From: Logan G. <lo...@ie...> - 2020-08-03 10:06:22
Ah, understood. I missed that part of the mailing list; it's a shame no one from Canonical or Red Hat has stepped in, as they both advertise smart card support using pam_pkcs11! I will happily help with some basic maintenance, so getting write access would be greatly appreciated. I'm unlikely to have time, but if a rewrite is in order, is the best path still through libp11 as mentioned four years ago?

Best,
Logan

On Mon, Aug 3, 2020 at 2:34 AM Ludovic Rousseau <lud...@gm...> wrote:
> Hello,
>
> I used to be the maintainer of pam_pkcs11.
> 4 years ago I asked for help
>
> https://opensc-devel.narkive.com/iYD5vBPl/pam-pkcs-11-needs-a-new-maintainer-s-soon-or-it-will-die
>
> If you plan to use pam_pkcs11 personally and professionally then it is
> a good idea to engage in its development.
> I can add you to the pam_pkcs11-maintainers team so you have write access.
>
> Regards,
>
> On Mon, 3 Aug 2020 at 11:15, Logan Garbarini <lo...@ie...> wrote:
> >
> > Hi all,
> >
> > I've been starting to use OpenSC and pam_pkcs11 personally and professionally and have discovered a couple of issues in `pam_pkcs11`. It looks like the mailing list is the proper avenue for raising some of these issues, so here I go.
> >
> > 1) I've put up a pull request for one bug that has been verified by another user here; this seems to be primarily an issue with OpenSSL versions and how they are handled:
> >
> > https://github.com/OpenSC/pam_pkcs11/pull/45
> >
> > 2) I've found what appears to be a much trickier issue in the ECDSA signature verification of cert_vfy.c (https://github.com/OpenSC/pam_pkcs11/issues/44). I'll reproduce the salient parts of the issue below:
> >
> >> When using signature verification in pam_pkcs11, I immediately run into the following verification issue on ECDSA certs/keys in verify_signature():
> >>
> >> verify_signature() failed: EVP_VerifyFinal() failed: error:25066067:DSO support routines:dlfcn_load
> >>
> >> The primary issue seems to be "Signed big-endian encoding of minimal length", from the stackexchange post "How can I convert a DER ECDSA signature to ASN.1?". The current upstream code doesn't seem to even yield properly terminated ASN1 signatures on modern OpenSSL versions (1.1.0) and, even if it did, lacks handling of BIGNUMs that may be interpreted as signed integers if not properly padded (see above stack exchange).
> >
> > I have attached a hacky demo patch file that, along with the linked stack exchange posts, clarifies my issue and what appears to be the necessary solution.
> >
> > This leads me into my primary question: as someone who hasn't had too much exposure to OpenSC and is certainly not an expert in the OpenSSL API, what is the best way to contribute?
> >
> > It seems like EVP_Verify is a much older API and EVP_DigestVerify is now recommended, has better documentation, and has better support for ECDSA signatures (https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying). However, this would be a much bigger change than trying to reassemble the ASN1 encoding using BN_bin2bn and ECDSA_SIG_get0_*.
> >
> > Best,
> > Logan
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> --
> Dr. Ludovic Rousseau
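The raw-to-DER conversion Logan's issue is about, as an added example that is not part of this thread, of his patch, or of pam_pkcs11: it takes the fixed-width r||s signature a PKCS#11 token returns for CKM_ECDSA and builds the DER ECDSA-Sig-Value that OpenSSL's verify functions expect, applying the "signed big-endian, minimal length" INTEGER rule (strip leading zero bytes, then prepend 0x00 when the top bit is set). In OpenSSL the same result comes from BN_bin2bn, ECDSA_SIG_set0 and i2d_ECDSA_SIG; this version is library-free so the padding rule is visible, and the sample signature in demo_p256 is constructed, not a real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER INTEGER (tag 0x02) from an unsigned big-endian value: strip leading
 * zero bytes (minimal length), then prepend 0x00 if the top bit is set so
 * the value is not read as negative. Returns bytes written, 0 on error. */
static size_t der_uint(const uint8_t *v, size_t n, uint8_t *out, size_t cap) {
    while (n > 1 && v[0] == 0x00) { v++; n--; }
    size_t pad = (v[0] & 0x80) ? 1 : 0;
    size_t len = n + pad;
    if (len > 127 || cap < 2 + len) return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + len;
}

/* Fixed-width raw r||s (what PKCS#11 C_Sign returns for CKM_ECDSA, each
 * half raw_len/2 bytes) -> DER ECDSA-Sig-Value ::= SEQUENCE { r, s }, the
 * form OpenSSL's verify functions expect. Returns bytes written, 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *raw, size_t raw_len,
                        uint8_t *out, size_t cap) {
    uint8_t body[2 * (2 + 66 + 1)];          /* enough for P-521 r and s */
    if (raw_len == 0 || raw_len % 2 || raw_len / 2 > 66) return 0;
    size_t half = raw_len / 2;
    size_t rl = der_uint(raw, half, body, sizeof body);
    if (!rl) return 0;
    size_t sl = der_uint(raw + half, half, body + rl, sizeof body - rl);
    if (!sl) return 0;
    size_t blen = rl + sl;
    size_t hdr = blen < 128 ? 2 : 3;         /* long-form length for >= 128 */
    if (cap < hdr + blen) return 0;
    out[0] = 0x30;
    if (hdr == 2) out[1] = (uint8_t)blen;
    else { out[1] = 0x81; out[2] = (uint8_t)blen; }
    memcpy(out + hdr, body, blen);
    return hdr + blen;
}

/* Constructed P-256 sample, not a real signature: r has its top bit set
 * (needs a 0x00 pad), s has 31 leading zero bytes (must be stripped). */
size_t demo_p256(uint8_t *out, size_t cap) {
    uint8_t raw[64] = {0};
    raw[0] = 0x80;
    raw[63] = 0x7f;
    return ecdsa_raw_to_der(raw, sizeof raw, out, cap);
}
```

Feeding the raw 64 bytes straight to EVP_VerifyFinal/EVP_DigestVerify is exactly the case that fails: without the 0x00 pad on r the encoded value is negative, and without stripping the zeros on s the INTEGER is not minimal, so a strict DER parser rejects either.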