
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found

Hi guys, sorry if my English sucks!

I want your help to find out what I am doing wrong using smartcard login with ldap map.

1) My openldap server has an attribute named cryptPassword I use to login
2) My certificate has an attribute named CPF I want to use as login

Using a Watchdata token, Ubuntu 14.04 amd64, libpam-pkcs11 0.6.8-4 amd64

I try to do
~$ openssl verify -CApath /etc/pam_pkcs11/cacerts
but it gives me no response.

~$ pkcs11_inspect
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug         = 1
DEBUG:ldap_mapper.c:851: ignorecase    = 0
DEBUG:ldap_mapper.c:852: ldaphost      = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport      = 389
DEBUG:ldap_mapper.c:854: ldapURI       = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope         = 2
DEBUG:ldap_mapper.c:856: binddn        = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd        = estacao <at> rlsl
DEBUG:ldap_mapper.c:858: base          = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute     = userCertificate
DEBUG:ldap_mapper.c:860: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on        = 2
DEBUG:ldap_mapper.c:864: tls_randfile  =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers   =
DEBUG:ldap_mapper.c:869: tls_cert      =
DEBUG:ldap_mapper.c:870: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pkcs11_inspect.c:126: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:130: verifying the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:144: Inspecting certificate #1
Printing data for mapper ldap:

DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_inspect.c:161: releasing pkcs #11 module...
DEBUG:pkcs11_inspect.c:164: Process completed

--------------------------------------------------------------------------
~$ pkcs11_listcerts
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
Found '1' certificate(s)
Certificate #1:
- Subject:   /C=BR/O=ICP-Brasil/OU=Pessoa Fisica A3/OU=ARcompany/OU=Autoridade Certificadora companyACF/CN=EMMANUEL FERRO
- Issuer:    /C=BR/O=ICP-Brasil/OU=CSPB-1/OU=Servico Federal de Processamento de Dados - company/CN=Autoridade Certificadora do company Final v4
- Algorithm: rsaEncryption
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed

--------------------------------------------------------------------------
:~$ sudo login 22222222222
Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [22222222222]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
Token found.
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
Welcome eferro!
Token PIN:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug         = 1
DEBUG:ldap_mapper.c:851: ignorecase    = 0
DEBUG:ldap_mapper.c:852: ldaphost      = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport      = 389
DEBUG:ldap_mapper.c:854: ldapURI       = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope         = 2
DEBUG:ldap_mapper.c:856: binddn        = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd        = mypass
DEBUG:ldap_mapper.c:858: base          = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute     = userCertificate
DEBUG:ldap_mapper.c:860: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on        = 2
DEBUG:ldap_mapper.c:864: tls_randfile  =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers   =
DEBUG:ldap_mapper.c:869: tls_cert      =
DEBUG:ldap_mapper.c:870: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:ldap_mapper.c:618: ldap_get_certificate(): begin login = 22222222222
DEBUG:ldap_mapper.c:623: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=22222222222))
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr2
DEBUG:ldap_mapper.c:581: added URI ldap://my-ldap-addr:389
DEBUG:ldap_mapper.c:682: ldap_get_certificate(): try do_open for my-ldap-addr
DEBUG:ldap_mapper.c:144: do_init():
DEBUG:ldap_mapper.c:393: do_open(): do_init failed
DEBUG:ldap_mapper.c:696: ldap_get_certificate(): do_open failed
DEBUG:ldap_mapper.c:892: ldap_get_certificate() failed
DEBUG:mapper_mgr.c:306: Mapper module ldap match() returns 0
DEBUG:pam_pkcs11.c:634: certificate is valid but does not match the user
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates

Login incorrect
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
Please insert your Token or enter your username.

--------------------------------------------------------------------------
:~$ sudo vim /etc/pam_pkcs11/pam_pkcs11.conf
--------------------------------------------------------------------------
pam_pkcs11  {
        # Allow empty passwords
        nullok = true;

        # Enable debugging support.
        debug = true; ##false;

        # Do not prompt the user for the passwords but take them from the
        # PAM_ items instead.
        use_first_pass = false;

        # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
        # is unset.
        try_first_pass = false;

        # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
        # previously set (intended for stacking password modules only).
        use_authtok = true; ##false;

        # Filename of the PKCS #11 module. The default value is "default"
        use_pkcs11_module = wdtoken;

[...]

        # WatchData
        pkcs11_module wdtoken {
                module = "/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so";
                description = "Watchdata token";
                slot_num = 0;
                support_threads = true;
                ca_dir = "/etc/pam_pkcs11/cacerts";
                cert_policy = ca, signature;
                token_type = Token;
        }

[...]

        use_mappers = ldap;

[...]

        mapper ldap {
                debug = true;
                module = "/lib/pam_pkcs11/ldap_mapper.so";
                ldaphost = "my.ldap.addr";
                ldapport = 389;
                URI = "my.ldap.addr my.ldap.addr2";
                scope = 2;
                binddn = "uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br";
                passwd = "mypass";
                base = "dc=company,dc=gov,dc=br";
                attribute = userCertificate;
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                ssl = tls;
                tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
                tls_checkpeer = 0;
        }
}

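Two settings visible in this post deserve a defender's second look: `cert_policy = ca, signature` contains no crl_* option, which is consistent with the `crl policy: 0` / `no revocation-check performed` lines in the log, and the LDAP mapper uses TLS with `tls_checkpeer = 0`, so the directory that supplies userCertificate is never authenticated. The audit script below is an added example, not part of the post or of pam_pkcs11: it parses the `name { key = value; }` syntax shown above (the sample config is constructed from the post's own blocks) and reports those weak spots.

```python
import re

# Constructed from the module and mapper blocks quoted in the post
# (hostnames are the post's own placeholders).
SAMPLE_CONF = """
pam_pkcs11 {
        # Enable debugging support.
        debug = true; ##false;
        use_pkcs11_module = wdtoken;
        pkcs11_module wdtoken {
                module = "/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so";
                ca_dir = "/etc/pam_pkcs11/cacerts";
                cert_policy = ca, signature;
        }
        use_mappers = ldap;
        mapper ldap {
                module = "/lib/pam_pkcs11/ldap_mapper.so";
                URI = "my.ldap.addr my.ldap.addr2";
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                ssl = tls;
                tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
                tls_checkpeer = 0;
        }
}
"""

_BLOCK_OPEN = re.compile(r'^\s*([\w.-]+)(?:\s+([\w.-]+))?\s*\{\s*$')
_ASSIGN = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*;\s*$')


def parse_conf(text):
    """Parse pam_pkcs11's `name [label] { key = value; }` syntax into nested dicts.

    A block header such as `mapper ldap {` becomes the key 'mapper ldap'.
    Everything after '#' is a comment (a '#' inside a quoted value is not
    supported), and surrounding double quotes are stripped from values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            child = {}
            stack[-1][' '.join(p for p in m.groups() if p)] = child
            stack.append(child)
        elif line.strip() == '}':
            stack.pop()
        else:
            m = _ASSIGN.match(line)
            if not m:
                raise ValueError('unparsed line: %r' % raw)
            stack[-1][m.group(1)] = m.group(2).strip('"')
    if len(stack) != 1:
        raise ValueError('unbalanced braces')
    return root


def audit(conf):
    """Return (setting, message) findings for weak settings in a parsed config.

    The checks correspond to what the post's debug log shows: 'crl policy: 0',
    'no revocation-check performed', and an LDAP mapper that uses TLS while
    tls_checkpeer = 0 disables verification of the server certificate.
    """
    findings = []
    top = conf.get('pam_pkcs11', {})

    module = top.get('pkcs11_module ' + top.get('use_pkcs11_module', ''), {})
    policy = {p.strip() for p in module.get('cert_policy', '').split(',') if p.strip()}
    for required in ('ca', 'signature'):
        if required not in policy:
            findings.append(('cert_policy', 'missing %r: chain or key possession is not verified' % required))
    if not any(p.startswith('crl') for p in policy):
        findings.append(('cert_policy', 'no crl_* entry: revoked certificates are still accepted'))

    for name in top.get('use_mappers', '').replace(',', ' ').split():
        mapper = top.get('mapper ' + name, {})
        if name != 'ldap':
            continue
        if mapper.get('ssl', 'off') != 'off' and mapper.get('tls_checkpeer') == '0':
            findings.append(('tls_checkpeer', 'LDAP server certificate is not verified; enable tls_checkpeer and point tls_cacertfile at the issuing CA'))
        for uri in mapper.get('URI', '').split():
            if '://' not in uri:
                findings.append(('URI', '%r has no scheme; use ldap://host:389 or ldaps://host:636' % uri))
    return findings
```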
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
mike tancsa | 24 Apr 18:20 2015

pkcs11_engine on windows

Hi,
	I am having some challenges successfully compiling/using the pkcs11_engine on Windows and was hoping someone could point me in the right direction.....

I set up a cygwin environment on Windows 7 64bit. I have the latest OpenSC installed, and built and installed libP11 from the github repo. I then built the dll:
  export set LIBS='-lp11'
  export set LDFLAGS='-L/usr/local/lib/'
  ./bootstrap
  ./configure
  make
  make install

$ ls -l  ~/work/engine_pkcs11/src/.libs
total 215
-rw-r--r-- 1 mdtancsa None     20 Apr 24 11:07 engine_pkcs11.def
-rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
-rw-r--r-- 1 mdtancsa None   2036 Apr 24 11:07 engine_pkcs11.dll.a
-rw-r--r-- 1 mdtancsa None     28 Apr 24 11:07 engine_pkcs11.dll.def
lrwxrwxrwx 1 mdtancsa None     19 Apr 24 11:07 engine_pkcs11.la -> ../engine_pkcs11.la
-rw-r--r-- 1 mdtancsa None   1003 Apr 24 11:07 engine_pkcs11.lai
-rw-r--r-- 1 mdtancsa None  52803 Apr 24 11:07 engine_pkcs11_la-engine_pkcs11.o
-rw-r--r-- 1 mdtancsa None  21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o

$ file engine_pkcs11.dll
engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

Then I try to generate a key (both with the old non-java etokens using the opensc-pkcs11.dll and the java etokens using the safenet dll), which seems to work. But I am not able to get the openssl portion working so I can then generate a request.

$ ./pkcs15-init.exe -E
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike" --so-pin 123456 --so-puk 123456 -T
2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u sign,decrypt --id 45
2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-tool.exe --list-keys -k -c -C
Private RSA Key [Private Key]
         Object Flags   : [0x3], private, modifiable
         Usage          : [0x2E], decrypt, sign, signRecover, unwrap
         Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
         ModLength      : 2048
         Key ref        : 16 (0x10)
         Native         : yes
         Path           : 3f005015
         Auth ID        : 01
         ID             : 45
         MD:guid        : {ce92c7be-ec89-8a73-acae-68759a047368}
           :cmap flags  : 0x0
           :sign        : 0
           :key-exchange: 0

Using reader with a card: AKS ifdh 0

$ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
Public Key Object; RSA 2048 bits
   label:      Private Key
   ID:         45
   Usage:      encrypt, verify, wrap
Using slot 1 with a present token (0x1)

$ ./openssl.exe
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem -text -x509 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL>

Trying with the SafeNet DLL gives the same / similar problem

$ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen --key-type rsa:2048 --id 45
Key pair generated:
Private Key Object; RSA
   label:
   ID:         45
   Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
   label:
   ID:         45
   Usage:      encrypt, verify, wrap
Using slot 2 with a present token (0x2)

Trying with slot 2
OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL> q

And just specifying the key also fails

OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

	---Mike

Pierre LADEN | 24 Apr 15:21 2015

Re: cryptomate64 support

Hi,

Just wanted to let you know the end of the story; it might help other "lost" users.

ACS sent us a "Linux client kit" which provides a PKCS11 lib for their tokens.
The provided admin tool works quite well with Linux, allowing us to manage the tokens.
SSH clients and PKCS11-compliant browsers are working too, with that same lib.

Unfortunately the library (libacospkcs11.so) is not open source, and ACS does not seem to provide a full open-source opensc module.

Regards,
Pierre

2015-04-16 15:17 GMT+02:00 Pierre LADEN <pladen <at> acipia.fr>:
2015-04-15 16:59 GMT+02:00 Martin Paljak <martin <at> martinpaljak.net>:
On 15/04/15 17:54, Pierre LADEN wrote:
> However it seems like opensc has some support for "acos5 / ACS ACOS5
> card", which is quite near the ACOS5-64 included in Cryptomate64 (64k
> instead of 32k).

The driver is incomplete; it just displays some basic information.

 

Ludovic Rousseau | 24 Apr 12:56 2015

RFC7512: The PKCS #11 URI Scheme

Hello,

I just discovered RFC 7512 [2] by reading [1].

Internet Engineering Task Force (IETF)                       J. Pechanec
Request for Comments: 7512                                     D. Moffat
Category: Standards Track                             Oracle Corporation
ISSN: 2070-1721                                               April 2015

                        The PKCS #11 URI Scheme

Abstract

   This memo specifies a PKCS #11 Uniform Resource Identifier (URI)
   Scheme for identifying PKCS #11 objects stored in PKCS #11 tokens and
   also for identifying PKCS #11 tokens, slots, or libraries.  The URI
   scheme is based on how PKCS #11 objects, tokens, slots, and libraries
   are identified in "PKCS #11 v2.20: Cryptographic Token Interface
   Standard".

Regards,

[1] http://www.bortzmeyer.org/7512.html (in French)
[2] https://www.rfc-editor.org/rfc/rfc7512.txt

-- 
 Dr. Ludovic Rousseau
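As an added illustration of the scheme the RFC defines (not code from the RFC, this post, or OpenSC): a parser and builder for pkcs11: URIs in Python, covering the path/query split, percent-decoding of the binary id attribute, and the slot-id/id pair that the engine_pkcs11 thread above has to pass by hand as 1:45. The token name and paths in the sample URI are constructed.

```python
from urllib.parse import quote, unquote_to_bytes

# Attribute names from RFC 7512 section 2.3. 'id' carries raw bytes,
# 'slot-id' is an integer, everything else is a UTF-8 string.
PATH_ATTRS = {'token', 'manufacturer', 'serial', 'model', 'library-manufacturer',
              'library-version', 'library-description', 'object', 'type', 'id',
              'slot-manufacturer', 'slot-description', 'slot-id'}
QUERY_ATTRS = {'pin-source', 'pin-value', 'module-name', 'module-path'}
OBJECT_TYPES = {'public', 'private', 'cert', 'secret-key', 'data'}
# Characters the RFC lets path / query values carry unencoded, on top of
# the RFC 3986 unreserved set that urllib.parse.quote never encodes.
_PATH_SAFE = ":[]@!$'()*+,=&"
_QUERY_SAFE = ":[]@!$'()*+,=/?|"


def parse_pkcs11_uri(uri):
    """Parse 'pkcs11:path-attrs?query-attrs' into a dict of decoded values.

    Path attributes are ';'-separated, query attributes '&'-separated; the
    first '?' splits the two. Unknown or repeated attributes are rejected.
    """
    if not uri.startswith('pkcs11:'):
        raise ValueError('not a pkcs11: URI')
    path_part, _, query_part = uri[len('pkcs11:'):].partition('?')
    attrs = {}
    for part, sep, allowed in ((path_part, ';', PATH_ATTRS),
                               (query_part, '&', QUERY_ATTRS)):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition('=')
            if not eq or name not in allowed or name in attrs:
                raise ValueError('bad or duplicate attribute: %r' % item)
            raw = unquote_to_bytes(value)        # %XX sequences, any case
            if name == 'id':
                attrs[name] = raw
            elif name == 'slot-id':
                attrs[name] = int(raw.decode('ascii'))
            else:
                attrs[name] = raw.decode('utf-8')
    if 'type' in attrs and attrs['type'] not in OBJECT_TYPES:
        raise ValueError('unknown object type %r' % attrs['type'])
    return attrs


def build_pkcs11_uri(attrs):
    """Serialise a dict as returned by parse_pkcs11_uri back into a URI."""
    path, query = [], []
    for name, value in attrs.items():
        if name == 'id':
            encoded = ''.join('%%%02X' % b for b in value)   # every byte as %XX
        elif name in PATH_ATTRS:
            encoded = quote(str(value), safe=_PATH_SAFE)
        elif name in QUERY_ATTRS:
            encoded = quote(str(value), safe=_QUERY_SAFE)
        else:
            raise ValueError('unknown attribute %r' % name)
        (path if name in PATH_ATTRS else query).append('%s=%s' % (name, encoded))
    return 'pkcs11:' + ';'.join(path) + ('?' + '&'.join(query) if query else '')
```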

Dirk-Willem van Gulik | 23 Apr 09:14 2015

Allowing socket based IPC for X11 on pam_auth

On some systems a socket/IPC can be used for the local display (as opposed to the more traditional Linux localhost:0.0). OSX is one example (as are more modern X11 installs).

Tiny patch below may be of use. It also contains a small signature update for OpenPAM >= 20071221.

Dw.

https://github.com/OpenSC/pam_pkcs11/commit/21c6f331e519c703d77d03691f30e423ec5c7047

8  src/pam_pkcs11/pam_pkcs11.c
 <at>  <at>  -72,7 +72,7  <at>  <at>  static int is_spaced_str(const char *str) {
 /*
  * implement pam utilities for older versions of pam.
  */
-static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt, ...)
+int pam_prompt(const pam_handle_t *pamh, int style, char **response, const char *fmt, ...)
 {
   int rv;
   struct pam_conv *conv;
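Review bot: dropping `static` in the `-static int pam_prompt(...)` / `+int pam_prompt(const pam_handle_t *pamh, ...)` pair exports a symbol with the same name and prototype as the pam_prompt that OpenPAM itself ships, so on the OpenPAM versions this is meant to match (>= 20071221 per the cover note) the module now defines a function the library already provides, and on Linux-PAM it exports a helper nothing else should link against. Keep the function `static`, or compile it only under a configure-time check for a libpam that lacks pam_prompt. The comment above it, "implement pam utilities for older versions of pam", should then say which platforms actually need the fallback.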
 <at>  <at>  -216,12 +216,12  <at>  <at>  PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons

   /* Either slot_description or slot_num, but not both, needs to be used */
   if ((configuration->slot_description != NULL && configuration->slot_num != -1) ||
(configuration->slot_description == NULL && configuration->slot_num == -1)) {
-	ERR("Error setting configuration parameters");
+	ERR("Error setting configuration parameters (no slot numbers or slot descriptions found)");
 	return PAM_AUTHINFO_UNAVAIL;
   }

   /* fail if we are using a remote server
-   * local login: DISPLAY=:0
+   * local login: DISPLAY=:0 (linux) or a <path>:0 (Solaris, OSX)
    * XDMCP login: DISPLAY=host:0 */
   {
 	  char *display = getenv("DISPLAY");
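Review bot: the new text in the `+ERR("Error setting configuration parameters (no slot numbers or slot descriptions found)")` line is wrong for half of what the `if` checks: as the comment above it says ("Either slot_description or slot_num, but not both"), the condition also fires when both are set, and then the message tells the administrator that nothing was found. Word it to the actual rule, e.g. "exactly one of slot_num or slot_description must be set". The revised comment `local login: DISPLAY=:0 (linux) or a <path>:0 (Solaris, OSX)` matches the check changed in the next hunk.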
 <at>  <at>  -229,7 +229,7  <at>  <at>  PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 	  if (display)
 	  {
 		  if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':')
-			  && (display[0] != '\0')) {
+			  && (display[0] != '\0' && display[0] != '/')) {
 			  ERR1("Remote login (from %s) is not (yet) supported", display);
 			  pam_syslog(pamh, LOG_ERR,
 				  "Remote login (from %s) is not (yet) supported", display);
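Review bot: the added `display[0] != '/'` clause treats any DISPLAY that begins with a slash as a local socket path, which is what the "<path>:0" comment promises, but it leaves four negated tests folded into nested parentheses across two lines. Extract them into a small helper, e.g. `static int is_local_display(const char *d)` returning true for "", ":N", "localhost:N" and "/...:N", and write the branch as `if (!is_local_display(display))`; the ERR1/pam_syslog pair stays as it is and the next platform-specific form becomes a one-line addition. Since the decision rests on the DISPLAY environment variable alone, this remains a convenience guard rather than a trust boundary, as the existing "not (yet) supported" wording already implies.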
Martin Paljak | 22 Apr 12:47 2015

PKCS#11 2.40 published.

Link:

https://lists.oasis-open.org/archives/tc-announce/201504/msg00006.html

--
Martin
+372 515 6495

Ludovic Rousseau | 21 Apr 09:44 2015

Pinpad support with PC/SC

Hello,

Some people (2 including me) at the PC/SC workgroup are working on
better documenting how to use a pinpad reader with PC/SC. A draft of
the document is available at [1].

The draft contains samples of use (untested by me) with an IAS/ECC
card. It looks like it is a hot topic for OpenSC these days :-)

Note that:
- The document is still a draft.
- Not all pinpad readers may support all the features described in the document.

Comments, questions, remarks, etc. are greatly welcome.

Bye

[1] http://ludovic.rousseau.free.fr/softwares/pcsc-lite/SecurePIN%20discussion%20v5.pdf

-- 
 Dr. Ludovic Rousseau

Pierre LADEN | 15 Apr 14:51 2015

cryptomate64 support

Hi list,

We're trying to get cryptomate64 tokens to work.
http://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x072F0x90DB

Despite being in "should work" status, it does not work yet. We've tested with both the stock Ubuntu ccid driver and the ACS driver from the vendor.

The result of the "parse" command is exactly the same as it is in
http://pcsclite.alioth.debian.org/ccid/readers/ACS_CryptoMate64.txt

# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
Slot 1 (0x1): (GetSlotInfo failed, CKR_GENERAL_ERROR)

# pkcs15-tool -Dv
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver Default driver for unknown cards.
Trying to find a PKCS#15 compatible card...
PKCS#15 binding failed: Unsupported card

How can we get this to work?

Pierre
Peter Popovec | 14 Apr 15:10 2015

Different/bad signature output format for RSA/EC keys

Hi,

I found a difference in the pkcs15-crypt output when it is used with RSA vs. EC keys.

Please, check the following two examples of file signing:


# create testing file
$ echo "test" > testfile.txt
# create sha1 hash of testing file in binary form:
$ sha1sum testfile.txt|cut -d ' ' -f 1|xxd -p -r > testfile.txt.sha1
# store testing RSA key to (initialized) card:
$ pkcs15-init --store-private-key keys/testTEST.key --pin 1111 --auth-id=1
# then I sign the testing file:
$ pkcs15-crypt  -s --sha-1 -i testfile.txt.sha1 --pkcs1 --pin=1111 -o testfile.txt.sha1.signature
# verification of this signature by openssl:
$ openssl dgst -sha1 -verify  keys/testTEST.pub -signature testfile.txt.sha1.signature  testfile.txt
Verified OK

This seems to be the expected behavior. I repeat this with an EC key:

#store testing EC key to (initialized) card
$ pkcs15-init --store-private-key keys/prime192v1-key.pem  --auth-id=1 --pin 1111
# extract public part directly from card:
$ pkcs15-tool --list-public-keys
Public EC Key [Public Key]
        Object Flags   : [0x2], modifiable
        Usage          : [0x40], verify
        Access Flags   : [0x0]
        FieldLength    : 192
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050155501
        ID             : 55e1379c931514e60f9a6f4f687fa79e69b90159
#
$ pkcs15-tool --read-public-key 55e1379c931514e60f9a6f4f687fa79e69b90159 > keys/prime192v1-pub.pem
# Or we can use:
$ openssl ec -in keys/prime192v1-key.pem -pubout > keys/prime192v1-pub.pem
# Now signature is generated:
$ pkcs15-crypt  -s --sha-1 -i testfile.txt.sha1 --pkcs1 --pin=1111 -o testfile.txt.sha1.signature
# verifying signature:
$ openssl dgst -sha1 -verify  keys/prime192v1-pub.pem  -signature testfile.txt.sha1  testfile.txt
Error Verifying Data
140316864693904:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1345:
140316864693904:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=ECDSA_SIG

In my opinion this should work the same way as with the RSA key ... but it does not.

By inspection of signature:

$ hexdump -C testfile.txt.sha1.signature
00000000  b7 0f f5 1b 85 e1 3c 91  3d ef 3f 7a 30 ef 95 bf  |......<.=.?z0...|
00000010  95 c7 8c 8b 4d 98 3c 4f  80 97 09 05 93 29 41 5c  |....M.<O.....)A\|
00000020  21 a5 3f 01 ea ff 8b 38  bb 43 93 f4 cf fc 61 7f  |!.?....8.C....a.|
00000030

There seem to be some tags missing in this file.


I added the missing tags:

# "06" is ASCII 0x30 0x36: SEQUENCE tag and total length 54; "\002\031\000" is
# INTEGER tag, length 25 (031 octal) and the leading 0x00 pad; both 24-byte
# halves start with a byte >= 0x80 here, so both need the pad.
(echo -n -e "06\002\031\000"
 dd if=testfile.txt.sha1.signature bs=1 count=24          # r
 echo -e -n "\002\031\000"
 dd if=testfile.txt.sha1.signature bs=1 count=24 skip=24  # s
) 2>/dev/null > testfile.txt.sha1.signature.corrected

Corrected signature dump:

$ hexdump -C testfile.txt.sha1.signature.corrected
00000000  30 36 02 19 00 b7 0f f5  1b 85 e1 3c 91 3d ef 3f  |06.........<.=.?|
00000010  7a 30 ef 95 bf 95 c7 8c  8b 4d 98 3c 4f 02 19 00  |z0.......M.<O...|
00000020  80 97 09 05 93 29 41 5c  21 a5 3f 01 ea ff 8b 38  |.....)A\!.?....8|
00000030  bb 43 93 f4 cf fc 61 7f                           |.C....a.|
00000038

Then signature verification:

$ openssl dgst -sha1 -verify  keys/prime192v1-pub.pem  -signature testfile.txt.sha1.signature.corrected  testfile.txt
Verified OK

Do you think this behavior is correct, or is it a design error in pkcs15-crypt?

Thanks.
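The fix-up done above with echo/dd, as an added example that is not code from the original post or from OpenSC: a Python conversion from the raw r || s that pkcs15-crypt wrote to the DER ECDSA-Sig-Value that openssl expects, plus the inverse, with the input bytes transcribed from the two hexdumps above. Unlike the hand patch it adds the 0x00 pad only when the top bit of a half is set, so it also produces valid DER for signatures whose halves start below 0x80.

```python
# Added example, not code from the original post or from OpenSC/OpenSSL.
# pkcs15-crypt wrote the prime192v1 ECDSA signature as the two raw field
# elements r || s (2 x 24 bytes); openssl expects the X9.62 ECDSA-Sig-Value,
# DER SEQUENCE { INTEGER r, INTEGER s }, which is what the post built by hand.

# Transcribed from the two `hexdump -C` listings in the post.
RAW_SIG = bytes.fromhex(
    "b70ff51b85e13c913def3f7a30ef95bf95c78c8b4d983c4f"  # r
    "809709059329415c21a53f01eaff8b38bb4393f4cffc617f"  # s
)
CORRECTED_SIG_HEX = (
    "3036021900b70ff51b85e13c913def3f7a30ef95bf95c78c8b4d983c4f"
    "021900809709059329415c21a53f01eaff8b38bb4393f4cffc617f"
)

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above (P-521 needs it)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_unsigned_integer(value: bytes) -> bytes:
    """Minimal DER INTEGER of a magnitude: strip leading zeros, pad 0x00 if top bit set."""
    value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:  # the 02 19 00 prefix from the post: keeps the value positive
        value = b"\x00" + value
    return b"\x02" + der_length(len(value)) + value

def raw_ecdsa_to_der(raw: bytes) -> bytes:
    """r || s as the card emits it (two equal-width halves) -> DER ECDSA-Sig-Value."""
    if not raw or len(raw) % 2:
        raise ValueError("raw ECDSA signature must be two equal halves")
    half = len(raw) // 2
    body = der_unsigned_integer(raw[:half]) + der_unsigned_integer(raw[half:])
    return b"\x30" + der_length(len(body)) + body

def der_to_raw_ecdsa(der: bytes, field_bytes: int) -> bytes:
    """Inverse: DER ECDSA-Sig-Value -> fixed-width r || s (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE spanning the whole input")
    pos, parts = 2, []
    for _ in range(2):
        if pos + 1 >= len(der) or der[pos] != 0x02:
            raise ValueError(f"expected INTEGER at offset {pos}")
        n = der[pos + 1]
        value = der[pos + 2:pos + 2 + n].lstrip(b"\x00")
        if len(value) > field_bytes:
            raise ValueError("integer wider than the curve's field")
        parts.append(value.rjust(field_bytes, b"\x00"))  # restore fixed width
        pos += 2 + n
    if pos != len(der):
        raise ValueError("INTEGER lengths do not match the SEQUENCE length")
    return b"".join(parts)
```

Writing `raw_ecdsa_to_der(RAW_SIG)` to a file and passing it to `openssl dgst -verify` gives the same "Verified OK" as the corrected dump above.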

Peter Popovec | 9 Apr 10:02 2015

Wrong OID comparison in card.c for EC keys

Hi

I have a problem uploading EC keys to the card:

OPENSC_DEBUG=255 pkcs15-init -vvv --store-private-key keys/prime192v1-key.pem

I added some debug logs to card.c to pinpoint where this fails:

static sc_algorithm_info_t * sc_card_find_alg(sc_card_t *card,
                unsigned int algorithm, unsigned int key_length, void *param)
{
        int i;

        for (i = 0; i < card->algorithm_count; i++) {
                sc_algorithm_info_t *info = &card->algorithms[i];

                if (info->algorithm != algorithm)
                        continue;
                if (info->key_length != key_length)
                        continue;
                if (param)   {
                        sc_log(card->ctx, "comparing alg parameters\n");  // <<<<<< TEMP DEBUG LOG
                        if (info->algorithm == SC_ALGORITHM_EC){
                                sc_log(card->ctx, "SC_ALGORITHM_EC\n"); //<<<<<<<TEMP DEBUG LOG

                                if(sc_compare_oid((struct sc_object_id *)param, &info->u._ec.params.id))
                                        continue;
                        }
                }
                return info;
        }
        return NULL;
}


This is the log of the failed key upload:

0x7f0252186700 09:38:06.029 [pkcs15-init] pkcs15-myeid.c:481:myeid_store_key: called
0x7f0252186700 09:38:06.029 [pkcs15-init] card.c:861:sc_card_find_alg: comparing alg parameters
0x7f0252186700 09:38:06.029 [pkcs15-init] card.c:863:sc_card_find_alg: SC_ALGORITHM_EC
0x7f0252186700 09:38:06.030 [pkcs15-init] pkcs15-myeid.c:493:myeid_store_key: Unsupported algorithm or key size: -1300 (Invalid arguments)
0x7f0252186700 09:38:06.030 [pkcs15-init] pkcs15-lib.c:1444:sc_pkcs15init_store_private_key: Card specific 'store key' failed: -1300 (Invalid arguments)
Failed to store private key: Invalid arguments
0x7f0252186700 09:38:06.030 [pkcs15-init] pkcs15-lib.c:417:sc_pkcs15init_unbind: called
0x7f0252186700 09:38:06.030 [pkcs15-init] pkcs15-lib.c:418:sc_pkcs15init_unbind: Pksc15init Unbind: 0:0x1911a40:0

Apparently the failure is at the OID comparison. But the card supports this OID (1, 2, 840, 10045, 3, 1, 1) ...
Finally, the problem is a wrong condition:


                                if(sc_compare_oid((struct sc_object_id *)param, &info->u._ec.params.id))
                                        continue;

sc_compare_oid() returns true if the OIDs match, so this condition must be negated.

A similar construction already exists in src/tools/pkcs15-tool.c, function read_data_object(void),
with the correct condition:

        for (i = 0; i < count; i++) {
                struct sc_pkcs15_data_info *cinfo = (struct sc_pkcs15_data_info *) objs[i]->data;
                struct sc_pkcs15_data *data_object = NULL;

                if (!sc_format_oid(&oid, opt_data))   {
                        if (!sc_compare_oid(&oid, &cinfo->app_oid))     // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
                                continue;
                }

If someone can confirm this bug in card.c sc_card_find_alg(), please generate a git pull request ... suggested patch in the attachment.

Thanks



Attachment (card_c.patch): text/x-patch, 668 bytes
建明 | 3 Apr 08:25 2015

Hi, may I ask several questions on pam_pkcs11-0.6.7 on an Ubuntu 12.04 x86 system


Hello, guys

  I'm new to this community, so forgive me if I ask something wrong.
  In the past month I managed to configure a smart card to do authentication on Ubuntu 12.04.5 x86.
  I found some problems with pam_pkcs11-0.6.7, which is the version used by Ubuntu 12.04.

I) Problem I
I installed three certificates on the smart card, among which only the last one is the correct one.
pam_sm_authenticate() checks the certificates one by one in a loop. However, when verify_certificate() checks the second one and returns -4, the loop breaks,
so the last certificate has no chance to be checked at all.

As shown in red in the code, it should not break the loop in this case, and if the "break" is changed to "continue", the issue is fixed.

pam_sm_authenticate()
{

    for (i = 0; i < ncert; i++) {
        rv = verify_certificate(x509, &configuration->policy);
        if (rv < 0) {
            ERR1("verify_certificate() failed: %s", get_error());
            if (!configuration->quiet) {
                pam_syslog(pamh, LOG_ERR, "verify_certificate() failed: %s", get_error());
                switch (rv) {
                case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
                    snprintf(password_prompt, sizeof(password_prompt), _("Error 2324: Certificate has expired"));
                    break;
                case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
                    snprintf(password_prompt, sizeof(password_prompt), _("Error 2326: Certificate not yet valid"));
                    break;
                case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
                    snprintf(password_prompt, sizeof(password_prompt), _("Error 2328: Certificate signature invalid"));
                    break;
                default:
                    snprintf(password_prompt, sizeof(password_prompt), _("Error 2330: Certificate invalid"));
                    break;
                }
            }
        }
    }//for
}//function

  II) verify_signature() of a correct certificate from the smart card reports an error like the one in red below.
 I created the certificate using a Windows 2008 Server certificate agent in the standard way, as illustrated at the end of the email.
 I believe the certificate format should be right, and I don't know why the library complains.

DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
ERROR:pam_pkcs11.c:728: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Error 2342: Verifying signature failed
 

  III) It only supports a 128-byte key length; this is hard-coded like this:

int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
               CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length)
{
    *signature_length = 128;
}

However, in real life a 2048-bit key length is commonly used.

Any reply or comments are appreciated. Thanks to everyone in advance.


Best regards
Jianming


Appended are the detailed instructions on configuring PAM on Ubuntu.

Configure Linux smartcard authentication
  • Getting started

The following instructions were verified on Ubuntu 12.04 32-bit on the x86 arch. The smartcard is a Gemalto .NET v2.

PIV smartcards are not verified, so I don't know whether they work.

  • Writing the certificate into the smartcard

I tried a self-signed certificate on the smartcard for authentication with no luck. Maybe this is worth more investigation.

If a self-signed certificate doesn't work for pam-pkcs11, it's suggested that you set up the certificate in the Windows domain
with AD (Active Directory service) and CA (certificate agent service).

    • Create the AD service on a Windows 2008 server. Then join the Ubuntu machine to the AD:

sudo apt-get install likewise-open
sudo domainjoin-cli join DomainFQN DomainAccount
reboot

After setup, try the following command; it should succeed:

su DomainAccount@DomainFQN

    • Install the CA service on the AD server, and write the certificate to the smart card

The following document includes detailed step-by-step instructions on how to issue the certificate and enroll it onto the smart card.

http://henrysluiman.blogspot.hk/2011/12/installing-windows-2008-r2-certificate.html

The steps are rather tedious and will try your patience, but after some trial you will make it.

Note: in this step, pay special attention that the public key length should be 1024 bits rather than 2048 bits,
since the Linux pam-pkcs11 lib only supports a 1024-bit key length.


    • Export the CA root certificate and save it in a file like certnew.pem

By default, the exported certificate is a .cer file, which is in binary format. However, the Linux PAM module expects PEM,
which is ASCII format. You need to convert the .cer file into a .PEM file. I do this by a workaround:
I copy the file to my MacBook, click it there, and there is an option to do the conversion.

  • Setup the software on the ubuntu machine
    • libpam-pkcs11

This is a plugin for the Linux PAM subsystem. It instructs PAM how to use the smart card to do the authentication.

In practice there are some problems with this lib, and we need to make some workarounds to the source code
before moving on. After compiling the source code, replace the lib at /lib/security/pam_pkcs11.so.

    • pcscd libpcsclite1

The underlying library to initiate r/w to the smart card through the reader.

    • libgemaltodonentp11.deb

The vendor's implementation of the PKCS#11 spec, which tells how to interpret the data from the smart card.


    • pcsc-tools

Optional. It provides the pcsc_scan tool to communicate with the smart card hardware, bypassing the PKCS#11 layer.

This is used to verify whether the physical layer of the smart card works.

    • opensc

This is optional. It includes pkcs11-tool, which can be used to r/w objects from/to the smart card. To verify that the card setup is OK, execute

pkcs11-tool --module /usr/lib/libgtop11dotnet.so -I -p 0000 -O -L

  • Config the PAM software.

The document online illustrates how to configure PAM to do smart card login. However, it seems
somewhat old and needs some modification.

http://ubuntuforums.org/showthread.php?t=1557180#2

These are verified steps based on it.

    • sudo mkdir -p /etc/pam_pkcs11/cacerts /etc/pam_pkcs11/crls

/etc/pam_pkcs11/cacerts is where the CA root certificate certnew.pem is stored. /etc/pam_pkcs11/crls is of no interest currently.

    • modify the pam_pkcs11 conf file

zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.example.gz | sudo tee /etc/pam_pkcs11/pam_pkcs11.conf

The key is to modify ca_dir in the config file to the path of the CA root certificate file:

pkcs11_module opensc {
    module = /usr/lib/libgtop11dotnet.so;
    description = "OpenSC PKCS#11 module";
    ....
    ca_dir = /etc/pam_pkcs11/cacerts/viewconnection-jianming-CA.pem;


    • Modify the pam-pkcs11.so source code

There seem to be some problems with pam-pkcs11.so; you need to make some workarounds before moving on.

      • Don't exit the loop when meeting one wrong certificate; continue to pick another one.

if (rv < 0) {
    ERR1("verify_certificate() failed: %s", get_error());
    if (!configuration->quiet) {
        pam_syslog(pamh, LOG_ERR, "verify_certificate() failed: %s", get_error());
        switch (rv) {
        case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
            snprintf(password_prompt, sizeof(password_prompt), _("Error 2324: Certificate has expired"));
            break;
        case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
            snprintf(password_prompt, sizeof(password_prompt), _("Error 2326: Certificate not yet valid"));
            break;
        case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
            snprintf(password_prompt, sizeof(password_prompt), _("Error 2328: Certificate signature invalid"));
            continue;   /* was "break": go on to the next certificate instead */
        default:
            snprintf(password_prompt, sizeof(password_prompt), _("Error 2330: Certificate invalid"));
            break;
        }
    }
}

      • Padding format verification failed.

In file pam_pkcs11-0.6.7/src/common/cert_vfy.c

EVP_VerifyInit(&md_ctx, EVP_sha1());
EVP_VerifyUpdate(&md_ctx, data, data_length);
rv = EVP_VerifyFinal(&md_ctx, signature, signature_length, pubkey);
EVP_PKEY_free(pubkey);
if (rv != 1) {
    set_error("EVP_VerifyFinal() failed: %s", ERR_error_string(ERR_get_error(), NULL));
    // return -1
}

      • It only supports a 128-byte key length, so remember this restriction when creating and signing the certificate.

int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
               CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length)
{
    *signature_length = 128;
}

    • modify the pam conf file

Take the su command as an example. Add one line to the beginning of /etc/pam.d/su:

auth sufficient pam_pkcs11.so

    • Verification

After all the previous steps, execute the command to test whether it works.

su DomainAccount@DomainFQN

The command will prompt the user for the smartcard PIN. After entering the PIN, the authentication succeeds.
Many thanks
