I added the content between -----BEGIN CERTIFICATE----- and -----END 
CERTIFICATE----- from the base64 user certificate and during authentication in 
the logs I saw that the user certificate was stored in the user certificate 
SSSD option but there was no public key derived. 
This time I deleted the public key and during authentication I was using only 
the userCertificate;binary attribute with the default SSSD configuration for 
mapping the certificate. 


This is from the SSSD_LDAP.log

(Thu Mar  5 15:16:19 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
(0x2000): Adding userCertificate 
[<escaped DER certificate bytes omitted>]
 to attributes of [IIN32000000001@ldap].

Before, the content of the certificate was not like this, but: 

(Tue Mar  3 17:08:15 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
(0x2000): Adding userCertificate 
[<base64 certificate text omitted>]
 to attributes of [IIN32000000001@ldap].


Regarding this I think that now the format stored in the userCertificate;binary 
attribute is OK. Am I right?
What remains is to make sssd derive the public key from it...


BR,
Hristina
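An added example, not from this thread: a small Python checker that decodes a value the way it appears in the SSSD log above and tells a DER certificate (one outer SEQUENCE covering the whole value, the `0\82\06\31` at the start of the newer log line) apart from bare base64 and PEM-armored text. It assumes the log escaping is simply `\XX` for escaped bytes and literal characters otherwise; the sample values are constructed, not a real certificate.

```python
import base64
import binascii
import re
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

def decode_sssd_log_bytes(text: str) -> bytes:
    """Undo the log escaping seen above (assumed: escaped bytes as \\XX, the rest literal)."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and HEX2.fullmatch(text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode("latin-1"))
            i += 1
    return bytes(out)

def der_sequence_header(data: bytes):
    """(header_len, content_len) if data opens with a DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:
        return 2, data[1]
    n = data[1] & 0x7F  # long form: number of length bytes (\82 means two)
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def classify_certificate_value(value: bytes) -> str:
    """Report what a userCertificate;binary value really holds: der, base64-der, pem or unknown."""
    if value.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"  # PEM armor is text, not the DER a ;binary attribute should carry
    hdr = der_sequence_header(value)
    if hdr and hdr[0] + hdr[1] == len(value):
        return "der"  # one outer SEQUENCE spans the whole value: a DER certificate
    try:
        decoded = base64.b64decode(b"".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    hdr = der_sequence_header(decoded)
    if hdr and hdr[0] + hdr[1] == len(decoded):
        return "base64-der"  # bare base64 of the DER, as in the older log line
    return "unknown"

# Constructed sample (not a real certificate), sized so the long-form \82 length shows as in the log.
_TBS = b"\x30\x82\x01\x34" + b"\xa0\x03\x02\x01\x02\x02\x01\x07" + bytes(300)  # 312 bytes
SAMPLE_DER = b"\x30\x82\x01\x40" + _TBS + bytes(8)  # outer content 320 bytes
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + b"-----END CERTIFICATE-----\n"
PAGE_LOG_PREFIX = r"0\82\0610\82\04\19\A0\03\02\01\02\02\14"  # start of the newer log line above
```

Applied to the newer log line, the decoded prefix reads as an outer SEQUENCE of 0x631 bytes holding a tbsCertificate SEQUENCE, a version 2 (v3) tag and a 20-byte serial, which is what a DER certificate should look like in that attribute.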
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
