URL: https://github.com/SSSD/sssd/pull/837
Title: #837: p11_child: make OCSP digest configurable

jhrozek commented:
"""
Sorry it took me almost four weeks to test the PR. I think OCSP in general
works fine.

With a valid certificate I was getting:
```
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000): Found [tuser] in slot [Yubico YubiKey OTP+FIDO+CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000): Login required.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [read_certs] (0x4000): found cert[Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD Intermediate/CN=tuser/emailAddress=tu...@ipa.test]
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): Using OCSP URL [http://localhost:8888].
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): OCSP check was successful.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so tuser tuser 01 01.
```

With a revoked certificate I get:
```
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_card] (0x4000): Found [tuser] in slot [Yubico YubiKey OTP+FIDO+CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_card] (0x4000): Login NOT required.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [read_certs] (0x4000): found cert[Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD Intermediate/CN=tuser/emailAddress=tu...@ipa.test]
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Using OCSP URL [http://localhost:8888].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x0020): OCSP check failed with [1][revoked].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x0020): Certificate is revoked [-1][(UNKNOWN)].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_verification] (0x0040): do_ocsp failed.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [read_certs] (0x0040): Certificate [Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD Intermediate/CN=tuser/emailAddress=tu...@ipa.test] not valid, skipping
```

This was with an openssl ocsp and:
```
certificate_verification=ocsp_default_responder=http://localhost:8888
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/837#issuecomment-516857056
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org