Hi! I succeeded in configuring the pkcs11-pam module to use the Identity card issued by the Finnish government. Also, a smart card with cacert certificates works ok (certificates are stored on Aventra MyEID cards).

I improvised instructions from https://help.ubuntu.com/community/CommonAccessCard However, there seems to be some problem with revocation lists.

1) If any of the certificates on the chain does not have a crl distribution point, the check will fail. I would assume that if a certificate has defined no crl distribution point, it should be ok without the check? Or is it? Looks like one of the ca certificates on the Finnish ID card does not have the crl dist point. See debug below.

2) cacert has their crl list at a secure https address. pam-pkcs11 does not seem to support that. Would it be easy to add it?

Here are the debugs from pkcs11_inspect debug (cert_policy = ca,signature,crl_online;). Btw, this mail has been signed with a cacert.org certificate on an Aventra MyEID card.

Finnish ID card:
-----------------
xxxx@xxxx:~/src/pam_pkcs11-0.6.7$ pkcs11_inspect debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: Smart card PKCS#11 API
DEBUG:pkcs11_lib.c:1111: - library version: 0.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 3
DEBUG:pkcs11_lib.c:1141: number of slots (b): 3
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Virtual hotplug slot
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 2:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: HENKILOKORTTI (perustunnusluku)
DEBUG:pkcs11_lib.c:1058: - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061: - flags: 040c
DEBUG:pkcs11_lib.c:1037: slot 3:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: HENKILOKORTTI (allekirjoitustunn
DEBUG:pkcs11_lib.c:1058: - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061: - flags: 040c
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 2
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 45
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 47
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 48
DEBUG:pkcs11_lib.c:1612: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:pkcs11_inspect.c:128: Found '3' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/crl/vrkcqcc.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [proxy.fineid.fi]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/crl/vrkcqcc.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
Printing data for mapper subject:
/C=FI/serialNumber=nnnnnnnnT/GN=NAME/SN=SURNAME/CN=SURNAME NAME nnnnnnnnT
DEBUG:pkcs11_inspect.c:132: verifing the certificate #2
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/arl/vrkroota.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [proxy.fineid.fi]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/arl/vrkroota.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #2
Printing data for mapper subject:
/C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates
DEBUG:pkcs11_inspect.c:132: verifing the certificate #3
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
ERROR:pkcs11_inspect.c:139: verify_certificate() failed: check_for_revocation() failed: neither the user nor the ca certificate does contain a crl distribution point
-----------------------------------

cacert certificates:
-------------------------
xxxx@xxxx:~/src/pam_pkcs11-0.6.7$ pkcs11_inspect debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: Smart card PKCS#11 API
DEBUG:pkcs11_lib.c:1111: - library version: 0.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 4
DEBUG:pkcs11_lib.c:1141: number of slots (b): 4
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Virtual hotplug slot
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 2:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 3:
DEBUG:pkcs11_lib.c:1047: - description: ACS ACR38U 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: MyEID (Basic PIN)
DEBUG:pkcs11_lib.c:1058: - manufacturer: Aventra Ltd.
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 0098001614952151
DEBUG:pkcs11_lib.c:1061: - flags: 040d
DEBUG:pkcs11_lib.c:1037: slot 4:
DEBUG:pkcs11_lib.c:1047: - description: ACS ACR38U 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: MyEID (Allekirjoitus - PIN)
DEBUG:pkcs11_lib.c:1058: - manufacturer: Aventra Ltd.
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 0098001614952151
DEBUG:pkcs11_lib.c:1061: - flags: 040d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 3
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: dd
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:pkcs11_inspect.c:128: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from https://www.cacert.org/revoke.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:cert_vfy.c:266: download_crl() failed: get_from_uri() failed: unsupported protocol
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
ERROR:pkcs11_inspect.c:139: verify_certificate() failed: check_for_revocation() failed: downloading the crl failed for all distribution points
-----------------------
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
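The two failures in the debug output above (a certificate with no CRL distribution point, and a distribution point whose URI scheme the downloader cannot fetch) come down to what the verifier finds in the X.509 CRLDistributionPoints extension. The following is an added illustration, not code from pam_pkcs11 or from the original mail: a minimal DER walker that extracts the URIs from that extension, and a decision function modelled on the two error strings in the logs. The extension blobs are constructed inline; `check_for_revocation`, `supported` and the treatment of a `None` extension are this example's own assumptions.

```python
# Added example, not pam_pkcs11 code: a minimal DER walker for the X.509 CRLDistributionPoints
# extension plus a decision function modelled on the two check_for_revocation() failures above.

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    l = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(l)]) + l + body

def tlvs(buf):
    """Yield (tag, value) pairs from a buffer holding consecutive DER TLVs."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        i += 2
        length = first
        if first & 0x80:                          # long-form length
            n = first & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def crl_uris(ext_value):
    """Collect every uniformResourceIdentifier GeneralName ([6] IA5String, tag 0x86)
    found under a CRLDistributionPoints extension value (its OCTET STRING contents)."""
    out = []
    for tag, val in tlvs(ext_value):
        if tag == 0x86:
            out.append(val.decode("ascii"))
        elif tag in (0x30, 0xA0):                 # SEQUENCE or [0] constructed: descend
            out.extend(crl_uris(val))
    return out

def cdp_extension(uri):
    """Construct CRLDistributionPoints ::= SEQ { SEQ { [0] { [0] { [6] uri } } } } (sample data)."""
    return der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, uri.encode("ascii"))))))

def check_for_revocation(certs, supported=("http",)):
    """certs: CDP extension values (bytes, or None when a certificate has no such extension)
    for the certificate under test and its CA. Returns (ok, detail); the failure strings mirror
    the two errors above, and `supported` lists the URI schemes the downloader can fetch."""
    uris = [u for ext in certs if ext for u in crl_uris(ext)]
    if not uris:
        return False, "neither the user nor the ca certificate does contain a crl distribution point"
    usable = [u for u in uris if u.split("://", 1)[0] in supported]
    if not usable:
        return False, "downloading the crl failed for all distribution points"
    return True, usable[0]                         # the CRL would now be fetched from here
```

Passing `supported=("http", "https")` shows what adding https support to the downloader would change for the cacert case, while the missing-extension case is a policy question that no downloader change resolves.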