=> Problem Description
Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user account only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_offline on cert_policy, the certificate is rejected.
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.
=> Steps to reproduce
To achieve this result, we just identify ourselves on the login screen, try to log in and type the PIN code.
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found
We also have this screenshot.
Or in the terminal with debug mode:
DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pklogin_finder.c:138: verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
We also have a problem with crl_online, probably due to the same cause.
The error message for crl_online is: "failed to get crl ..."
Tell me if you need any additional information.
=> Logs
Our configuration file /etc/pam_pkcs11/pam_pkcs11.conf: https://gist.github.com/tgreil/cfda9fb2cd041dfcf37eec70d7df0022
The log lines quoted above were found in /var/log/auth.log.
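A check of the CRL directory layout, added here as an example and not taken from the bug report or from pam_pkcs11. It assumes that a hash directory such as /etc/pam_pkcs11/crls is expected to hold CRLs under the OpenSSL hash-dir names (<issuer-name-hash>.rN, next to <subject-name-hash>.N for the CA certificates, which is what `openssl rehash` creates), and it verifies the user certificate with -CApath so the same name lookup is exercised instead of the -CAfile form used in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or pam_pkcs11): does DIR contain a
# CRL stored under the hash-dir name that an OpenSSL hash lookup expects for
# the issuer of CERT, and does CERT verify with -crl_check against DIR?
# Assumption: the "dedicated local crl" lookup finds the CRL by that
# <issuer-hash>.rN file name; plain openssl commands mirror that here.

# check_crl_dir DIR CERT -> 0 if a matching CRL is present and the
# certificate verifies with CRL checking, non-zero otherwise (reason on stderr).
check_crl_dir() {
    dir=$1; cert=$2
    ihash=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    found=""
    for f in "$dir/$ihash".r*; do
        [ -e "$f" ] || continue
        # The file must really be a CRL whose issuer name hashes to the same value.
        if [ "$(openssl crl -in "$f" -noout -hash 2>/dev/null)" = "$ihash" ]; then
            found=$f
            break
        fi
    done
    if [ -z "$found" ]; then
        echo "no CRL named $ihash.rN in $dir (a CRL there under another name is not found by hash; try: openssl rehash $dir)" >&2
        return 1
    fi
    echo "dedicated CRL for issuer hash $ihash: $found" >&2
    # -CApath performs the same hash-name lookup for both CA certs and CRLs,
    # so this reports "unable to get certificate CRL" or "certificate revoked"
    # exactly when a hash-dir based check would.
    openssl verify -crl_check -CApath "$dir" "$cert" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    check_crl_dir "$1" "$2"
fi
```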