On Tue, May 10, 2016 at 04:42:17PM +0200, Jakub Hrozek wrote:
> On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > the following 3 patches are related to the Smartcard authentication
> > feature but imo can be tested even without having one.
> >
> > The first patch just adds some missing pieces. The second adds a new
> > 'no_verification' switch to the 'certificate_verification' option, which
> > is already tested by the unit tests.
> >
> > The third adds two new OCSP related switches. With OCSP a certificate
> > can be validated online by talking to a server which is listed in the
> > certificate. Of course it might not always be possible to directly talk
> > to this server. We already have the 'no_ocsp' switch to disable OCSP
> > completely. The two new switches allow SSSD to talk to a different
> > server or a proxy. To see how it is working you can do the following:
> >
> > - call 'make check' to build and run all the tests
> > - call './pam-srv-tests' to run the PAM responder tests but do not let
> >   it complete but stop it with CTRL-C. This is needed to create the test
> >   nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
> >   created differently but this way it is most easy :-)
> > - add an OCSP signing cert with
> >
> >   echo "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" | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
> >
> >   the NSS library checks this certificate first before trying to connect to
> >   the OCSP responder, so a valid one with the right key usage must be added
> >   to make NSS try to reach the new OCSP responder
> >
> > - call
> >
> >   strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
> >
> >   where you should see lines like
> >
> >   send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
> >
> >   from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from
> >   the ticket
> >
> > - call
> >
> >   strace -s 128 -f -esend ./p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify 'ocsp_default_responder=http://oooo.cccc.ssss.pppp:80,ocsp_default_responder_signing_cert=ocsp_cert'
> >
> >   where you should now see lines like
> >
> >   send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
> >
> >   from the DNS lookups for the OCSP responder from the command line.
> >
> > Of course all the validations will fail with "Certificate [SSSD Test
> > Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> > skipping" because none of the OCSP responders are available but I think this
> > test is sufficient to see that the patch is working as expected.
>
> Thank you for the patches and the tests. I only have one question about
> the first patch..
>
> > From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> > From: Sumit Bose <sb...@redhat.com>
> > Date: Fri, 18 Mar 2016 16:24:18 +0100
> > Subject: [PATCH 1/3] p11: add missing man page entry and config API
> >
> > The pam_cert_auth and pam_cert_db_path options were missing in the
> > config API and had no man page entries.
>
> Did you also want to document the pam_cert_auth option?

oops, yes I guess this would be a good idea. I'll send a new patch.

bye,
Sumit

> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
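The manual check above (reading DNS query names out of strace's `send()` lines to confirm that p11_child resolves the responder named in `ocsp_default_responder`) can be automated. The following is an added example, not code from the thread or from SSSD: the two strace lines are constructed from the ones quoted above, and the function names (`strace_query_names`, `ocsp_responder_host`, `responder_was_queried`) are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample strace output, modelled on the two lines quoted in the thread.
STRACE_LINES = [
    r'send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34',
    r'send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37',
]

def unescape_strace(s):
    """Turn strace's C-style escapes (\\313, \\1, \\n, ...) back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i])); i += 1; continue
        m = re.match(r'[0-7]{1,3}', s[i + 1:i + 4])
        if m:  # octal escape, one to three digits
            out.append(int(m.group(0), 8)); i += 1 + len(m.group(0)); continue
        out.append({'n': 10, 't': 9, 'r': 13, '\\': 92, '"': 34}[s[i + 1]]); i += 2
    return bytes(out)

def dns_qname(packet):
    """Return the QNAME of the first question in a DNS query (RFC 1035 wire format)."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], 'big') < 1:
        return None
    labels, pos = [], 12
    while packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0:  # compression pointers do not occur in a fresh query's QNAME
            return None
        labels.append(packet[pos + 1:pos + 1 + n].decode('ascii')); pos += 1 + n
    return '.'.join(labels)

def strace_query_names(lines):
    """Extract the DNS names queried in strace 'send(fd, "...", len, ...)' lines."""
    names = []
    for line in lines:
        m = re.match(r'send\(\d+, "(.*?)", \d+', line)
        if m and (name := dns_qname(unescape_strace(m.group(1)))):
            names.append(name)
    return names

def ocsp_responder_host(verify_opts):
    """Pull the host out of ocsp_default_responder=URL in a certificate_verification value."""
    for kv in verify_opts.split(','):
        key, _, val = kv.partition('=')
        if key.strip() == 'ocsp_default_responder':
            return urlparse(val.strip()).hostname
    return None

def responder_was_queried(lines, verify_opts):
    """True when the configured OCSP responder's name shows up among the DNS lookups."""
    host = ocsp_responder_host(verify_opts)
    return host is not None and host in strace_query_names(lines)
```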