From: Ludovic R. <lud...@gm...> - 2015-04-03 13:06:38
2015-04-03 11:22 GMT+02:00 Dirk-Willem van Gulik <di...@we...>:
>
> On 03 Apr 2015, at 08:25, 建明 <jia...@12...> wrote:
>
> I'm new to this community, so forgive me if I ask something wrong.
> In the past month, I managed to configure a smart card to do
> authentication on ubuntu12.04.5 x86.
> I found some problems with pam_pkcs11-0.6.7, which is the version used by
> ubuntu 12.04.
>
>
> The pam_sm_authenticate() checks the certificates one by one in a loop.
> However, when verify_certificate() checks the second one and returns -4,
> the loop breaks,
> so the last certificate has no chance to be checked.
>
> As shown in red in the code, it should not break the loop in this case.
> And if the "break" is changed to "continue", the issue is fixed.
>
> ...
>
> switch (rv) {
>
>   case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
>     snprintf(password_prompt,
>       sizeof(password_prompt), _("Error 2324: Certificate has expired"));
>     break;
>   case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
>     snprintf(password_prompt,
>       sizeof(password_prompt), _("Error 2326: Certificate not yet valid"));
>     break;
>   case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
>     snprintf(password_prompt,
>       sizeof(password_prompt), _("Error 2328: Certificate signature invalid"));
>     break;
>   default:
>     snprintf(password_prompt,
>       sizeof(password_prompt), _("Error 2330: Certificate invalid"));
>     break;
> }
>
> I think there is a more general issue here; in PAM we should check *all*
> certificates, and only if they are ALL invalid should error feedback be
> given. And expired/invalid/not-yet-valid output should only be given
> debug/verbose style if there is a valid one.
>
> It is not uncommon to do roll-over smartcards, which already have the
> 'new' cert or still have the expired cert.
I changed the "break;" to "continue;" in
https://github.com/OpenSC/pam_pkcs11/commit/4ef003ac43405f6391bf965a043f9fe4c4704f1d
Thanks
--
Dr. Ludovic Rousseau
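As an added illustration of the break-versus-continue difference discussed in this thread (constructed here, not pam_pkcs11's own code): a certificate loop driven by a stand-in verify result, where `cert_t`, `sample_card`, `pick_cert_break` and `pick_cert_continue` are hypothetical names and the sample card is a roll-over card whose valid certificate is listed last.

```c
#include <stdio.h>
/* Constructed stand-in for pam_pkcs11's verify_certificate() result:
 * 0 = valid, negative = the codes quoted in the thread (-2 expired,
 * -3 not yet valid, -4 issuer cert not found locally). */
typedef struct { const char *label; int verify_rv; } cert_t;
/* Hypothetical roll-over card: the valid cert is listed last. */
static const cert_t sample_card[3] = {
    { "old-cert",     -2 },
    { "stray-cert",   -4 },
    { "current-cert",  0 },
};
static const char *describe(int rv) {
    switch (rv) {
    case -2: return "Error 2324: Certificate has expired";
    case -3: return "Error 2326: Certificate not yet valid";
    case -4: return "Error 2328: Certificate signature invalid";
    default: return "Error 2330: Certificate invalid";
    }
}
/* Shape of the 0.6.7 loop: the first failing certificate stops the scan,
 * so a valid one later on the card is never examined.
 * Returns the index of the accepted certificate, or -1 with msg set. */
int pick_cert_break(const cert_t *c, size_t n, char *msg, size_t len) {
    msg[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (c[i].verify_rv < 0) {
            snprintf(msg, len, "%s", describe(c[i].verify_rv));
            break;                      /* abandons the remaining certs */
        }
        return (int)i;
    }
    return -1;
}
/* Same loop after the break -> continue change: every certificate is
 * tried, and the error text only survives when none was accepted. */
int pick_cert_continue(const cert_t *c, size_t n, char *msg, size_t len) {
    msg[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (c[i].verify_rv < 0) {
            snprintf(msg, len, "%s", describe(c[i].verify_rv));
            continue;                   /* try the next certificate */
        }
        msg[0] = '\0';                  /* a valid cert: drop the error */
        return (int)i;
    }
    return -1;
}
int main(void) {
    char msg[64];
    printf("break:    %d (%s)\n", pick_cert_break(sample_card, 3, msg, sizeof msg), msg);
    printf("continue: %d (%s)\n", pick_cert_continue(sample_card, 3, msg, sizeof msg), msg);
    return 0;
}
```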