OpenSC / pam_pkcs11

This Linux-PAM login module allows an X.509 certificate based user login
GNU Lesser General Public License v2.1

Check crl_offline failed when openssl works #68

Open tgreil opened 1 year ago

tgreil commented 1 year ago

=> Problem Description

Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their account only with their card and PIN. Without checking CRLs, everything works. But when we try to set crl_offline in cert_policy, the certificate is rejected. We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert, and here the verification works.

=> Steps to reproduce

To reproduce this, we identify ourselves on the login screen, try to log in and type the PIN code.

=> Logs

Our configuration file /etc/pam_pkcs11/pam_pkcs11.conf: https://gist.github.com/tgreil/cfda9fb2cd041dfcf37eec70d7df0022

The following logs are found in /var/log/auth.log

Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
Oct 27 14:54:32 mymachin gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found

and we also have this screenshot

or in the terminal with debug mode:

DEBUG:cert_vfy.c:389: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:226: crl policy: 2
DEBUG:cert_vfy.c:241: looking for an dedicated local crl
DEBUG:pkcs11_lib.c:1490: logout user
DEBUG:pkcs11_lib.c:1497: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1503: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pklogin_finder.c:138: verify_certificate() failed: check_for_revocation() failed: no dedicated crl available
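One way to check the CRL directory for the naming pitfall that produces "no dedicated crl available", as an added diagnostic that is not part of pam_pkcs11 or of the reporter's setup. It assumes, from the "Adding hash dir" debug line, that crl_dir is consulted as an OpenSSL hash directory, so a CRL is only found through an entry named after the issuer hash (the layout openssl rehash creates), whereas the openssl verify command above was handed a file path directly; the functions and file names are this example's own.

```shell
#!/bin/sh
# Added diagnostic, not code from pam_pkcs11 or from the reporter's setup.
# Assumption: pam_pkcs11 consults crl_dir as an OpenSSL hash directory (the
# debug line says "Adding hash dir"), so a CRL is found only through an entry
# named <issuer-name-hash>.rN, the layout `openssl rehash` (or c_rehash)
# creates. A CRL copied in under any other name passes a direct `openssl
# verify` run against its path yet is invisible to the hash-dir lookup.

# Report whether the CRL file $2 is reachable through a hash-named entry in $1.
# Returns 0 if reachable, 1 if the entry is missing, 2 if $2 is not a PEM CRL.
check_crl_entry() {
    dir=$1
    crl=$2
    # `openssl crl -hash` prints the issuer-name hash the hash-dir lookup uses.
    hash=$(openssl crl -noout -hash -in "$crl" 2>/dev/null) || return 2
    for cand in "$dir/$hash".r[0-9]*; do
        if [ -e "$cand" ]; then
            echo "ok: $crl reachable as $cand"
            return 0
        fi
    done
    echo "MISSING: $crl needs $dir/$hash.rN (fix: openssl rehash $dir)"
    return 1
}

# Audit every regular file in crl_dir; hash-named entries themselves are
# skipped and files that are not CRLs (CA certs, keys, configs) are ignored.
# Prints the number of unreachable CRLs and returns 0 only when it is zero.
audit_crl_dir() {
    dir=$1
    missing=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.r[0-9]*) continue ;; esac
        rc=0
        check_crl_entry "$dir" "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then missing=$((missing + 1)); fi
    done
    echo "unreachable CRLs in $dir: $missing"
    [ "$missing" -eq 0 ]
}

# Usage: audit_crl_dir /etc/pam_pkcs11/crls
```

A non-zero result from audit_crl_dir means the login path will not see the CRL even though an explicit openssl verify against the same file succeeds.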

tgreil commented 1 year ago

We also have a problem with crl_online, probably due to the same cause. The error message for crl_online is: "failed to get crl ...". Tell me if you need any additional information.