From: Dirk-Willem v. G. <di...@we...> - 2015-04-03 09:22:57
> On 03 Apr 2015, at 08:25, 建明 <jia...@12...> wrote:
>
> I'm new to this community and forgive me if I ask something wrong.
> In the past month, I managed to configure a smart card to do authentication on ubuntu12.04.5 x86
> I find some problems with pam_pkcs11-0.6.7, which is the version used by ubuntu 12.04.
>
> The pam_sm_authenticate() checks the certificates one by one in a loop. However, when verify_certificate() checks the second one and returns -4, the loop breaks,
> so the last certificate never even gets checked.
>
> As the red colour in the code shows, it should not break the loop in this case. And if I change the "break" to "continue", the issue is fixed.
...
> switch (rv) {
> case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
> snprintf(password_prompt, sizeof(password_prompt), _("Error 2324: Certificate has expired"));
> break;
> case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
> snprintf(password_prompt, sizeof(password_prompt), _("Error 2326: Certificate not yet valid"));
> break;
> case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
> snprintf(password_prompt, sizeof(password_prompt), _("Error 2328: Certificate signature invalid"));
> break;
> default:
> snprintf(password_prompt, sizeof(password_prompt), _("Error 2330: Certificate invalid"));
> break;
I think there is a more general issue here: in PAM we should check *all* certificates, and only if they are ALL invalid should error feedback be given. And expired/invalid/not-yet-valid output should only be given debug/verbose style if there is a valid one.
This is not uncommon with roll-over smartcards, which already have the ‘new’ cert or still have the expired cert.
…..
> II) verify_signature() of a correct certificate from smart card reports error like the red colour.
and padding issues. These look like real deficiencies; but I am not familiar enough with that piece of code to suggest how to fix it (we’ve fixed it by hardcoding it to 2048 for a specific case).
Dw.
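A loop of the kind Dirk-Willem describes, as an added example that is not pam_pkcs11's own code: every certificate on the card is tried, individual failures are only logged, and the user sees an error only when all of them failed. The cert_t type and the verify_certificate() stand-in are constructed for the example (it checks only the validity window and whether the issuer is known); the return codes and error strings are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *subject;
    long not_before, not_after;  /* validity window, Unix seconds */
    int issuer_available;        /* 1 if the issuer CA is in the local store */
} cert_t;

/* Constructed stand-in for pam_pkcs11's verify_certificate(), using the
 * return codes from the quoted switch: -4 issuer missing, -2 expired,
 * -3 not yet valid, 0 ok. */
static int verify_certificate(const cert_t *c, long now)
{
    if (!c->issuer_available) return -4;
    if (now > c->not_after)   return -2;
    if (now < c->not_before)  return -3;
    return 0;
}

static const char *verify_error_text(int rv)
{
    switch (rv) {
    case -2: return "Error 2324: Certificate has expired";
    case -3: return "Error 2326: Certificate not yet valid";
    case -4: return "Error 2328: Certificate signature invalid";
    default: return "Error 2330: Certificate invalid";
    }
}

/* Index of the first certificate that verifies, or -1 if none does.
 * Per-cert failures go to the debug log only; the user-facing prompt is
 * filled in only when every certificate failed (last error reported). */
int select_valid_cert(const cert_t *certs, int ncerts, long now,
                      int verbose, char *prompt, size_t prompt_len)
{
    int last_rv = -1;
    for (int i = 0; i < ncerts; i++) {
        int rv = verify_certificate(&certs[i], now);
        if (rv == 0)
            return i;   /* usable cert: stop, no error feedback */
        last_rv = rv;
        if (verbose)
            fprintf(stderr, "cert %d (%s): %s\n", i, certs[i].subject,
                    verify_error_text(rv));
        /* 'continue' rather than 'break': keep checking the rest */
    }
    snprintf(prompt, prompt_len, "%s", verify_error_text(last_rv));
    return -1;
}
```

For a roll-over card holding an expired cert, a cert with an unknown issuer and a valid new cert, select_valid_cert() returns the index of the new cert and leaves the prompt untouched; only when the valid cert is absent does the prompt receive the last error.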