Ok, I attach the debug.
Note 1: on the card there are stored two certificates (one for signature,
another for logon) and only the second has the CA included.
Note 2: if I extract the logon certificate from the card and issue "openssl verify -CApath /etc/pam_pkcs11/cacerts /home/mario/cert.cer" the result is OK.
Mario
$ sudo -i
Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [mario]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/opt/libbit4xpki.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1001: loading module /opt/libbit4xpki.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: bit4id srl
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: bit4id PKCS#11
DEBUG:pkcs11_lib.c:1111: - library version: 1.2
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: ACS ACR 38U-CCID 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: unknown
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: CNS
DEBUG:pkcs11_lib.c:1058: - manufacturer: ST Incard
DEBUG:pkcs11_lib.c:1059: - model: T&S DS/2048 (L)
DEBUG:pkcs11_lib.c:1060: - serial: ***51090000***26
DEBUG:pkcs11_lib.c:1061: - flags: 040d
Smart card found.
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
Welcome CNS!
Smart card PIN:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 44
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 41
DEBUG:pkcs11_lib.c:1612: Found 2 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:196: Inserting mapper [pwent] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT
checks
ERROR:pam_pkcs11.c:559: verify_certificate() failed: certificate is
invalid: unable to get local issuer certificate
Error 2328: Certificate signature invalid
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Post by Ludovic Rousseau
Hello,
Post by Mario Di Ture
I'm unable to authenticate sudo against a smart card when checking the CA.
Post by Mario Di Ture
cert_policy = signature;
cert_policy = ca,signature;
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: certificate is
invalid: unable to get local issuer certificate
Obviously, in the /etc/pam_pkcs11/cacerts there are the CA certificates in
Post by Mario Di Ture
der and pem format (hash linked with pkcs11_make_hash_link).
Thank you very much for your help.
You should activate the debug to know why you get "certificate is
invalid: unable to get local issuer certificate"
Look for "debug = " in your /etc/pam_pkcs11.conf file
Bye
--
Dr. Ludovic Rousseau
_______________________________________________
Muscle mailing list
http://lists.musclecard.com/mailman/listinfo/muscle_lists.musclecard.com
--
Dott. Mario Di Ture
Centro di Ateneo per i Servizi Informatici
Universita' degli Studi di Cassino e del Lazio Meridionale
tel. +39-0776-2993471
fax +39-0776-2993908
sip:***@voip.unicas.it <sip%***@voip.unicas.it>
skype mario.diture
e-mail ***@unicas.it
Via S. Angelo in Theodice localita' Folcara
03043 Cassino FR - Italy
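The hashdir lookup that the debug output shows failing ("Adding hash dir '/etc/pam_pkcs11/cacerts'" followed by "unable to get local issuer certificate") can be checked outside PAM. The script below is an added example, not code from this thread or from pam_pkcs11; it assumes openssl is on PATH and takes the exported card certificate and the cacerts directory as its two arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from pam_pkcs11): diagnose why a
# hashdir lookup such as pam_pkcs11's "Adding hash dir '/etc/pam_pkcs11/cacerts'"
# cannot find the issuer of a card certificate. Assumes openssl is on PATH.
# A hash dir is searched for <hash-of-issuer-name>.N, so the lookup fails when
# that file is absent, points at the wrong CA, or was named with the pre-1.0
# OpenSSL hash by an older linking tool.

# Issuer or subject name of a certificate, with the "issuer=" / "subject="
# prefix stripped so the two can be compared as plain strings.
name_of() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# True if some <hash>.N in the directory is a certificate whose subject is
# the name we are looking for.
link_matches() {
    hash=$1; dir=$2; want=$3
    for f in "$dir/$hash".[0-9]*; do
        [ -e "$f" ] || continue
        [ "$(name_of "$f" subject)" = "$want" ] && return 0
    done
    return 1
}

# Exit status: 0 = issuer found under the current hash (lookup will succeed),
# 1 = only a pre-1.0-style link exists (recreate the links with a current
# openssl), 2 = the issuer is not in the directory at all.
check_issuer_link() {
    cert=$1; dir=$2
    want=$(name_of "$cert" issuer)
    new=$(openssl x509 -in "$cert" -noout -issuer_hash)
    old=$(openssl x509 -in "$cert" -noout -issuer_hash_old 2>/dev/null)
    if link_matches "$new" "$dir" "$want"; then
        echo "OK: issuer '$want' found as $dir/$new.N"; return 0
    elif [ -n "$old" ] && link_matches "$old" "$dir" "$want"; then
        echo "STALE: issuer only linked under old hash $old; relink as $new.N"; return 1
    fi
    echo "MISSING: issuer '$want' is not in $dir"; return 2
}

# Usage: sh check_cacerts.sh /home/mario/cert.cer /etc/pam_pkcs11/cacerts
if [ $# -eq 2 ]; then check_issuer_link "$1" "$2"; fi
```

Run it once per certificate on the card: a cert that passes "openssl verify -CApath" but reports STALE or MISSING here is one pam_pkcs11's hash-dir lookup will reject.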