On Mon, Mar 30, 2020 at 02:22:44PM -0000, Hristina Marosevic wrote:
> Hello,
> 
> I successfully added the CRL list into nssdb. The CRL list is in DER format.
> So, I tested the last scenario, which was validation of the revoked user 
> certificate used for authentication using an offline CRL list instead of using 
> OCSP. So, just giving info about this:
> In the [sssd] section of the sssd.conf file, option certificate_validation 
> has value "no_ocsp" and in the log file recorded using strace, these lines 
> were generated: 
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] 
> [do_verification] (0x0040): Certificate [(null)][CN=test_sssd_revoked.....] 
> not valid [-8102][Certificate key usage inadequate for attempted 
> operation.].\n", 228) = 228
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_work] 
> (0x0400): Certificate is NOT valid.\n", 100) = 100
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] 
> (0x0040): do_work failed.\n", 87) = 87
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] 
> (0x0020): p11_child failed!\n", 89) = 89
> close(1)                                = 0
> exit_group(1)                           = ?
> +++ exited with 1 +++
> 
> 
> So, the authentication did not pass, which was expected. 
> Please confirm that this is the answer that the p11_child should give in case 
> of revoked user certificate. 

Hi,

Yes, in the way SSSD is using NSS, '[-8102][Certificate key usage
inadequate for attempted operation.]' is often returned instead of a
more specific error message when certificate validation fails.

bye,
Sumit

> If it is like that, by this step I can confirm that SSSD PKI authentication 
> works properly, i.e. successfully verifies trust/time validity/revocation status 
> of the user certificate.
> 
> BR,
> Hristina
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
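The p11_child lines quoted above, and Sumit's caveat about -8102, are the kind of thing an operator ends up grepping out of sssd logs when smart-card logins start failing. Below is an added example, not code from the thread or from SSSD itself: a small stdlib-only Python parser for the `(timestamp) [[sssd[p11_child[PID]]]] [function] (0xLEVEL): message` line shape seen in the thread. It pulls out the verdict, the NSS error code and subject from the `do_verification` line, and flags the case Sumit describes, where -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE in NSS's secerr.h numbering, SEC_ERROR_BASE -8192 + 90) is the generic failure code rather than a literal key-usage problem. The sample log is constructed from the four quoted lines with the strace `write(2, "...")` wrapper removed; the NSS error names and SSSD debug-level names in the tables are the upstream numbering as I know it, and any other log message text is an assumption.

```python
"""Parse SSSD p11_child debug output and extract the certificate verdict.

Added example, not SSSD code.  Regexes follow the log line shape quoted in
the thread; error-code names follow NSS secerr.h, debug-level names SSSD's
debug.h.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four p11_child lines quoted in the thread, with the
# strace write(2, "...") wrapper and byte counts stripped.
SAMPLE_LOG = """\
(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_verification] (0x0040): Certificate [(null)][CN=test_sssd_revoked.....] not valid [-8102][Certificate key usage inadequate for attempted operation.].
(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_work] (0x0400): Certificate is NOT valid.
(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0040): do_work failed.
(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0020): p11_child failed!
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[p11_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# do_verification: "Certificate [<nickname>][<subject>] not valid [<code>][<text>]."
NOT_VALID_RE = re.compile(
    r"Certificate \[(?P<nick>[^\]]*)\]\[(?P<subject>[^\]]*)\] not valid "
    r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]"
)

SEC_ERROR_BASE = -0x2000  # NSS secerr.h: SEC_ERROR_BASE = -8192
NSS_ERROR_NAMES: Dict[int, str] = {
    SEC_ERROR_BASE + 11: "SEC_ERROR_EXPIRED_CERTIFICATE",   # -8181
    SEC_ERROR_BASE + 12: "SEC_ERROR_REVOKED_CERTIFICATE",   # -8180
    SEC_ERROR_BASE + 13: "SEC_ERROR_UNKNOWN_ISSUER",        # -8179
    SEC_ERROR_BASE + 20: "SEC_ERROR_UNTRUSTED_ISSUER",      # -8172
    SEC_ERROR_BASE + 90: "SEC_ERROR_INADEQUATE_KEY_USAGE",  # -8102
}
# SSSD debug.h level bits; failure levels are the three lowest used here.
SSSD_DEBUG_LEVELS: Dict[int, str] = {
    0x0010: "SSSDBG_FATAL_FAILURE", 0x0020: "SSSDBG_CRIT_FAILURE",
    0x0040: "SSSDBG_OP_FAILURE", 0x0080: "SSSDBG_MINOR_FAILURE",
    0x0200: "SSSDBG_FUNC_DATA", 0x0400: "SSSDBG_TRACE_FUNC",
}
FAILURE_LEVELS = (0x0010, 0x0020, 0x0040)


@dataclass
class P11Line:
    timestamp: str
    pid: int
    func: str
    level: int
    msg: str


def parse_line(line: str) -> Optional[P11Line]:
    """Return a structured record for one p11_child line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return P11Line(m["ts"], int(m["pid"]), m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[P11Line]:
    return [p for p in (parse_line(raw) for raw in text.splitlines()) if p]


def verdict(text: str) -> dict:
    """Summarise one p11_child run: accepted?, NSS code/name, subject, failure lines."""
    out = {"pid": None, "accepted": None, "subject": None, "nss_code": None,
           "nss_name": None, "nss_text": None, "generic_failure_code": False,
           "failures": []}
    for ln in parse_log(text):
        out["pid"] = ln.pid
        if ln.level in FAILURE_LEVELS:
            level_name = SSSD_DEBUG_LEVELS.get(ln.level, hex(ln.level))
            out["failures"].append(f"{level_name} {ln.func}: {ln.msg}")
        if ln.msg in ("Certificate is NOT valid.", "p11_child failed!"):
            out["accepted"] = False
        m = NOT_VALID_RE.search(ln.msg)
        if m:
            code = int(m["code"])
            out["subject"] = m["subject"]
            out["nss_code"] = code
            out["nss_name"] = NSS_ERROR_NAMES.get(code, "UNKNOWN_NSS_ERROR")
            out["nss_text"] = m["text"]
            # Per the thread: SSSD's NSS-based validation often reports -8102
            # for any verification failure (revocation, trust, time), so it
            # must not be read as a literal key-usage defect of the cert.
            out["generic_failure_code"] = code == SEC_ERROR_BASE + 90
    return out


if __name__ == "__main__":
    for key, value in verdict(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `generic_failure_code` is set, the NSS text tells you only that validation failed, not why; confirm the actual reason out of band (for an offline-CRL setup, that the CRL is present in the database SSSD uses, e.g. with `crlutil -L -d <nssdb>`, and that the certificate's serial appears in it) before treating the rejection as proof that revocation checking worked.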