 asem asem 1029 Jan 22 10:36 root_2048_crt.pem
Then I did cd to that directory and executed
sudo pkcs11_make_hash_link
This execution does not produce any output and it seems that everything worked OK, but when I listed the directory content again I got this:
total 12
drwxr-xr-x 2 root root 4096 Jan 22 11:53 .
drwxr-xr-x 6 root root 4096 Jan 22 11:53 ..
-rw-r--r-- 1 asem asem 1029 Jan 22 10:36 root_2048_crt.pem
Nothing has changed. As mentioned in the man page of this util, a symbolic link to my cert should be created.
The version of libpam-pkcs11 that I use is 0.6.9-2build2.
Can you help me, please, with this?
P.S. I have tried to use the latest version of this script from here but it also did not work.
Hello,
I am trying to migrate to a new OS version and I need to upgrade pam_pkcs11 at the same time. My old working setup was Ubuntu 18.04 with pam_pkcs11 0.6.8 compiled manually. Unfortunately it is not possible to build it anymore on a modern OS, and newer versions of the ldap mapper seem broken. Maybe there is something I am missing, but:
In 0.6.8 ldap filter that is sent to ldap looks like (&(objectClass=posixAccount)(uid=my_user))
In newer versions it is a bit different: it adds userCertificate to the filter. Unfortunately LDAP doesn't find my user, as it seems the userCertificate filters are not working (it returns 0 users). I tested a lot of options with ldapsearch and certificates and it just gives no results. I tested it on 2 versions of LDAP servers and several different syntaxes, in hex, base64 etc.
Can it be new syntax that is not compatible with ldap? Is there a way to change to previous behaviour?
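Both this report and the earlier "Bad search filter" one involve a filter of the form (&(objectClass=posixAccount)(uid=...)(userCertificate=...)) carrying a DER certificate. The example below is added here and is not pam_pkcs11 code. It builds such a filter with the value escaping RFC 4515 requires, where '(', ')', '*', '\', NUL and any byte outside printable ASCII are written as a backslash and two hex digits; a raw DER blob spliced into a filter nearly always contains such bytes, which is one plausible reason for a rejected filter or an empty result, though whether a server can then match the value depends on the matching rule it applies to that attribute. The certificate bytes are a constructed fragment, not a real certificate, the attribute description userCertificate;binary is an assumption (the post's own log shows userCertificate), and the function names are this example's own. The uid goes through the same escaping, which is also what stops a crafted username from rewriting the filter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape len bytes of val into out per RFC 4515. Returns the number of
 * characters written (excluding the NUL), or -1 if out is too small. */
int ldap_filter_escape(const unsigned char *val, size_t len,
                       char *out, size_t out_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = val[i];
        int special = c < 0x20 || c > 0x7e ||
                      c == '*' || c == '(' || c == ')' || c == '\\';
        if (special) {
            if (o + 3 >= out_size) return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= out_size) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build (&(objectClass=posixAccount)(uid=<uid>)(userCertificate;binary=<der>))
 * with both values escaped. Returns the filter length or -1 on error. */
int build_cert_filter(const char *uid, const unsigned char *der, size_t der_len,
                      char *out, size_t out_size)
{
    char uid_esc[256];
    if (ldap_filter_escape((const unsigned char *)uid, strlen(uid),
                           uid_esc, sizeof uid_esc) < 0)
        return -1;

    size_t der_esc_size = der_len * 3 + 1;     /* worst case: every byte escaped */
    char *der_esc = malloc(der_esc_size);
    if (der_esc == NULL)
        return -1;
    if (ldap_filter_escape(der, der_len, der_esc, der_esc_size) < 0) {
        free(der_esc);
        return -1;
    }
    int n = snprintf(out, out_size,
                     "(&(objectClass=posixAccount)(uid=%s)(userCertificate;binary=%s))",
                     uid_esc, der_esc);
    free(der_esc);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Driver: escapes a constructed DER fragment (a SEQUENCE header followed
 * by the filter metacharacters and a NUL) and returns the filter from a
 * static buffer, or an empty string on failure. */
const char *demo_filter(void)
{
    static char buf[512];
    static const unsigned char der_fragment[] = {
        0x30, 0x82, 0x01, 0x0a, '(', ')', '*', '\\', 'A', 0x00
    };
    if (build_cert_filter("cardholder", der_fragment, sizeof der_fragment,
                          buf, sizeof buf) < 0)
        buf[0] = '\0';
    return buf;
}

/* Driver: escapes an arbitrary C string, e.g. a username taken from the
 * login prompt, and returns the result from a static buffer. */
const char *demo_escape(const char *s)
{
    static char buf[256];
    if (ldap_filter_escape((const unsigned char *)s, strlen(s), buf, sizeof buf) < 0)
        buf[0] = '\0';
    return buf;
}

int main(void)
{
    printf("%s\n", demo_filter());
    printf("uid \"*)(uid=*\" becomes: %s\n", demo_escape("*)(uid=*"));
    return 0;
}
```

A quick way to confirm what a server accepts is to paste the generated filter into ldapsearch; a value that the server cannot match under the attribute's equality rule returns zero entries rather than an error, which is the symptom described above.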
When trying to log in using a PKCS#11 shared library by editing the PAM configuration file, I am facing an error like:
ubuntu kernel: [13342.185619] lightdm[15882]: segfault at b662b48e ip b71ddd2f sp bfb35dec error 4 in libc-2.19.so[b7163000+1a8000]
I am getting this error after the exit from C_Finalize (traced using syslog).
At log-in Screen messages getting like- Smartcard authentication starts,
Smart card found,
verifying certificate,
Failed to authenticate
When I tried through the terminal to log in as another user from the default user, I was able to get "authentication succeeded" at the end (before the segmentation fault in the terminal) and got this error (as per syslog):
ubuntu kernel: [11694.542754] su[13543]: segfault at b676048e ip b7586d2f sp bfd0f0bc error 4 in libc-2.19.so[b750c000+1a8000]
Can anyone help us with a solution to debug this?
Hi,
I need help please
when I add crl_online to pam_pkcs11.conf in my ubuntu VM and I try to login with smartcard, I get the following error:
ERROR:pam_pkcs11.c:586: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the issuer's public key failed
Thanks
After upgrading Ubuntu to 16.04 I realized that the lightdm process was using 100% CPU.
OS: Ubuntu 16.04 64-bit
Package: libpam-pkcs11 0.6.8.4
Token: Aladdin eToken Pro 0529:0620
Looking at the code I found a workaround, which is to comment out pkcs11_lib.c lines 1175-1177.
// if (h->fl != NULL)
// if (h->should_finalize)
// h->fl->C_Finalize(NULL);
I'm trying to build and install on Fedora 32, but I'm having trouble during the make phase.
It seems a deprecated gcc function is used. Here's my error message:
n of function ‘X509_OBJECT_free_contents’; did you mean ‘X509_OBJECT_up_ref_count’? [-Wimplicit-function-declaration]
159 | X509_OBJECT_free_contents(&obj);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| X509_OBJECT_up_ref_count
cert_vfy.c:174:3: warning: ‘X509_CRL_get_lastUpdate’ is deprecated [-Wdeprecated-declarations]
174 | rv = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl));
| ^~
In file included from /usr/include/openssl/opensslconf.h:42,
from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:727:1: note: declared here
727 | DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
| ^~~~~~~~~~~~~~~~~~
cert_vfy.c:183:3: warning: ‘X509_CRL_get_nextUpdate’ is deprecated [-Wdeprecated-declarations]
183 | rv = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
| ^~
In file included from /usr/include/openssl/opensslconf.h:42,
from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:728:1: note: declared here
728 | DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
| ^~~~~~~~~~~~~~~~~~
cert_vfy.c: In function ‘check_for_revocation’:
cert_vfy.c:205:15: error: storage size of ‘obj’ isn’t known
205 | X509_OBJECT obj;
| ^~~
cert_vfy.c:212:12: error: storage size of ‘crl_pkey’ isn’t known
212 | EVP_PKEY crl_pkey;
| ^~~~~~~~
Is there any way of using this in fedora 32?
Hi there,
I just ran into a segmentation fault when I tried to log in in GDM on a pam_pkcs11 smartcard-enabled Ubuntu 18.04. When the smartcard is inserted, the smartcard PAM module (pam_pkcs11.so) is loaded and the smartcard login process crashes because of a segfault:
Jan 18 16:17:38 a02 gdm-password]: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
Jan 18 16:17:38 a02 gdm-password]: username = [test]
Jan 18 16:17:38 a02 gdm-password]: loading pkcs #11 module...
Jan 18 16:17:38 a02 gdm-password]: PKCS #11 module = [/lib/libIDPrimePKCS11.so.10]
Jan 18 16:17:38 a02 gdm-password]: module permissions: uid = 0, gid = 0, mode = 755
Jan 18 16:17:38 a02 gdm-password]: loading module /lib/libIDPrimePKCS11.so.10
Jan 18 16:17:38 a02 gdm-password]: getting function list
Jan 18 16:17:38 a02 gdm-password]: initialising pkcs #11 module...
Jan 18 16:17:38 a02 gdm-password]: module information:
Jan 18 16:17:38 a02 gdm-password]: - version: 2.20
Jan 18 16:17:38 a02 gdm-password]: - manufacturer: Gemalto
Jan 18 16:17:38 a02 gdm-password]: - flags: 0000
Jan 18 16:17:38 a02 gdm-password]: - library description: Gemalto PKCS11
Jan 18 16:17:38 a02 gdm-password]: - library version: 10.0
Jan 18 16:17:43 a02 kernel: [ 2957.384488] show_signal_msg: 6 callbacks suppressed
Jan 18 16:17:43 a02 kernel: [ 2957.384494] gdm-session-wor[2972]: segfault at 8 ip 00007f9551329910 sp 00007ffe2dc9be48 error 4 in libcrypto.so.1.1[7f955127d000+24d000]
Jan 18 16:17:43 a02 gdm3: Freeing conversation 'gdm-password' with active job
pam_pkcs11.so is dynamically linked to libcrypto.so.1.1 (in which the segfault actually happens):
root@a02:/etc/pam_pkcs11# ldd /lib/security/pam_pkcs11.so
.....
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f7d82a06000)
First I thought it may be related to the pre-packaged libpam-pkcs11 package from the Ubuntu repository, but this does not seem to be true. I removed the official Ubuntu 18.04 libpam-pkcs11 package and compiled pam_pkcs11.so myself using the following commands:
apt-get install -y libssl-dev libpam0g-dev pkg-config libpcsclite-dev libldap2-dev libnss3-dev
apt-get install -y libtool autoconf automake git
git clone https://github.com/OpenSC/pam_pkcs11.git
cd pam_pkcs11
./bootstrap
./configure --prefix=/usr --exec-prefix=/usr --with-ldap --with-nss
make
make install
I also tested it first without the option --with-nss, but I ran into the same issue with the openssl library, which is used by default (when no --with-nss is given).
In the further debugging process I tried to switch from libcrypto.so.1.1 to libcrypto.so.1.0.0, which actually solved my issue:
root@a02:/usr/lib/x86_64-linux-gnu# ls -la libcrypto.so*
lrwxrwxrwx 1 root root 16 Dec 5 16:59 libcrypto.so -> libcrypto.so.1.1
-rw-r--r-- 1 root root 2357760 Dec 4 16:58 libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2575848 Dec 5 16:59 libcrypto.so.1.1
root@a02:/usr/lib/x86_64-linux-gnu# mv libcrypto.so.1.1 libcrypto.so.1.1.orig
root@a02:/usr/lib/x86_64-linux-gnu# ln -s libcrypto.so.1.0.0 libcrypto.so.1.1
root@a02:/usr/lib/x86_64-linux-gnu# ls -la libcrypto.so*
lrwxrwxrwx 1 root root 16 Dec 5 16:59 libcrypto.so -> libcrypto.so.1.1
-rw-r--r-- 1 root root 2357760 Dec 4 16:58 libcrypto.so.1.0.0
lrwxrwxrwx 1 root root 18 Jan 18 17:21 libcrypto.so.1.1 -> libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2575848 Dec 5 16:59 libcrypto.so.1.1.orig
With libcrypto.so.1.0.0 it works:
Jan 18 17:22:06 a02 gdm-password]: Initializing NSS ...
Jan 18 17:22:06 a02 gdm-password]: Initializing NSS ... database=/etc/
Jan 18 17:22:06 a02 gdm-password]: ... NSS Complete
Jan 18 17:22:06 a02 gdm-password]: username = [test]
Jan 18 17:22:06 a02 gdm-password]: loading pkcs #11 module...
Jan 18 17:22:06 a02 gdm-password]: Looking up module in list
Jan 18 17:22:06 a02 gdm-password]: modList = 0x75019cf0 next = 0x0
Jan 18 17:22:06 a02 gdm-password]: dllName= <null>
Jan 18 17:22:06 a02 gdm-password]: loading Module explictly, moduleSpes11.so" name="SmartCard"> module=/u
Jan 18 17:22:12 a02 gdm-password]: load module complete
Jan 18 17:22:12 a02 gdm-password]: initialising pkcs #11 module...
Jan 18 17:23:32 a02 gdm-password]: cert 0: found ....
Has anyone had a similar issue, or does anyone know how to fix this in a nice way instead of my workaround?
My pam_pkcs11.conf (at least the relevant part of it):
# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = gemalto;
# Gemalto pkcs11 module
pkcs11_module gemalto {
module = /lib/libIDPrimePKCS11.so.10;
description = "Gemalto pkcs#11 module";
slot_num = 1;
support_threads = false;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
cert_policy = ca,signature;
token_type = "Smartcard";
}
Thanks!
Regards,
Philip
Fails to build - hangs on
make[3]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/po'
touch stamp-po
make[2]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/po'
Making all in doc
make[2]: Entering directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/doc'
ls: cannot access 'api/*': No such file or directory
If I try to reconfigure --without-docbook it goes further and fails with:
cert_vfy.c:174:3: warning: ‘X509_CRL_get_lastUpdate’ is deprecated [-Wdeprecated-declarations]
rv = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl));
^~
In file included from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:727:1: note: declared here
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
^~~~~~~~~~~~~~~~~~
cert_vfy.c:183:3: warning: ‘X509_CRL_get_nextUpdate’ is deprecated [-Wdeprecated-declarations]
rv = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
^~
In file included from ../common/pam-pkcs11-ossl-compat.h:30,
from cert_st.h:36,
from cert_vfy.h:30,
from cert_vfy.c:18:
/usr/include/openssl/x509.h:728:1: note: declared here
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
^~~~~~~~~~~~~~~~~~
cert_vfy.c: In function ‘check_for_revocation’:
cert_vfy.c:205:15: error: storage size of ‘obj’ isn’t known
X509_OBJECT obj;
^~~
cert_vfy.c:212:12: error: storage size of ‘crl_pkey’ isn’t known
EVP_PKEY crl_pkey;
^~~~~~~~
make[4]: *** [Makefile:540: libcommon_la-cert_vfy.lo] Error 1
make[4]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src/common'
make[3]: *** [Makefile:615: all-recursive] Error 1
make[3]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src/common'
make[2]: *** [Makefile:403: all-recursive] Error 1
make[2]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10/src'
make[1]: *** [Makefile:459: all-recursive] Error 1
make[1]: Leaving directory '/tmp/pam_pkcs11-pam_pkcs11-0.6.10'
make: *** [Makefile:391: all] Error 2
Building on Arch, GCC 8.3
Hi,
we have set up a configuration with CRL checking (cert_policy = CA,signature,crl_online) and are experiencing a Segmentation fault in X509_STORE_get_by_subject (). We are on a regularly updated Ubuntu 16.04 and using the latest pam_pkcs11 0.6.9. But the error also appears in version 0.6.8.4.
gdb bt:
Thread 1 "pkcs11_inspect" received signal SIGSEGV, Segmentation fault.
0x00007ffff7aed662 in X509_STORE_get_by_subject () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(gdb) bt
#0 0x00007ffff7aed662 in X509_STORE_get_by_subject () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#1 0x0000000000406f35 in verify_crl (ctx=0x7bbbb0, crl=0x7c3be0) at cert_vfy.c:151
#2 check_for_revocation (x509=x509@entry=0x7305e0, ctx=ctx@entry=0x7bbbb0, policy=<optimized out>) at cert_vfy.c:291
#3 0x00000000004074c2 in verify_certificate (x509=x509@entry=0x7305e0, policy=policy@entry=0x6164d8 <configuration+88>) at cert_vfy.c:464
#4 0x00000000004032fd in main (argc=<optimized out>, argv=<optimized out>) at pkcs11_inspect.c:132
If we turn off CRL checking in the config, everything runs fine. Also switching to offline checking does not help as the segmentation fault also appears in this mode.
Our PKCS11 lib is from CryptoVision: /usr/local/lib/libcvP11.so
The URL where the CRL gets downloaded from: http://crl.d-trust.net/crl/eon_ca_2_2013_xxi.crl
last debug output is:
DEBUG:cert_vfy.c:265: downloading crl from http://crl.d-trust.net/crl/eon_ca_2_2013_xxi.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [crl.d-trust.net]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/crl/eon_ca_2_2013_xxi.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:113: crl is base64 encoded
DEBUG:cert_vfy.c:290: verifying crl
Segmentation fault
I dug a bit deeper into the code and came up with these findings:
X509_STORE_get_by_subject(vs, type, name, ret) is documented in openssl as "If the certificate or crl is found by some means, then it is placed into ret (which must not be NULL) with an indicator of the type of object returned. This function returns 1 on a match and 0 on error or if no match was found. ". However obj (=ret) is defined as
X509_OBJECT *obj = NULL;
In my opinion it should rather be declared as
X509_OBJECT obj;
and calls to this function changed to i.e.
rv = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_CRL_get_issuer(crl), &obj);
and no attempt to free this object should be made.
In function "check_for_revocation()", X509_CRL_get0_by_cert() is supposed to return 0 on failure and 1 on success. I guess "success" means a revoked certificate was found, so a "failure" would mean the certificate was not revoked. However the code then exits with
return (rv == -1);
This doesn't make sense to me.
After adjusting the code for these findings, everything works fine, but this would somehow imply that the CRL check code never worked in the first place.
Any suggestions? Am I on the wrong track?
Cheers,
Michael
Copy of Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/pam-pkcs11/+bug/1650366
PAM configuration is managed using pam-auth-update.
However, pam-pkcs11 does not provide the necessary description file below /usr/share/pam-configs.
Hence, it must be added manually to the pam configuration.
pam-pkcs11 should supply a description file in /usr/share/pam-configs similar to the one attached.
Name: PKCS11 Smartcard Authentication
Default: yes
Priority: 128
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_pkcs11.so
Auth-Initial:
[success=end default=ignore] pam_pkcs11.so
Regards,
Joachim
Hello, I compiled and installed all the necessary packages and configured /etc/pam_pkcs11/subject_mapping with my smart card's subject data, which I got from pkcs11_inspect.
I also added and linked the required CA certificates in /etc/pam_pkcs11/cacerts.
I added the following line to /etc/pam.d/sudo:
#%PAM-1.0
auth sufficient /usr/local/lib/security/pam_pkcs11.so debug
** the rest of the unchanged commands **
But whenever I try to use sudo and type my pin, I get this (snip from the actual log):
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [6d:86:47:...:e8]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:58:12:56:...:03]
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
luis@CTW00632:~$ sudo -i
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro AU9560 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 45
DEBUG:pkcs11_lib.c:1624: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 52
DEBUG:pkcs11_lib.c:1624: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id: 50
DEBUG:pkcs11_lib.c:1659: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:196: Inserting mapper [null] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:mapper_mgr.c:306: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [1b:e5:51:...:2e]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:cc:32:...:74]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 256
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
Error 2340: Signing failed
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
Sorry, try again.
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:335: username = [luis]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.19
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1100: number of slots (b): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 4040c
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Alcor Micro **removed**
DEBUG:pkcs11_lib.c:1123: - manufacturer: Generic
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: Address PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1133: - manufacturer: GEMALTO
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: **removed**
DEBUG:pkcs11_lib.c:1136: - flags: 040c
Portuguese ID Card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome Auth PIN (CARTAO DE CIDADAO)!
Portuguese ID Card PIN:
This file says that 0x00000007 is CKR_ARGUMENTS_BAD.
I believe the first time h->fl->C_Sign runs, it returns CKR_BUFFER_TOO_SMALL, and in the second loop with signature_length of 256, it fails.
pkcs11-tool -M returns this:
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
MD5-RSA-PKCS, keySize={512,2048}, sign, verify
RIPEMD160-RSA-PKCS, keySize={512,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair
Why am I getting sign_value() failed: C_Sign() failed: 0x00000007?
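Debug logs like the two above carry more than the final error: which slot the session was opened on, whether revocation checking was actually performed, and the raw PKCS#11 return value. The following triage helper pulls those out and names the CKR_* code. It is an added example for this thread, not pam_pkcs11 code; the CKR table is a hand-picked subset of the PKCS#11 v2.20 values, and SAMPLE_LOG is constructed from the line formats in the log above, shortened.

```python
"""Triage a pam_pkcs11 debug log (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of PKCS#11 v2.20 CKR_* return values; extend as needed.
CKR_NAMES = {
    0x000: "CKR_OK",
    0x007: "CKR_ARGUMENTS_BAD",
    0x030: "CKR_DEVICE_ERROR",
    0x068: "CKR_KEY_FUNCTION_NOT_PERMITTED",
    0x070: "CKR_MECHANISM_INVALID",
    0x0A0: "CKR_PIN_INCORRECT",
    0x0A4: "CKR_PIN_LOCKED",
    0x101: "CKR_USER_NOT_LOGGED_IN",
    0x150: "CKR_BUFFER_TOO_SMALL",
}

# Constructed sample, shortened from the line formats pam_pkcs11 prints with "debug".
SAMPLE_LOG = """\
DEBUG:pkcs11_lib.c:1077: number of slots (a): 3
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1132: - label: Auth PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1132: - label: Sign PIN (CARTAO DE CIDADAO)
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1659: Found 3 certificates in token
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000000
ERROR:pam_pkcs11.c:717: sign_value() failed: C_Sign() failed: 0x00000007
"""

SLOT_RE = re.compile(r"\bslot (\d+):$")
LABEL_RE = re.compile(r"- label: (.+)$")
SESSION_RE = re.compile(r"opening a new PKCS #11 session for slot (\d+)")
LOGIN_RE = re.compile(r"login as user CKU_USER")
CRL_RE = re.compile(r"crl policy: (\d+)")
SIGN_ERR_RE = re.compile(r"C_Sign\(\) failed: 0x([0-9a-fA-F]+)")


def ckr_name(rv: int) -> str:
    """Human-readable name for a PKCS#11 return value."""
    return CKR_NAMES.get(rv, f"CKR_0x{rv:08x} (not in table)")


@dataclass
class Triage:
    tokens: Dict[int, str] = field(default_factory=dict)  # slot number -> token label
    session_slot: Optional[int] = None
    logged_in: bool = False
    crl_policy: Optional[int] = None
    sign_rv: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def triage_log(text: str) -> Triage:
    """Extract slot/token, session, revocation and signing facts from a debug log."""
    t = Triage()
    current_slot: Optional[int] = None
    for line in text.splitlines():
        line = line.strip()
        if (m := SLOT_RE.search(line)):
            current_slot = int(m.group(1))
        elif (m := LABEL_RE.search(line)) and current_slot is not None:
            t.tokens[current_slot] = m.group(1).strip()
        elif (m := SESSION_RE.search(line)):
            t.session_slot = int(m.group(1))
        elif LOGIN_RE.search(line):
            t.logged_in = True
        elif (m := CRL_RE.search(line)):
            t.crl_policy = int(m.group(1))
        elif (m := SIGN_ERR_RE.search(line)):
            t.sign_rv = int(m.group(1), 16)

    if t.session_slot is not None:
        label = t.tokens.get(t.session_slot, "unknown token")
        t.findings.append(f"session opened on slot {t.session_slot} ({label})")
    if t.crl_policy == 0:
        t.findings.append("revocation checking is off (crl policy 0): "
                          "a revoked certificate would still pass verification")
    if t.sign_rv is not None:
        t.findings.append(
            f"C_Sign() failed with 0x{t.sign_rv:08x} ({ckr_name(t.sign_rv)}); "
            "check the mechanism, key handle and signature buffer passed to the token")
    return t
```

Feed it the full debug output captured from sudo or login; the findings list is what you would paste into a bug report, and the revocation finding is the one worth acting on even when signing eventually works.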
For our usage, the user's email address within the certificate is their username on the host.
Example:
[email protected] -> bob
[email protected] -> steve
I like the ignoredomain option as I would prefer to validate that myhost.mydomain.com is part of mydomain.com. However, I would prefer not to generate direct maps for each host.
Can some kind of "dropdomain" setting be added to the option list in a way that does not alter the behavior of ignoredomain but does do a user match without the domain component?
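As an added example of the behaviour requested here (not pam_pkcs11's mail mapper, and the option names allowed_domain, ignoredomain and dropdomain are my reading of the request, not the module's configuration keys): the address's domain is checked against the host's domain on label boundaries, and only then is the local part used as the login. The login pattern is a deliberate restriction, so a certificate whose local part is not a plain user name never maps to an unexpected account; sample addresses are constructed.

```python
"""E-mail to login mapping with a "dropdomain" option (added example, not project code)."""
import re
from typing import Optional

# A local part becomes a login only if it looks like a plain Unix user name.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def domain_within(domain: str, allowed: str) -> bool:
    """True if `domain` equals `allowed` or is a subdomain of it.
    Compared on label boundaries, so "evilmydomain.com" is not inside "mydomain.com"."""
    d = domain.lower().rstrip(".")
    a = allowed.lower().rstrip(".")
    return bool(a) and (d == a or d.endswith("." + a))


def map_mail_to_login(mail: str, allowed_domain: str, *,
                      ignoredomain: bool = False,
                      dropdomain: bool = False) -> Optional[str]:
    """Return the login for a certificate e-mail address, or None to reject it.

    ignoredomain=False: the address domain must lie within allowed_domain.
    ignoredomain=True:  the domain is not checked (the existing option's behaviour).
    dropdomain=True:    the login is the local part only, after the domain check.
    Everything is compared case-insensitively (assumption: logins are lowercase).
    """
    if mail.count("@") != 1:
        return None
    local, domain = mail.split("@")
    local = local.lower()
    if not local or not domain:
        return None
    if not ignoredomain and not domain_within(domain, allowed_domain):
        return None
    if not dropdomain:
        return mail.lower()  # full address, to be matched against a map as today
    if not LOGIN_RE.fullmatch(local):
        return None  # e.g. "first.last" or "user+tag": needs an explicit map entry
    return local
```

With dropdomain=True, "bob@myhost.mydomain.com" maps to "bob" when allowed_domain is "mydomain.com", while an address at "evilmydomain.com" is rejected; with ignoredomain=True the domain check is skipped exactly as the existing option does.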
At one time I was confused about authentication through the Kerberos protocol. By delegating to the mapper, we could check user credentials with the PKINIT protocol. But nothing. In krb_mapper we only see retrieval of the KPN.
Can I open this issue to start the process of developing this feature? Thanks!
Hi Ludovic!
I currently maintain the package in Sisyphus and already have a number of patches I want to integrate. If you're really looking for a new maintainer, I can take it over.