pam_pkcs11 unable to process CRLs

Bug #1879710 reported by Neil Webster
Affects | Status | Importance | Assigned to | Milestone
opensc (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

Relates to:

Ubuntu 19.10, Ubuntu 20.04
libpam_pkcs11 0.6.11-2
opensc 0.20.0-3
libssl 1.1.1f (tried on the latest testing version 1.1.1g-1 also)

Background:

Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. Certificate is read, PIN prompts and logs in, which is expected behavior. There is however no method for checking CRLs (Certificate Revocation Lists) reliably. This is needed for security in the event someone lost their smart card/Yubikey, it was compromised somehow, or just renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is valid.

Issue:

When attempting to read a CRL, it either fails to download or causes a segfault.

Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_inspect.c:137: verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed

Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault which seems to point at an issue with libcrypto:

[ 1563.825006] pkcs11_inspect[3820]: segfault at 18 ip 00007ff8e1a95300 sp 00007ffd6db03088 error 4 in libcrypto.so.1.1[7ff8e190e000+19f000]
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66

Workaround:

None - disabling CRL checking defeats the point and is highly insecure.

OCSP should be another potential workaround; however, this doesn't appear to have been included in the package(s).

Last tested on:

Description: Ubuntu 20.04 LTS
Release: 20.04

Neil Webster (neilw-nmw) wrote:

Wrong package initially selected

affects: coolkey (Ubuntu) → opensc (Ubuntu)
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote:

Hi, Could you give an example configuration on how you are setting the CRL servers?

Changed in opensc (Ubuntu):
status: New → Incomplete
Neil Webster (neilw-nmw) wrote:

Hi, see attachment pam_pkcs11.conf - it's pretty much the generic 0.4 package demo file with some small changes. Below I've pasted the ls/cat outputs for the other files in the pam_pkcs11 folder.

/etc/pam_pkcs11$ cat subject_mapping
/DC=com/DC=removedforsecurity/DC=xxx/OU=xxxxxxxx/CN=Neil xxxxxxx -> neil
/CN=Neilxxxxxxxx -> neil

/etc/pam_pkcs11/crls$ ls -l
total 8
-rw-r--r-- 1 root root 934 May 20 14:12 crl1.crl
-rw-r--r-- 1 root root 652 May 14 19:12 crlrevlist.crl
lrwxrwxrwx 1 root root 8 May 20 14:14 d283dc31.r0 -> crl1.crl
lrwxrwxrwx 1 root root 14 May 20 14:14 d283dc31.r1 -> crlrevlist.crl

/etc/pam_pkcs11/cacerts$ ls -l
total 4
lrwxrwxrwx 1 root root 16 May 19 13:47 d283dc31.0 -> nmwcacertb64.cer
-rw-r--r-- 1 root root 1261 May 19 13:46 nmwcacertb64.cer
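
As an added example (not the reporter's files and not pam_pkcs11's code), the script below rebuilds the hash-named CA/CRL directory layout shown above with a throwaway CA and runs OpenSSL's own CRL check against it, so the three outcomes a revocation check must produce (valid, revoked, CRL missing) can be seen without a smart card. It assumes the openssl CLI is installed; "Demo CA", the leaf names and every path are constructed for the example.

```shell
#!/bin/sh
# Added example (not pam_pkcs11 code): rebuild the hashed CA/CRL directory layout
# from the report with a throwaway CA, then run OpenSSL's own CRL check against it.
set -eu
W=$(mktemp -d); mkdir -p "$W/ca" "$W/store" "$W/nocrl"; cd "$W/ca"

# Throwaway CA plus two leaf certs; names are constructed for this example.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
for n in valid revoked; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=$n" >/dev/null 2>&1
    openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$n.pem" -days 30 >/dev/null 2>&1
done

# Minimal 'openssl ca' database, enough to revoke one cert and emit a CRL.
touch index.txt; echo 1000 > crlnumber; echo 1000 > serial
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $W/ca/index.txt
serial = $W/ca/serial
crlnumber = $W/ca/crlnumber
new_certs_dir = $W/ca
certificate = $W/ca/ca.pem
private_key = $W/ca/ca.key
default_md = sha256
default_crl_days = 30
EOF
openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# Install under the names OpenSSL's by-directory lookup expects: <subject hash>.0
# for the CA and <issuer hash>.r0 for its CRL, the same scheme as the d283dc31.0 /
# d283dc31.r0 symlinks in the report. "nocrl" holds the CA only (CRL missing case).
H=$(openssl x509 -hash -noout -in ca.pem)
ln -s "$W/ca/ca.pem"  "$W/store/$H.0"; ln -s "$W/ca/ca.pem" "$W/nocrl/$H.0"
ln -s "$W/ca/crl.pem" "$W/store/$(openssl crl -hash -noout -in crl.pem).r0"

# verify_leaf <hashed dir> <leaf.pem>: prints OK, REVOKED or FAIL. With
# -crl_check a missing CRL is a hard failure, not a silent pass.
verify_leaf() {
    out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1) && { echo OK; return 0; }
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
}
for f in valid revoked; do echo "store/$f: $(verify_leaf "$W/store" "$W/ca/$f.pem")"; done
echo "nocrl/valid: $(verify_leaf "$W/nocrl" "$W/ca/valid.pem")"
```

The report keeps the CA and the CRLs in separate cacerts/ and crls/ directories; the script puts both hash-named links in one directory because `openssl verify` takes a single -CApath, while the naming rule (.0 for certificates, .r0 for CRLs) is the same.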

Neil Webster (neilw-nmw) wrote:

This is fixed with the following patch:

https://github.com/OpenSC/pam_pkcs11/pull/45

It looks like OpenSSL 1.1.0 handling for CRLs hadn't been implemented in cert_vfy.c.

Launchpad Janitor (janitor) wrote:

[Expired for opensc (Ubuntu) because there has been no activity for 60 days.]

Changed in opensc (Ubuntu):
status: Incomplete → Expired