From: 建明 <jia...@12...> - 2015-04-03 09:28:35
Hi, Gulik,
Thanks for the reply.
As you mentioned:
>>>
we've fixed it by hardcoding it to 2048 for a specific case
>>>
I don't quite understand. Can you share the patch?
Best regards
Jianming
On 2015-04-03 17:22:24, "Dirk-Willem van Gulik" <di...@we...> wrote:
On 03 Apr 2015, at 08:25, 建明 <jia...@12...> wrote:
I'm new to this community and forgive me if I ask something wrong.
In the past month, I managed to configure a smart card to do authentication on Ubuntu 12.04.5 x86.
I found some problems with pam_pkcs11-0.6.7, which is the version used by Ubuntu 12.04.
The pam_sm_authenticate() checks the certificates one by one in a loop. However, when verify_certificate() checks the second one and returns -4, the loop breaks.
So the last certificate never even gets a chance to be checked.
As shown in red in the code, it should not break the loop in this case, and if the "break" is changed to "continue", the issue is fixed.
...
switch (rv) {
    case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
        snprintf(password_prompt, sizeof(password_prompt), _("Error 2324: Certificate has expired"));
        break;
    case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
        snprintf(password_prompt, sizeof(password_prompt), _("Error 2326: Certificate not yet valid"));
        break;
    case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        snprintf(password_prompt, sizeof(password_prompt), _("Error 2328: Certificate signature invalid"));
        break;
    default:
        snprintf(password_prompt, sizeof(password_prompt), _("Error 2330: Certificate invalid"));
        break;
}
I think there is a more general issue here; in PAM we should check *all* certificates; and only if they are ALL invalid should error feedback be given. And expired/invalid/not-yet-valid output should only be given debug/verbose style if there is a valid one.
As it is not uncommon to do roll-over of smartcards, which already have the 'new' cert or still have the expired cert.
...
II) verify_signature() of a correct certificate from the smart card reports an error like the one in red.
... and padding issues. These look like real deficiencies, but I am not familiar enough with that piece of code to suggest how to fix it (we've fixed it by hardcoding it to 2048 for a specific case).
Dw.
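As an added example (not code from this thread or from pam_pkcs11), the loop semantics discussed above, modelled on an array of constructed verify_certificate() result codes: the reported break-on-first-failure behaviour beside a version that examines every certificate and only fills the user-facing prompt when none is valid. The function names, the int-array model and the stderr debug output are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed result codes; the values match the cases in the quoted switch. */
enum { CERT_OK = 0, CERT_EXPIRED = -2, CERT_NOT_YET_VALID = -3, CERT_NO_ISSUER = -4 };

/* Prompt text per result code, as in the quoted pam_sm_authenticate() switch. */
static const char *describe(int rv) {
    switch (rv) {
    case CERT_EXPIRED:       return "Error 2324: Certificate has expired";
    case CERT_NOT_YET_VALID: return "Error 2326: Certificate not yet valid";
    case CERT_NO_ISSUER:     return "Error 2328: Certificate signature invalid";
    default:                 return "Error 2330: Certificate invalid";
    }
}

/* Reported behaviour (simplified model): stop at the first failing certificate.
 * Returns the index of the first valid certificate, or -1 if none was accepted. */
int pick_cert_break(const int *results, size_t count) {
    for (size_t i = 0; i < count; i++) {
        if (results[i] == CERT_OK)
            return (int)i;
        break; /* later certificates on the card are never examined */
    }
    return -1;
}

/* Suggested behaviour: examine every certificate, and fill the user-facing
 * prompt only when none is valid (using the last failure seen). Individual
 * failures go to stderr only when verbose is set. */
int pick_cert_continue(const int *results, size_t count, int verbose,
                       char *prompt, size_t prompt_len) {
    int valid = -1, last_failure = 0;
    for (size_t i = 0; i < count; i++) {
        if (results[i] == CERT_OK) {
            if (valid < 0) valid = (int)i;
            continue;
        }
        last_failure = results[i];
        if (verbose)
            fprintf(stderr, "cert %zu skipped: %s\n", i, describe(results[i]));
    }
    if (valid < 0)
        snprintf(prompt, prompt_len, "%s", describe(last_failure));
    else if (prompt_len > 0)
        prompt[0] = '\0';
    return valid;
}
```

With the constructed card {expired, no-issuer, valid} the break version never reaches the valid certificate, while the continue version selects it and leaves the prompt empty.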