On Tue, May 10, 2016 at 06:10:15PM +0200, Sumit Bose wrote:
On Tue, May 10, 2016 at 04:42:17PM +0200, Jakub Hrozek wrote:
> On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > the following 3 patches are related to the Smartcard authentication
> > feature but imo can be tested even without having one.
> >
> > The first patch just adds some missing pieces. The second adds a new
> > 'no_verification' switch to the 'certificate_verification' option, which
> > is already tested by the unit tests.
> >
> > The third adds two new OCSP related switches. With OCSP a certificate
> > can be validated online by talking to a server which is listed in the
> > certificate. Of course it might not always be possible to directly talk
> > to this server. We already have the 'no_ocsp' switch to disable OCSP
> > completely. The two new switches allow SSSD to talk to a different
> > server or a proxy. To see how it is working you can do the following:
> >
> > - call 'make check' to build and run all the tests
> > - call './pam-srv-tests' to run the PAM responder tests but do not let
> > it complete but stop it with CTRL-C. This is needed to create the test
> > nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
> > created differently but this way it is most easy :-)
> > - add an OCSP signing cert with
> >
> > echo "<base64-encoded OCSP signing certificate removed>" | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
> >
> > the NSS library call checks this certificate first before trying to connect to
> > the OCSP responder, so a valid one with the right key usage must be added to
> > make NSS try to reach the new OCSP responder
> >
> > - call
> >
> > strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
> >
> > where you should see lines like
> >
> > send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
> >
> > from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
> > ticket
> >
> > - call
> >
> > strace -s 128 -f -esend ./p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify 'ocsp_default_responder=http://oooo.cccc.ssss.pppp:80,ocsp_default_responder_signing_cert=ocsp_cert'
> >
> > where you should now see lines like
> >
> > send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
> >
> > from the DNS lookups for the OCSP responder from the command line.
> >
> > Of course all the validations will fail with "Certificate [SSSD Test
> > Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> > skipping" because none of the OCSP responders are available, but I think this
> > test is sufficient to see that the patch is working as expected.
>
> Thank you for the patches and the tests. I only have one question about
> the first patch.
>
> > From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> > From: Sumit Bose <sbose(a)redhat.com>
> > Date: Fri, 18 Mar 2016 16:24:18 +0100
> > Subject: [PATCH 1/3] p11: add missing man page entry and config API
> >
> > The pam_cert_auth and pam_cert_db_path options were missing in the
> > config API and had no man page entries.
>
> Did you also want to document the pam_cert_auth option?
Oops, yes I guess this would be a good idea. I'll send a new patch.
new version attached.
bye,
Sumit
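As an added example (not part of the mail above or of SSSD), the two send() payloads quoted from strace are plain DNS queries; this Python decodes them so a tester can check programmatically which OCSP responder host p11_child tried to resolve, rather than eyeballing the escaped bytes. Only the packet bytes are copied from the strace lines above; the parser and its helper names are constructed here.

```python
import struct

# DNS query payloads copied from the strace output quoted above, written as
# Python bytes literals (octal escapes exactly as strace printed them).
# First: the lookup for the responder named in the certificate.
# Second: the lookup for the responder given via --verify 'ocsp_default_responder=...'.
QUERY_FROM_CERT = b"\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1"
QUERY_FROM_OPTION = b"yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1"

QTYPES = {1: "A", 28: "AAAA"}


def parse_dns_question(packet: bytes) -> dict:
    """Decode the header and the single question of a DNS query (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:  # a stub resolver never emits compression pointers in a query
            raise ValueError("compression pointer in query QNAME")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),          # QR bit clear
        "recursion_desired": bool(flags & 0x0100),  # RD bit
        "qname": ".".join(labels),
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": "IN" if qclass == 1 else str(qclass),
        "length": len(packet),
    }


def responder_host_matches(packet: bytes, expected_host: str) -> bool:
    """True if the query asks for expected_host (case-insensitive, trailing dot ignored)."""
    qname = parse_dns_question(packet)["qname"].rstrip(".").lower()
    return qname == expected_host.rstrip(".").lower()


if __name__ == "__main__":
    for origin, pkt in (("certificate", QUERY_FROM_CERT), ("command line", QUERY_FROM_OPTION)):
        print(origin, parse_dns_question(pkt))
```

The reported lengths (34 and 37) match the byte counts strace printed, which is a quick sanity check that the escapes were copied intact.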