On Mon, Mar 30, 2020 at 02:22:44PM -0000, Hristina Marosevic wrote:
Hello,
I successfully added the CRL list into nssdb. The CRL list is in DER format.
So, I tested the last scenario, which was validation of the revoked user certificate used
for authentication using an offline CRL list instead of using OCSP. So, just giving info
about this:
In the [sssd] section of the sssd.conf file, option certificate_validation has value
"no_ocsp" and in the log file recorded using strace, these lines were generated:
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_verification]
(0x0040): Certificate [(null)][CN=test_sssd_revoked.....] not valid [-8102][Certificate
key usage inadequate for attempted operation.].\n", 228) = 228
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_work] (0x0400):
Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0040):
do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0020):
p11_child failed!\n", 89) = 89
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
So, the authentication did not pass, which was expected.
Please confirm that this is the answer that the p11_child should give in case of a revoked
user certificate.
Hi,
yes, in the way SSSD is using NSS '[-8102][Certificate key usage
inadequate for attempted operation.]' is often returned instead of a
more specific error message when certificate validation fails.
bye,
Sumit
If it is like that, by this step I can confirm that SSSD PKI
authentication works properly, i.e. it successfully verifies trust/time validity/revocation
status of the user certificate.
BR,
Hristina
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
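Because, as Sumit says above, NSS hands SSSD the generic -8102 "key usage inadequate" error for most validation failures, a practitioner who wants to be sure that it really was the CRL that rejected the certificate can check the same certificate and CRL with a second validator. The script below is an added example written for this page; it is not code from the thread, from SSSD, or from NSS. It builds a throwaway CA with the openssl command line (1.1.1 or 3.x assumed to be installed), issues two client-authentication certificates, revokes one, writes the CRL in PEM and in the DER form that the thread imported into nssdb, and then runs `openssl verify -crl_check` against both certificates, which reports "certificate revoked" explicitly. The CA name, certificate subjects, validity periods and file layout are made up for the demo; the crlutil import line is quoted in a comment from the tool's usage and is not executed.

```shell
#!/bin/sh
# Added example, not from the sssd-users thread, SSSD or NSS.
# Offline CRL check of a revoked client certificate using openssl as an
# independent validator (NSS/p11_child only reports -8102 on failure).
set -eu

CA_DIR=$(mktemp -d)                 # scratch CA directory (demo only)
trap 'rm -rf "$CA_DIR"' EXIT

# Minimal openssl.cnf serving both `openssl req` and `openssl ca`.
write_ca_config() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
unique_subject   = no
policy           = policy_any
x509_extensions  = v3_user
[ policy_any ]
commonName = supplied
EOF
}

# Issue a client-auth certificate with CN=$1, written to $2 (key beside it).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
        -keyout "${2%.crt}.key" -out "${2%.crt}.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -notext \
        -in "${2%.crt}.csr" -out "$2" 2>/dev/null
}

# Self-signed demo CA, two user certs, one revocation, CRL in PEM and DER.
build_demo_ca() {
    write_ca_config
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=Demo CA" -days 30 2>/dev/null
    issue_cert test_sssd_good    "$CA_DIR/good.crt"
    issue_cert test_sssd_revoked "$CA_DIR/revoked.crt"
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/revoked.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
    # DER is the form the thread imported into nssdb; openssl verify wants PEM.
    openssl crl -in "$CA_DIR/crl.pem" -outform DER -out "$CA_DIR/crl.der"
}

# Verify $1 against the demo CA with CRL checking; print one of
# valid / revoked / invalid so the reason is visible, unlike NSS's -8102.
cert_status() {
    if out=$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
                 -CRLfile "$CA_DIR/crl.pem" "$1" 2>&1); then
        echo valid
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *)                       echo invalid ;;
        esac
    fi
}

build_demo_ca
echo "good.crt:    $(cert_status "$CA_DIR/good.crt")"
echo "revoked.crt: $(cert_status "$CA_DIR/revoked.crt")"
# Not executed here: importing the DER CRL into an NSS database for SSSD,
# per crlutil's usage (-I import, -t 1 = certificate revocation list):
#   crlutil -I -t 1 -i "$CA_DIR/crl.der" -d sql:/etc/pki/nssdb
```

If the openssl check says "revoked" while p11_child logs -8102 for the same certificate and CRL, the NSS message is just the generic wrapper Sumit describes; if openssl says "valid", the rejection came from somewhere else (trust, time, key usage) and the nssdb CRL import is worth re-checking with `crlutil -L -d sql:/etc/pki/nssdb`.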