> On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote:
> 
> Hi,
> 
> can you send the output of
> 
>     ls -al /etc/pki/nssdb
> 
> and
> 
>     certutil -L -d /etc/pki/nssdb -h all
> 
> bye,
> Sumit


Hello Sumit,

Somehow, today I didn't get any error when executing the certutil command. In the
meantime I didn't do anything different, except for restarting sssd and sshd.
A few days ago, I couldn't add or list the existing certificates in the nssdb
using certutil.
Now that this is working, I added the two CA certs in the chain of the user's
public certificate. One is the intermediate and one is the root CA.
To add the intermediate and root CA certs to the nssdb, I used the DER format of
the certificates and the following command for each of them:

    certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb

You asked me to list the nssdb directory. Here is the result:
$ ls -al /etc/pki/nssdb
total 132
drwxr-xr-x.  2 root root  4096 Mar  6 10:34 .
drwxr-xr-x. 10 root root  4096 Jan 24  2019 ..
-rw-r--r--   1 root root 65536 Aug  7  2019 cert8.db
-rw-r--r--.  1 root root  9216 Jan 24  2019 cert9.db
-rw-r--r--   1 root root     0 Mar  6 10:34 i#uiap
-rw-r--r--   1 root root 16384 Aug  7  2019 key3.db
-rw-r--r--.  1 root root 11264 Jan 24  2019 key4.db
-rw-r--r--   1 root root   451 Aug  7  2019 pkcs11.txt
-rw-r--r--   1 root root 16384 Aug  7  2019 secmod.db

After adding the certificates from the chain of the user's public certificate,
the following command:

    certutil -L -d /etc/pki/nssdb -h all

resulted in:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root_KZ                                                      C,C,C
intermediate_KZ                                              C,C,C


In the [sssd] section of sssd.conf the value for certificate_verification is
no_ocsp. The log of p11_child for the PKI authentication attempt, recorded with
strace, is:

.....
stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or directory)
open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024)                    = 2
close(4)                                = 0
munmap(0x7f2379ad3000, 4096)            = 0
stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or directory)
open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or directory)
open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024)                    = 2
close(4)                                = 0
munmap(0x7f2379ad3000, 4096)            = 0
open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the last empty line in this file must be preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n", 4096) = 257
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x7f2379ad3000, 4096)            = 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024)                    = 2
close(4)                                = 0
munmap(0x7f2379ad3000, 4096)            = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_verification] (0x0040): Certificate [(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222 \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate issuer is not recognized.].\n", 309) = 309
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 99) = 99
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main] (0x0040): do_work failed.\n", 86) = 86
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
close(1)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++


"Peer's Certificate issuer is not recognized" - why is this appearing in the
logs if the CA certs are already imported into the nssdb?

These lines are also not clear to me:
"mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the last empty line in this file must be preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n", 4096) = 257"
What is it about?


Thank you for your help!
Hristina M.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

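The directory listing in the message above holds both NSS database layouts side by side (cert8.db/key3.db/secmod.db for the legacy dbm format, cert9.db/key4.db/pkcs11.txt for the sql format), the strace shows p11_child probing for the legacy secmod.db/cert8.db files, and a policy file is read right before the verification fails with SEC_ERROR_UNKNOWN_ISSUER (-8179). The script below is an added example, not part of the thread and not sssd's or NSS's own code. It runs the checks a practitioner would do next: name the database format explicitly with certutil's dbm:/sql: prefixes so a CA imported into one store is not looked for in the other, validate a certificate for SSL client usage against each store, and print the algorithm restrictions from an NSS policy file. It assumes a certutil that accepts the dbm:/sql: prefixes; the policy file contents used in its test are the ones the strace shows being read from /etc/pki/nss-legacy/nss-rhel7.config.

```bash
#!/bin/bash
# Added example, not part of the mailing-list thread, sssd or NSS.
# Checks against an NSS certificate database that holds the CA chain used for
# smart-card (PKI) login verification.
#
# Assumptions (not stated in the thread):
#   - certutil understands the "dbm:" and "sql:" directory prefixes.
#   - the certificate to validate is present in the database under the
#     given nickname; a card-only certificate can be imported temporarily
#     with:  certutil -A -t ,, -n "<nick>" -i user.der -d "sql:/etc/pki/nssdb"

# Report which database layouts exist in a directory.
#   legacy dbm layout: cert8.db key3.db secmod.db
#   sql layout:        cert9.db key4.db pkcs11.txt
# Prints "dbm", "sql", "dbm sql" or "none".  A CA imported with a prefix-less
# -d lands in whichever layout that certutil build defaults to, and a tool
# opening the other layout will not see it.
nss_db_formats() {
    local dir=$1 out=""
    if [ -f "$dir/cert8.db" ]; then out="dbm"; fi
    if [ -f "$dir/cert9.db" ]; then out="${out:+$out }sql"; fi
    printf '%s\n' "${out:-none}"
}

# Extract the algorithm policy from an NSS policy/module-spec file such as
# /etc/pki/nss-legacy/nss-rhel7.config.  The config="..." value carries
# space-separated "disallow=ALG:ALG" and "allow=KEY-MIN=bits:..." tokens;
# one token is printed per line.
nss_policy() {
    sed -n 's/^config="\(.*\)"$/\1/p' "$1" | tr ' ' '\n'
}

# For every layout found: list the CAs with their trust flags, then validate
# the named certificate for SSL client usage (-u C) with signature checking
# (-e).  The issuing CAs need the "C" flag in the SSL trust column for the
# chain to be accepted.  When the chain does not close inside the store that
# was opened, certutil -V prints "certificate is invalid: Peer's Certificate
# issuer is not recognized." and exits non-zero.
check_ca_chain() {
    local dir=$1 user_nick=$2 fmt
    for fmt in $(nss_db_formats "$dir"); do
        if [ "$fmt" = none ]; then
            echo "no NSS database found in $dir" >&2
            return 1
        fi
        echo "== $fmt:$dir =="
        certutil -L -d "$fmt:$dir" -h all
        certutil -V -d "$fmt:$dir" -n "$user_nick" -u C -e || return 1
    done
}

# Usage: ./nss_check.sh /etc/pki/nssdb "user cert nickname"
if [ $# -eq 2 ]; then
    check_ca_chain "$1" "$2"
fi
```

Running check_ca_chain against a directory that reports "dbm sql" is the quickest way to see whether an import done without a prefix went into the store the verifying process actually opens; the same CA list should appear under both prefixes before a chain problem is blamed on trust flags or on the certificates themselves.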