OpenSC / pam_pkcs11

This Linux-PAM login module allows a X.509 certificate based user login
GNU Lesser General Public License v2.1

EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing #57

Closed aodhan-domhnaill closed 3 years ago

aodhan-domhnaill commented 3 years ago

https://github.com/OpenSC/pam_pkcs11/blob/240e2eb675534d8030df3bc2b02607bdb19af1ff/src/common/cert_vfy.c#L570

I am getting the following failure (full output below),

ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed

I am on commit bb2e3f3a95e44fdf44b0d5a4b377db3179021380 and using an Estonian ID card and I followed setup instructions from Ubuntu

Running this works,

$ pkcs15-tool --read-certificate 01 > /tmp/sc-cert.crt
Using reader with a card: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
$ openssl asn1parse -in /tmp/sc-cert.crt
... bunch of stuff ...

Full output,

$ sudo login aidan
[sudo] password for aidan: 
Smartcard authentication starts
DEBUG:pam_config.c:203: Invalid CRL policy: oscp_on
DEBUG:pam_pkcs11.c:335: username = [aidan]
DEBUG:pam_pkcs11.c:346: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pam_pkcs11.c:361: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project                  
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework      
DEBUG:pkcs11_lib.c:1185: - library version: 0.21
DEBUG:pkcs11_lib.c:1077: number of slots (a): 2
DEBUG:pkcs11_lib.c:1100: number of slots (b): 2
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp                   
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: MACDONALD,AIDAN PLENER... (PIN1)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: IDEMIA                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: UA0040364       
DEBUG:pkcs11_lib.c:1136:   - flags: 040e
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00 
DEBUG:pkcs11_lib.c:1123: - manufacturer: Broadcom Corp                   
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132:   - label: MACDONALD,AIDAN PLENER... (PIN2)
DEBUG:pkcs11_lib.c:1133:   - manufacturer: IDEMIA                          
DEBUG:pkcs11_lib.c:1134:   - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135:   - serial: UA0040364       
DEBUG:pkcs11_lib.c:1136:   - flags: 040e
Smart card found.
DEBUG:pkcs11_lib.c:1411: opening a new PKCS #11 session for slot 1
Welcome MACDONALD,AIDAN PLENER... (PIN1)!
Smart card PIN: 
DEBUG:pkcs11_lib.c:1430: login as user CKU_USER
DEBUG:pkcs11_lib.c:1624: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1626: - type: 00
DEBUG:pkcs11_lib.c:1627: - id:   01
DEBUG:pkcs11_lib.c:1659: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:pwent_mapper.c:174: pwent mapper started
DEBUG:mapper_mgr.c:196: Inserting mapper [pwent] into list
DEBUG:pam_pkcs11.c:578: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:370: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:382: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:482: certificate is valid
DEBUG:cert_vfy.c:226: crl policy: 0
DEBUG:cert_vfy.c:229: no revocation-check performed
DEBUG:cert_vfy.c:496: certificate has not been revoked
DEBUG:cert_info.c:366: CN = [MACDONALD,AIDAN PLENERT,39207050216]
DEBUG:pwent_mapper.c:131: Trying to match pw_entry for cn 'MACDONALD,AIDAN PLENERT,39207050216'
DEBUG:pwent_mapper.c:133: CN 'MACDONALD,AIDAN PLENERT,39207050216' Match login 'aidan'
DEBUG:mapper_mgr.c:306: Mapper module pwent match() returns 1
DEBUG:pam_pkcs11.c:664: certificate is valid and matches the user
Checking signature
DEBUG:pkcs11_lib.c:139: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:157: random-value[128] = [f2:95:ec:...:ca]
DEBUG:pkcs11_lib.c:1734: private key type: 0x00000003
DEBUG:pkcs11_lib.c:1804: hash[51] = [...:38:75:ef:...:0c]
DEBUG:pkcs11_lib.c:1826: increased signature buffer-length to 96
DEBUG:pkcs11_lib.c:1834: signature[96] = [4e:3b:62:...:ba]
DEBUG:pam_pkcs11.c:727: verifying signature...
DEBUG:cert_vfy.c:518: public key type: 0x00000198
DEBUG:cert_vfy.c:519: public key bits: 0x00000180
DEBUG:cert_vfy.c:540: hashing with SHA256
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
ERROR:pam_pkcs11.c:736: verify_signature() failed: EVP_VerifyFinal() failed: error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing
Error 2342: Verifying signature failed

wolneykien commented 3 years ago

Do you have any specific (non-default) settings in openssl.cnf?

aodhan-domhnaill commented 3 years ago

openssl.cnf.gz

I don't think so. I never touched it myself. I attached it

wolneykien commented 3 years ago

Are these about the same?

wolneykien commented 3 years ago

Anyway, it would be nice to debug it deeper: down to asn1_item_embed_d2i:field missing in order to know which particular field is missing.

aodhan-domhnaill commented 3 years ago

https://github.com/OpenSC/pam_pkcs11/issues/44 shouldn't be an issue AFAIK because I am running on the latest build. And looks like the other linked issue was resolved by #44 as well.

Maybe I can modify the code a bit to have it say what field was missing.

aodhan-domhnaill commented 3 years ago

I made a small modification and noticed that Ubuntu 20.04 wasn't using the built-from-source versions when running sudo login aidan.

After running the below, it worked

sudo mv /usr/local/lib/security/* /lib/security/
sudo mv /usr/local/lib/pam_pkcs11/* /lib/pam_pkcs11/

because I needed to replace the Ubuntu installed versions with the most recent version from commit bb2e3f3a95e44fdf44b0d5a4b377db3179021380
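The fix above is to put the freshly built files where Ubuntu's PAM actually loads them from (/lib/security and /lib/pam_pkcs11) instead of the make-install default under /usr/local/lib. The check below is an added example, not code from pam_pkcs11 or from this thread: it compares the module files in a built directory against the directory PAM loads from and lists the ones that are missing or differ, so that "the fix did not work" can be told apart from "the fix was never loaded" before any further debugging of the module. The directory names are parameters with the thread's paths as defaults, and the small directory tree the demo function builds is constructed. One caveat the thread does not mention: files moved over package-managed paths are overwritten by the next package upgrade; Debian and Ubuntu provide dpkg-divert for keeping a local replacement in place.

```python
"""Added example, not pam_pkcs11 code: report where a source-built copy of the
pam_pkcs11 module files differs from the copy in the directory PAM loads from.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Defaults taken from the thread: make-install location vs Ubuntu 20.04's PAM path.
BUILT_DIR_DEFAULT = "/usr/local/lib/security"
LOADED_DIR_DEFAULT = "/lib/security"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_module_dirs(built_dir, loaded_dir, suffixes=(".so",)):
    """For every module file in built_dir, report its state in loaded_dir:
    "same" (identical bytes), "differs" (stale copy) or "missing"."""
    result = {}
    for f in sorted(Path(built_dir).iterdir()):
        if not f.is_file() or f.suffix not in suffixes:
            continue
        other = Path(loaded_dir) / f.name
        if not other.is_file():
            result[f.name] = "missing"
        elif _sha256(f) != _sha256(other):
            result[f.name] = "differs"
        else:
            result[f.name] = "same"
    return result


def stale_loaded_copies(built_dir, loaded_dir):
    """Names whose loaded copy is not the build that was just made."""
    return [name for name, state in compare_module_dirs(built_dir, loaded_dir).items()
            if state != "same"]


def demo_on_constructed_tree():
    """Constructed sample tree: one stale module, one current mapper, one mapper
    that was never installed, and a non-module file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="pam_pkcs11_check_"))
    built, loaded = root / "built", root / "loaded"
    built.mkdir()
    loaded.mkdir()
    (built / "pam_pkcs11.so").write_bytes(b"new build")
    (loaded / "pam_pkcs11.so").write_bytes(b"ubuntu package")
    (built / "pwent_mapper.so").write_bytes(b"same bytes")
    (loaded / "pwent_mapper.so").write_bytes(b"same bytes")
    (built / "openssh_mapper.so").write_bytes(b"never installed")
    (built / "README").write_bytes(b"not a module")
    return compare_module_dirs(built, loaded), stale_loaded_copies(built, loaded)


if __name__ == "__main__":
    built, loaded = (sys.argv[1:3] if len(sys.argv) == 3
                     else (BUILT_DIR_DEFAULT, LOADED_DIR_DEFAULT))
    report = compare_module_dirs(built, loaded) if os.path.isdir(built) else {}
    for name, state in report.items():
        print(f"{state:8} {name}")
    sys.exit(1 if any(state != "same" for state in report.values()) else 0)
```

Run it once for each pair of directories (/usr/local/lib/pam_pkcs11 against /lib/pam_pkcs11 for the mapper modules); a non-zero exit means the copy PAM loads is not the one that was built.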