Thread: Re: pam_pkcs11 fails with more than one certificatestored on eToken




Re: pam_pkcs11 fails with more than one certificate stored on eToken
Bulgaria
2007-07-04 07:36:42
Greets Moritz,

As far as I know from my communication with guys from the eToken Tech Support, their driver chooses the latest added certificate. This is the case when implementing smartcard logon in a Windows environment and having more than one smartcard logon/user certificate on the token. I still haven't played with implementing x509 certificate authentication in pam, but I think you will give one token to one user to connect explicitly to the server mentioned. So what is the reason for storing more than one certificate on the token? Despite that fact though, I suppose the problem is more in the Aladdin's RTE than in the pam_pkcs11 module. Soon there will be a 4.0 release for linux and MacOS and it can give us some answers. Hope I was useful.

Best Regards,
Lyuben R. Bahtarliev
System Integration Specialist
Aladdin Ltd. eToken Certified Engineer

Mobile: +359897975706
Office: +35929434647
Fax:    +35929441523
Icq:    21261028

-----Original Message-----
From: opensc-user-bounces@lists.opensc-project.org [mailto:opensc-user-bounces@lists.opensc-project.org] On Behalf Of Moritz Seltmann
Sent: Wednesday, July 04, 2007 12:48 PM
To: opensc-user@lists.opensc-project.org
Subject: [opensc-user] pam_pkcs11 fails with more than one certificate stored on eToken

Hi everyone,

I got a problem with pam_pkcs11 using x.509 certificates if there is more than one certificate stored on an Aladdin eToken PRO.

My system:
- Ubuntu 7.04 Feisty Fawn
- pcscd 1.3.3
- libccid 1.2.1
- libopensc/opensc 0.11.1
- openssl 0.9.8.c
- Linux RTE 3.65 (libetpkcs11.so)
- eToken PRO 32k and 64k (4.2)

RTE 3.65 is necessary because the certificates are used on windows and linux.

To create the certificates I am using tinyca2. The 1024-bit key+certificate are either generated with tinyca2 and imported through firefox (p12-file), or the 1024-bit key is generated on the eToken (with pkcs11-tool), a CSR is created using openssl (with pkcs11-engine), the CSR is signed with tinyca2 and the certificate (der-format) stored on the eToken with pkcs11-tool.

Now the problem is: if there is more than one certificate stored on the eToken, pam_pkcs11 will fail if the one which was stored first is not used, giving the error:
- ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

Or sometimes with the same certificate:
- ERROR:pam_pkcs11.c:546: verify_signature() failed: EVP_VerifyFinal() failed: error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

The funny thing is, if I delete all certificates except one then it will work, even if it was not the first certificate stored.

I tried the different certificates stored on the same eToken with s/mime in thunderbird and there was no problem. So to me it seems as if the problem is with pam_pkcs11, or did I miss some documentation/limitation?

I apologize if my problem is off-topic for this list; if you mind, just ignore me.

Thanks
Moritz Seltmann




_______________________________________________
opensc-user mailing list
opensc-user@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user



Re: pam_pkcs11 fails with more than one certificate stored on eToken
Germany
2007-07-05 09:01:08
Hi Lyuben,

thanks for your response.

Lyuben Bahtarliev wrote:
> I still haven't played with implementing x509 certificate authentication in pam, but I think you will give one token to one user to connect explicitly to the server mentioned. So what is the reason for storing more than one certificate on the token? Despite that fact though, I suppose the problem is more in the Aladdin's RTE than in the pam_pkcs11 module. Soon there will be a 4.0 release for linux and MacOS and it can give us some answers. Hope I was useful.

Well, I thought about having one certificate from our own CA and one from an official CA stored on the etoken. One used for internal server authentication and the other one for email signing/encryption, or to have different certificates for signing and encryption.

I am looking forward to seeing RTE v4.0 for linux, and maybe my problems will disappear.

> Best Regards,
> Lyuben R. Bahtarliev
> System Integration Specialist
> Aladdin Ltd. eToken Certified Engineer
> 
> Mobile:  +359897975706
>  Office:  +35929434647
>    Fax:   +35929441523
>     Icq:   21261028


Kind regards
Moritz Seltmann

Re: pam_pkcs11 fails with more than one certificate stored on eToken
Germany
2007-07-06 05:40:08
Hello a third,

something is strange about the signature padding. To be honest I didn't think about signature padding last week. But with pam_pkcs11 0.6.0 I always get the problem that the signature padding was not correct:
RSA_padding_check_PKCS1_type_1: block type is not 01.

Maybe it is a question for the devel-list: What does cert_policy=signature really mean?

"Does also a signature check to ensure that private and public key matches"

What is checked then and what not? Is absolutely no signature calculated?

When I remove the signature from the cert_policy (cert_policy=ca;) everything works fine. But what would be the sense of absolutely not calculating any signature?

Regards
Cornelius



Moritz Seltmann wrote:
> Hi Lyuben,
>
> thanks for your response.
>
> Lyuben Bahtarliev wrote:
>> I still haven't played with implementing x509 certificate authentication in pam, but I think you will give one token to one user to connect explicitly to the server mentioned. So what is the reason for storing more than one certificate on the token? Despite that fact though, I suppose the problem is more in the Aladdin's RTE than in the pam_pkcs11 module. Soon there will be a 4.0 release for linux and MacOS and it can give us some answers. Hope I was useful.
>
> Well, I thought about having one certificate from our own CA and one from an official CA stored on the etoken. One used for internal server authentication and the other one for email signing/encryption, or to have different certificates for signing and encryption.
>
> I am looking forward to seeing RTE v4.0 for linux, and maybe my problems will disappear.
>
>> Best Regards,
>> Lyuben R. Bahtarliev
>> System Integration Specialist
>> Aladdin Ltd. eToken Certified Engineer
>>
>> Mobile: +359897975706
>> Office: +35929434647
>> Fax:    +35929441523
>> Icq:    21261028
>
> Kind regards
> Moritz Seltmann

-- 
Cornelius Kölbel (Senior Security Consultant), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 9067-252, Fax: -299, Mobile: +49 160 96307089
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing Directors: Oliver Michel, Sven Walther


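A worked model of the check the thread is asking about, added here as an illustration and not code from pam_pkcs11 or from any of the posters: cert_policy=signature has the token sign a random challenge with its private key and then verifies that signature with the public key taken from the certificate pam_pkcs11 selected, so if the selected certificate does not belong to the signing key, the RSA public operation yields garbage and OpenSSL reports exactly the two errors quoted in the thread. The pure-Python toy RSA, the SHA-1 PKCS#1 v1.5 padding and the 512-bit key size are assumptions made for the demo; the function names are mine.

```python
import hashlib
import random

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix of a SHA-1 DigestInfo

def _is_probable_prime(n, rounds=16):  # Miller-Rabin for odd n > 3; fine for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x != 1 and all(pow(x, 1 << i, n) != n - 1 for i in range(r)):
            return False
    return True

def gen_key(bits=512, e=65537):
    """Toy RSA keypair (n, e, d); the key size is constructed for the demo, not for real use."""
    primes = []
    while len(primes) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_type1_encode(msg, k):
    """EMSA-PKCS1-v1_5 block of k bytes: 00 01 FF..FF 00 DigestInfo(SHA-1(msg))."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):  # what the token does with its private key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_type1_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def verify(msg, sig, n, e):
    """Return 'ok', or the text of the OpenSSL error that the same failure raises."""
    s = int.from_bytes(sig, "big")
    if s >= n:                      # RSA_EAY_PUBLIC_DECRYPT refuses s >= n
        return "data too large for modulus"
    em = pow(s, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if em[:2] != b"\x00\x01":       # RSA_padding_check_PKCS1_type_1 wants block type 01
        return "block type is not 01"
    return "ok" if em == pkcs1_type1_encode(msg, len(em)) else "bad signature"

def challenge_response(signing_key, cert_keys):
    """Sign a fresh nonce with the token's key, then verify it against each certificate's public key."""
    nonce = random.getrandbits(128).to_bytes(16, "big")  # the random challenge the module has the token sign
    sig = sign(nonce, signing_key[0], signing_key[2])
    return [verify(nonce, sig, n, e) for n, e, _ in cert_keys]
```

With two keypairs on the "token", `challenge_response(key1, [key1, key2])` returns "ok" for the matching certificate and one of the two thread errors for the other, depending only on whether the signature integer happens to exceed the wrong modulus.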
