Cross posting this to sssd-users.
rob
Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA) via FreeIPA-users wrote:
Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD. The OCSP responder CA is not in the trust chain of the CA that issued the smart card certificates. I was able to get openssl ocsp verification to work using -verify_other and -trust_other options.
```
[root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem -url http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text
WARNING: no nonce in response
Response verify OK
/home/alvareza/alvarez.pem: good
    This Update: May  9 00:00:00 2024 GMT
    Next Update: May 15 06:16:18 2024 GMT
```
I tried to perform OCSP verification with the SSSD p11_child helper, but it does not work. Does anyone know if the Direct Trust model for OCSP works with RHEL 8 SSSD?
```
[root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22 --debug-level=9 --verification --verify ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n")
set_debug_file_from_fd failed.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child started.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running in [verify] mode.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with effective IDs: [0][0].
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with real IDs [0][0].
(2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] (0x4000): Using sha1 for OCSP.
(2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] (0x4000): Using OCSP default responder [http://repeater1.prlh.nadsuswe.nads.navy.mil]
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using OCSP URL [http://repeater1.prlh.nadsuswe.nads.navy.mil].
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce in OCSP response. This might indicate a replay attack or an OCSP responder which does not support nonces. Accepting response.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): OCSP_basic_verify() failed to verify OCSP response.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_verification] (0x0040): do_ocsp failed.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_work] (0x0400): Certificate is NOT valid.
22
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child failed (22)
```
v/r
Angelo Alvarez, CISSP
N6
Joint Typhoon Warning Center
Work: 808.471.3645
Mobile: 808.389.9474
Email: angelo.alvarez@navy.mil
SiPR Email: angelo.alvarez@navy.smil.mil
"They didn't count on my cunning!" - El Chapulin Colorado
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi,
```
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
```
https://github.com/SSSD/sssd/blob/ca684cd156debbdf3d95776271e7020b883b1e81/s... :
```
status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
```
-- 'p11_child' supplies neither 'certs' nor 'flags' (like OCSP_TRUSTOTHER etc.)
So IIUC the only case when a response signature is considered valid is when the signer's certificate can be validated using the store.
On Fri, May 10, 2024 at 2:43 PM Rob Crittenden rcritten@redhat.com wrote:
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue