
Thread: pam_pkcs11 fails with more than one certificate stored on eToken




pam_pkcs11 fails with more than one certificate stored on eToken
Germany
2007-07-04 04:48:01
Hi everyone,

I got a problem with pam_pkcs11 using x.509 certificates if there is
more than one certificate stored on an Aladdin eToken PRO.

My system:
- Ubuntu 7.04 Feisty Fawn
- pcscd 1.3.3
- libccid 1.2.1
- libopensc/opensc 0.11.1
- openssl 0.9.8.c
- Linux RTE 3.65 (libetpkcs11.so)
- eToken PRO 32k and 64k (4.2)

RTE 3.65 is necessary because the certificates are used on windows and
linux.

To create the certificates I am using tinyca2. The 1024bit
key+certificate are either generated with tinyca2 and imported through
firefox (p12-file) or the 1024 bit key is generated on the eToken (with
pkcs11-tool), a CSR is created using openssl (with pkcs11-engine), the
CSR is signed with tinyca2 and the certificate (der-format) stored on
the eToken with pkcs11-tool.

Now the problem is, if there is more than one certificate stored on the
eToken pam_pkcs11 will fail, if not the one which was stored first is
used, giving the error:
- ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

Or sometimes with the same certificate:
- ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

The funny thing is if I delete all certificates except one then it will
work, even if it was not the first certificate stored.

I tried the different certificates stored on the same eToken with s/mime
in thunderbird and there was no problem. So to me it seems as if the
problem is with pam_pkcs11 or did I miss some documentation/limitation?

I apologize my problem is off-topic to this list, if you mind just
ignore me.

Thanks
Moritz Seltmann




_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
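
The two OpenSSL errors quoted in the post above are what RSA PKCS#1 v1.5 verification reports when a signature and the public key it is checked against do not belong together. The following is an added example, not part of the original thread and not pam_pkcs11 code: it reproduces both messages in pure Python with constructed toy keys. The seeds, the helper names and the "bad signature" catch-all verdict are assumptions made for the illustration, and it shows what the messages mean, not what caused them on this token.

```python
"""Constructed demo: RSA PKCS#1 v1.5 verification against a non-matching key."""
import hashlib
import random
from collections import Counter

E = 65537
# DER DigestInfo header for SHA-1: 15 bytes + 20-byte digest = 35 bytes,
# the same length as the "hash[35]" value in the quoted debug output.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        # E is prime, so c % E != 1 guarantees gcd(E, c - 1) == 1.
        if c % E != 1 and is_probable_prime(c, rng):
            return c


def make_key(seed, bits=1024):
    """Toy RSA key pair from a fixed seed (constructed test data, NOT secure)."""
    rng = random.Random(seed)
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    while q == p:
        q = gen_prime(bits // 2, rng)
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1)), "k": bits // 8}


def encode(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-1(message))."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(key, message):
    """Private-key operation, i.e. what a token does with the key it selected."""
    m = int.from_bytes(encode(message, key["k"]), "big")
    return pow(m, key["d"], key["n"]).to_bytes(key["k"], "big")


def verify(n, k, message, signature):
    """Check a signature against public modulus n; return an OpenSSL-style verdict."""
    s = int.from_bytes(signature, "big")
    if s >= n:
        return "data too large for modulus"
    em = pow(s, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return "block type is not 01"
    if em != encode(message, k):
        return "bad signature"
    return "signature is valid"


def survey(signing_key, cert_key, rounds=32, seed=0):
    """Sign random 128-byte challenges with one key, verify them with another."""
    rng = random.Random(seed)
    verdicts = Counter()
    for _ in range(rounds):
        challenge = bytes(rng.getrandbits(8) for _ in range(128))
        sig = sign(signing_key, challenge)
        verdicts[verify(cert_key["n"], cert_key["k"], challenge, sig)] += 1
    return verdicts


if __name__ == "__main__":
    key1, key2 = make_key(1), make_key(2)
    print("key 1 signs, cert 1 verifies:", dict(survey(key1, key1)))
    print("key 1 signs, cert 2 verifies:", dict(survey(key1, key2)))
    print("key 2 signs, cert 1 verifies:", dict(survey(key2, key1)))
```

Which of the two errors a mismatched pair produces depends only on whether the signature, read as an integer, happens to be at least as large as the verifying modulus, so the same certificate can show either one from one login attempt to the next.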

Re: pam_pkcs11 fails with more than one certificate stored on eToken
Germany
2007-07-04 08:34:41
Hello,

I can not remember facing any problems when having stored more than one
certificate on the etoken.
Wasn't pam_pkcs11 rewritten in a major manner lately?
What version of pam_pkcs11 are you using?

As I don't think the problem is due to two certificates, I would guess
it is due to the key generation on the etoken.
Have you tried two different certificates, where both keypairs were
generated on the computer/not on the etoken?

The Windows thing is a bit different: The Gina expects a x509 extension
"smartcard logon" to be used to logon to windows.

pam_pkcs11 may nearly use every certificate if it is mapped correctly.

Kind regards
Cornelius


--
Cornelius Kölbel (Senior Security Consultant), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 9067-252, Fax: -299, Mobile: +49 160 96307089
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing directors: Oliver Michel, Sven Walther

Re: pam_pkcs11 fails with more than one certificate stored on eToken
Germany
2007-07-06 04:44:00
Hello again,

to be honest I had not taken a look at pam_pkcs11 yet.
But today I did.
And what should I say. I did it today and nothing worked. :(
Ok - I know - it is a dumb conclusion to say "nothing". But I didn't even
manage to login with a token with only one cert.
Always got some signing errors.

Then I remember a discussion about 0.6.0 between Ludovic and Alon. I
think nss was added in 0.6.0.
And indeed google told me these signing errors could be connected to
openssl 0.9.8c :(

So I will try again to configure with the nss-switch. (Or revert to
0.5.4)

Kind regards
Cornelius

Moritz Seltmann wrote:
> Hi
>
> thanks for your response.
>
> Cornelius Kölbel wrote:
>
>> I can not remember facing any problems when having stored more than one
>> certificate on the etoken.
>
> I am only facing the problems with pam_pkcs11, with s/mime in
> thunderbird I can use all certificates stored on the etoken.
>
>> Wasn't pam_pkcs11 rewritten in a major manner lately?
>> What version of pam_pkcs11 are you using?
>
> I am using pam_pkcs11 0.6.0.
>
>> As I don't think the problem is due to two certificates, I would guess
>> it is due to the key generation on the etoken.
>> Have you tried two different certificates, where both keypairs were
>> generated on the computer/not on the etoken?
>
> Yes I tried several certificates where the keypair was generated on the
> computer (tinyca2) and imported via p12-file using firefox.
>
>> pam_pkcs11 may nearly use every certificate if it is mapped correctly.
>
> That's what I thought, but to me it seems pam_pkcs11 can only use the
> certificate which is listed first in the output from "pkcs11-tool
> --login --module /usr/local/lib/libetpkcs11.so -O".
>
> In the Attachment is a debug.log from several tests I did maybe it is
> helpful.
>
> Kind regards
> Moritz Seltmann
>
> ------------------------------------------------------------------------
>
> +++ eToken with 2 certificates +++
>
> momax:~$ pkcs11-tool --login --module /usr/local/lib/libetpkcs11.so -O
> Please enter User PIN: 
> Private Key Object; RSA 
>   label:      etgen8
>   ID:         42
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      etgen8
>   ID:         42
> Certificate Object, type = X.509 cert
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
> Private Key Object; RSA 
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
>   Usage:      decrypt, sign, unwrap
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> CN=etgen8 (1/2)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password:
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1233: Found 2 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [bd:4b:5c:...:ec]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:8f:64:92:...:f1]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [cf:4a:25:...:77]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:cert_vfy.c:474: signature is valid
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> DEBUG:pam_pkcs11.c:621: releasing pkcs #11 module...
> DEBUG:pam_pkcs11.c:624: authentication succeeded
> DEBUG:pam_pkcs11.c:640: pam_sm_setcred() called
> momax:/etc/pam_pkcs11$ exit
> exit
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> CN=test3Cert (2/2)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password:
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1233: Found 2 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [f4:0e:2a:...:d3]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:79:7d:7a:...:75]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [72:b1:49:...:da]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> Password: 
> su: Authentication failure
> Sorry.
>
> +++ eToken with 3 certificates +++
>
> momax:/etc/pam_pkcs11$ pkcs11-tool --login --module /usr/local/lib/libetpkcs11.so -O
> Please enter User PIN: 
> Private Key Object; RSA 
>   label:      etgen8
>   ID:         42
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      etgen8
>   ID:         42
> Certificate Object, type = X.509 cert
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
> Private Key Object; RSA 
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
>   Usage:      decrypt, sign, unwrap
> Private Key Object; RSA 
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> CN=test3Cert (1/3)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password:
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1233: Found 3 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [96:c8:14:...:96]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:d7:01:6d:...:21]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [11:7a:20:...:03]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> Password: 
> su: Authentication failure
> Sorry.
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> CN=etgen8 (2/3)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password:
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1233: Found 3 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [13:a5:fd:...:f0]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:ba:8b:2b:...:40]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [05:e1:ba:...:90]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:cert_vfy.c:474: signature is valid
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> DEBUG:pam_pkcs11.c:621: releasing pkcs #11 module...
> DEBUG:pam_pkcs11.c:624: authentication succeeded
> DEBUG:pam_pkcs11.c:640: pam_sm_setcred() called
> momax:/etc/pam_pkcs11$ exit
> exit
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> CN=test1Cert (3/3)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password:
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1233: Found 3 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #3
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [0e:ba:f3:...:06]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:33:d5:e4:...:e9]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [62:7d:e2:...:54]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> Password: 
> su: Authentication failure
> Sorry.
>
> +++ eToken with 4 certificates +++
>
> momax:/etc/pam_pkcs11$ pkcs11-tool --login --module
/usr/local/lib/libetpkcs11.so -O
> Please enter User PIN: 
> Private Key Object; RSA 
>   label:      etgen8
>   ID:         42
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      etgen8
>   ID:         42
> Certificate Object, type = X.509 cert
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
> Private Key Object; RSA 
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
>   Usage:      decrypt, sign, unwrap
> Private Key Object; RSA 
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
> Private Key Object; RSA 
>   label:      test2Cert
>   ID:         cc6b9bca3eb5a9952a7af7d4bcf8da28b8aca408
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test2Cert
>   ID:         cc6b9bca3eb5a9952a7af7d4bcf8da28b8aca408
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping ->
CN=test3Cert (1/4)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file
/etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module =
[/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0,
gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module
/usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11
module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken
PKCS#11                  
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1       
           
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin
Knowledge Systems Ltd.  
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3        
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U
00 00                                            
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted. 
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session
for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1233: Found 4 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into
list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into
list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from
/dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] =
[bf:25:98:...:02]
> DEBUG:pkcs11_lib.c:1345: hash[35] =
[...:d1:84:03:...:94]
> DEBUG:pkcs11_lib.c:1375: signature[128] =
[14:01:b0:...:a5]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and
certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed:
EVP_VerifyFinal() failed: error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not
01
> Password: 
> su: Authentication failure
> Sorry.
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping ->
CN=etgen8 (2/4)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file
/etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module =
[/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0,
gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module
/usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11
module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken
PKCS#11                  
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1       
           
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin
Knowledge Systems Ltd.  
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3        
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U
00 00                                            
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted. 
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session
for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1233: Found 4 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into
list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into
list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from
/dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] =
[7d:53:75:...:7a]
> DEBUG:pkcs11_lib.c:1345: hash[35] =
[...:78:9c:20:...:ff]
> DEBUG:pkcs11_lib.c:1375: signature[128] =
[b2:4c:30:...:98]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:cert_vfy.c:474: signature is valid
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and
certificates
> DEBUG:pam_pkcs11.c:621: releasing pkcs #11 module...
> DEBUG:pam_pkcs11.c:624: authentication succeeded
> DEBUG:pam_pkcs11.c:640: pam_sm_setcred() called
> momax:/etc/pam_pkcs11$ exit
> exit
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping ->
CN=test1Cert (3/4)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file
/etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module =
[/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0,
gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module
/usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11
module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken
PKCS#11                  
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1       
           
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin
Knowledge Systems Ltd.  
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3        
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U
00 00                                            
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted. 
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session
for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1233: Found 4 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into
list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into
list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #3
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from
/dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] =
[af:79:99:...:8b]
> DEBUG:pkcs11_lib.c:1345: hash[35] =
[...:48:40:10:...:98]
> DEBUG:pkcs11_lib.c:1375: signature[128] =
[df:5c:b1:...:c3]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and
certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed:
EVP_VerifyFinal() failed: error:04067084:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
> Password: 
> su: Authentication failure
> Sorry.
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping ->
CN=test2Cert (4/4)
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file
/etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module =
[/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0,
gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module
/usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11
module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken
PKCS#11                  
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1       
           
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin
Knowledge Systems Ltd.  
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3        
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U
00 00                                            
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted. 
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session
for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1233: Found 4 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into
list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper
'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into
list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #3
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match()
returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does
not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #4
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to
x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir
'/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match()
returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from
/dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] =
[ee:59:8e:...:20]
> DEBUG:pkcs11_lib.c:1345: hash[35] =
[...:e7:89:f8:...:27]
> DEBUG:pkcs11_lib.c:1375: signature[128] =
[e0:62:a3:...:fc]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and
certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed:
EVP_VerifyFinal() failed: error:04067084:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
> Password: 
> su: Authentication failure
> Sorry.
>
> +++
>
> momax:/etc/pam_pkcs11$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --login --keypairgen --key-type rsa:1024 --id 43 --label "etgen9"
> Please enter User PIN: 
> Key pair generated:
> Private Key Object; RSA 
>   label:      etgen9
>   ID:         43
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 1024 bits
>   label:      etgen9
>   ID:         43
>   Usage:      encrypt, verify, wrap
>
> momax:~/eToken$ openssl
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libetpkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/local/lib/libetpkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>      [ available ]
> OpenSSL>
>
> OpenSSL> req -engine pkcs11 -new -key id_43 -keyform
engine -out etgen9-req.pem -text
> engine "pkcs11" set.
> PKCS#11 token PIN: 
> You are about to be asked to enter information that
will be incorporated
> into your certificate request.
> What you are about to enter is what is called a
Distinguished Name or a DN.
> There are quite a few fields but you can leave some
blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [DE]:
> State or Province Name (full name)
[Baden-Wuerttemberg]:
> Locality Name (eg, city) [Stuttgart]:
> Organization Name (eg, company) [Hochschule der
Medien]:
> Organizational Unit Name (eg, section)
[Medieninformatik]:
> Common Name (eg, YOUR name) []:etgen9
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> OpenSSL> quit
>
> ### Sign CSR etgen9-req.pem with tinyca2 -> export
certificate
>
> momax:~/eToken$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --login -w etgen9-cert.der --type cert --label "etgen9"
> Please enter User PIN: 
> Generated certificate:
> Certificate Object, type = X.509 cert
>   label:      etgen9
> momax:~/eToken$
>
> momax:/etc/pam_pkcs11$ pkcs11-tool --login --module
/usr/local/lib/libetpkcs11.so -O
> Please enter User PIN: 
> Private Key Object; RSA 
>   label:      etgen8
>   ID:         42
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      etgen8
>   ID:         42
> Certificate Object, type = X.509 cert
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
> Private Key Object; RSA 
>   label:      test3Cert
>   ID:         48982564b3bd0ce6602fcfe00e07b43fd58ffdc6
>   Usage:      decrypt, sign, unwrap
> Private Key Object; RSA 
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test1Cert
>   ID:         2e43dcaa8d83c18aaee5848edc8931de45543d24
> Private Key Object; RSA 
>   label:      test2Cert
>   ID:         cc6b9bca3eb5a9952a7af7d4bcf8da28b8aca408
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test2Cert
>   ID:         cc6b9bca3eb5a9952a7af7d4bcf8da28b8aca408
> Private Key Object; RSA 
>   label:      test4Cert
>   ID:         a56b207a8ae6de0d8a67d5eb6745c5ac166b5cfb
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test4Cert
>   ID:         a56b207a8ae6de0d8a67d5eb6745c5ac166b5cfb
> Private Key Object; RSA 
>   label:      test5Cert
>   ID:         7a94c76356b3f4ac8acdb1867ce29c17d7f4dfb3
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test5Cert
>   ID:         7a94c76356b3f4ac8acdb1867ce29c17d7f4dfb3
> Private Key Object; RSA 
>   label:      test8Cert
>   ID:         fec64e736fe0a58aa63f1a80573ef8b8a214aaf1
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      test8Cert
>   ID:         fec64e736fe0a58aa63f1a80573ef8b8a214aaf1
> Private Key Object; RSA 
>   label:      etgen9
>   ID:         43
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      etgen9
> momax:/etc/pam_pkcs11$
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping ->
DN=etgen9
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file
/etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module =
[/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0,
gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module
/usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11
module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken
PKCS#11                  
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1       
           
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin
Knowledge Systems Ltd.  
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3        
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00  
                                               
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U
00 00                                            
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.   
                
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted. 
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session
for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #5:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   a5
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #6:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   7a
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #7:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   fe
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #8:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   80
> DEBUG:pkcs11_lib.c:1233: Found 8 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #2
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #3
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #4
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #5
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #6
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #7
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 0
> DEBUG:mapper_mgr.c:300: Mapper module null match() returns 0
> DEBUG:pam_pkcs11.c:486: certificate is valid but does not match the user
> DEBUG:pam_pkcs11.c:436: verifing the certificate #8
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [21:87:90:...:04]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:ec:47:76:...:8c]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [6b:e1:5f:...:1b]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> Password: 
>
> su: Authentication failure
> Sorry.
>
> momax:/etc/pam_pkcs11$ sudo vi subject_mapping -> DN=etgen8
>
> momax:/etc/pam_pkcs11$ su mo
> DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your smart card or enter your username.
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:298: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:742: PKCS #11 module = [/usr/local/lib/libetpkcs11.so]
> DEBUG:pkcs11_lib.c:759: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:768: loading module /usr/local/lib/libetpkcs11.so
> DEBUG:pkcs11_lib.c:776: getting function list
> DEBUG:pam_pkcs11.c:307: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:868: module information:
> DEBUG:pkcs11_lib.c:869: - version: 2.1
> DEBUG:pkcs11_lib.c:870: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:871: - flags: 0000
> DEBUG:pkcs11_lib.c:872: - library description: eToken PKCS#11
> DEBUG:pkcs11_lib.c:873: - library version: 3.65
> DEBUG:pkcs11_lib.c:880: number of slots (a): 3
> DEBUG:pkcs11_lib.c:903: number of slots (b): 3
> DEBUG:pkcs11_lib.c:804: slot 1:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0007
> DEBUG:pkcs11_lib.c:814: - token:
> DEBUG:pkcs11_lib.c:820:   - label: HdM eToken #1
> DEBUG:pkcs11_lib.c:821:   - manufacturer: Aladdin Knowledge Systems Ltd.
> DEBUG:pkcs11_lib.c:822:   - model: eToken CardOS/M4
> DEBUG:pkcs11_lib.c:823:   - serial: 001330f3
> DEBUG:pkcs11_lib.c:824:   - flags: 000d
> DEBUG:pkcs11_lib.c:804: slot 2:
> DEBUG:pkcs11_lib.c:810: - description: AKS ifdh 01 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> DEBUG:pkcs11_lib.c:804: slot 3:
> DEBUG:pkcs11_lib.c:810: - description: Cherry ST1044U 00 00
> DEBUG:pkcs11_lib.c:811: - manufacturer: Aladdin Ltd.
> DEBUG:pkcs11_lib.c:812: - flags: 0006
> Smart card inserted.
> DEBUG:pkcs11_lib.c:1015: opening a new PKCS #11 session for slot 1
> Welcome HdM eToken #1!
> Smart card password: 
> DEBUG:pam_pkcs11.c:396: password = [Mo07test]
> DEBUG:pkcs11_lib.c:1034: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   42
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #2:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   2e
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #3:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   48
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #4:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   cc
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #5:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   a5
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #6:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   7a
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #7:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   fe
> DEBUG:pkcs11_lib.c:1198: Saving Certificate #8:
> DEBUG:pkcs11_lib.c:1200: - type: 00
> DEBUG:pkcs11_lib.c:1201: - id:   80
> DEBUG:pkcs11_lib.c:1233: Found 8 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
> DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
> DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:cert_vfy.c:335: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:347: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:433: certificate is valid
> DEBUG:cert_vfy.c:204: crl policy: 0
> DEBUG:cert_vfy.c:207: no revocation-check performed
> DEBUG:cert_vfy.c:447: certificate has not been revoked
> DEBUG:mapper_mgr.c:300: Mapper module subject match() returns 1
> DEBUG:pam_pkcs11.c:489: certificate is valid and matches the user
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [b8:ee:1a:...:cc]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:46:18:9a:...:07]
> DEBUG:pkcs11_lib.c:1375: signature[128] = [40:be:cd:...:8a]
> DEBUG:pam_pkcs11.c:537: verifying signature...
> DEBUG:cert_vfy.c:474: signature is valid
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
> DEBUG:pam_pkcs11.c:621: releasing pkcs #11 module...
> DEBUG:pam_pkcs11.c:624: authentication succeeded
> DEBUG:pam_pkcs11.c:640: pam_sm_setcred() called
>
> momax:/etc/pam_pkcs11$ ps f
>   PID TTY      STAT   TIME COMMAND
> 19874 pts/3    Ss+    0:00 bash
> 10559 pts/2    Ss+    0:00 bash
>  7857 pts/1    Ss     0:00 bash
> 20714 pts/1    S      0:00  _ su mo
> 20728 pts/1    S      0:00      _ bash
> 20750 pts/1    R+     0:00          _ ps f
>  6377 pts/0    Ss+    0:00 /bin/bash
> momax:/etc/pam_pkcs11$ exit
> exit
>
>   

-- 
Cornelius Kölbel (Senior Security Consultant), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 9067-252, Fax: -299, Mobile: +49 160 96307089
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing directors: Oliver Michel, Sven Walther
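
A triage helper for transcripts like the one quoted above, added here as an example (it is not part of the original message or of pam_pkcs11): it strips the `>` quoting, rejoins mail-wrapped lines, and reports for each login attempt which certificate index matched the user and whether signature verification succeeded. The function names are this example's own, and the sample input is constructed from message texts visible in the quoted log.

```python
import re

RECORD = re.compile(r"^(DEBUG|ERROR):([\w.]+):(\d+): ?(.*)$")

# Constructed sample in the shape of the quoted log: '>' quoting, wrapped lines.
SAMPLE = """\
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:436: verifing the certificate #8
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> ERROR:pam_pkcs11.c:546: verify_signature() failed:
EVP_VerifyFinal() failed
> DEBUG:pam_pkcs11.c:287: username = [mo]
> DEBUG:pam_pkcs11.c:436: verifing the certificate #1
> DEBUG:pam_pkcs11.c:489: certificate is valid and
matches the user
> DEBUG:cert_vfy.c:474: signature is valid
"""

def unwrap(text):
    """Drop '>' quoting and rejoin lines that the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if RECORD.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line   # continuation of the previous record
    return records

def attempts(text):
    """One dict per login attempt: user, matched certificate index, result."""
    out, idx = [], None
    for rec in unwrap(text):
        level, _, _, msg = RECORD.match(rec).groups()
        if m := re.match(r"username = \[(.*?)\]", msg):
            out.append({"user": m[1], "matched": None, "signature": "unknown"})
        elif not out:
            continue                    # output before the first attempt starts
        elif m := re.match(r"verifing the certificate #(\d+)", msg):
            idx = int(m[1])             # the log itself spells it "verifing"
        elif msg.startswith("certificate is valid and matches"):
            out[-1]["matched"] = idx
        elif msg.startswith("signature is valid"):
            out[-1]["signature"] = "valid"
        elif level == "ERROR" and "verify_signature() failed" in msg:
            out[-1]["signature"] = "failed"
    return out
```

Run over a full transcript, an attempt with `signature` set to `failed` and `matched` greater than 1 is the pattern this thread reports.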

