pam_pkcs11 unable to process CRL's
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
opensc (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
Relates to:
Ubuntu 19.10, Ubuntu 20.04
libpam_pkcs11 0.6.11-2
opensc 0.20.0-3
libssl 1.1.1f (tried on the latest testing version 1.1.1g-1 also)
Background:
Using a smart card (PIV) to log in to Ubuntu, utilising a Yubikey. The certificate is read, the PIN prompt appears and the login succeeds, which is the expected behaviour. There is, however, no reliable way to check CRLs (Certificate Revocation Lists). This is needed for security in case someone loses their smart card/Yubikey, it is compromised in some way, or it is simply renewed with a new certificate. A CRL should be checked at each authentication attempt to validate that the certificate being presented is still valid.
Issue:
When attempting to read a CRL, it either fails to download or causes a segfault.
Online CRLs (crl_online in pam_pkcs11.conf) fail with the following error message:
ERROR:pkcs11_
Offline CRLs (crl_offline in pam_pkcs11.conf) fail with a segfault, which appears to point at an issue with libcrypto:
[ 1563.825006] pkcs11_
[ 1563.825013] Code: 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 20 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 28 c3 66 66 2e 0f 1f 84 00 00 00 00 00 <48> 8b 47 18 c3 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 47 38 c3 66
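To separate a malformed, unsigned or stale CRL from the libcrypto crash above, here is an added diagnostic (not code from the bug report or from pam_pkcs11) that runs the checks crl_offline is expected to perform with the openssl CLI instead; the demo CA, card certificates and CRL it builds are constructed for the example, and real use takes the issuing CA's own CRL file.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the bug report or from pam_pkcs11.
# check_crl CA.pem CRL.pem CARD_CERT.pem
#   returns 0: not revoked, 1: revoked, 2: CRL rejected, 3: other chain error
check_crl() {
    ca=$1; crl=$2; cert=$3
    # Reject a CRL that does not parse or is not signed by the issuing CA
    # (pam_pkcs11 should do the same instead of crashing). The printed
    # verdict is used rather than the exit status of this subcommand.
    if ! openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q '^verify OK'; then
        echo "CRL rejected: unparsable or not signed by $ca"
        return 2
    fi
    echo "CRL $(openssl crl -in "$crl" -noout -nextupdate)"
    # -crl_check is the work crl_offline is expected to do: build the chain,
    # look the serial up in the CRL and fail if the CRL's nextUpdate has passed.
    if out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1); then
        echo "$cert: not revoked"
        return 0
    fi
    case $out in
        *"certificate revoked"*) echo "$cert: REVOKED"; return 1 ;;
        *) echo "$cert: chain check failed: $out"; return 3 ;;
    esac
}

# Constructed demo PKI (CA, one valid card cert, one revoked cert, a CRL) so
# check_crl can be exercised offline; real use takes the issuing CA's own CRL.
make_demo_pki() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoCA -days 2 \
        -keyout ca.key -out ca.pem 2>/dev/null
    for n in good revoked; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
        openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out "$n.pem" 2>/dev/null
    done
    # Minimal 'openssl ca' config: only what -revoke and -gencrl need.
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\n' >ca.cnf
    printf 'certificate=ca.pem\nprivate_key=ca.key\ndefault_md=sha256\n' >>ca.cnf
    : >index.txt
    openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
)

dir=$(mktemp -d)
make_demo_pki "$dir"
check_crl "$dir/ca.pem" "$dir/crl.pem" "$dir/good.pem"
check_crl "$dir/ca.pem" "$dir/crl.pem" "$dir/revoked.pem" || echo "status $?"
```

If the CRL passes here but pam_pkcs11 still segfaults on it, the CRL itself can be ruled out and the report points at the library code path.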
Workaround:
None: disabling CRL checking defeats the purpose and is highly insecure.
OCSP would be another potential workaround; however, it does not appear to have been included in the package(s).
Last tested on:
Description: Ubuntu 20.04 LTS
Release: 20.04
Wrong package initially selected