URL:
https://github.com/SSSD/sssd/pull/837
Title: #837: p11_child: make OCSP digest configurable
jhrozek commented:
"""
Sorry it took me almost four weeks to test the PR. I think OCSP in general works fine.
With a valid certificate I was getting:
```
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000): Found [tuser] in
slot [Yubico YubiKey OTP+FIDO+CCID 00 00][0] of module
[1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000): Login required.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [read_certs] (0x4000): found
cert[Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD
Intermediate/CN=tuser/emailAddress=tuser(a)ipa.test]
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): Using OCSP URL
[
http://localhost:8888].
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): Nonce in OCSP
response is the same as the one used in the request.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_ocsp] (0x4000): OCSP check was
successful.
(Wed Jul 31 15:34:44 2019) [[sssd[p11_child[23202]]]] [do_card] (0x4000):
/usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so tuser tuser 01 01.
```
With a revoked certificate I get:
```
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_card] (0x4000): Found [tuser] in
slot [Yubico YubiKey OTP+FIDO+CCID 00 00][0] of module
[1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_card] (0x4000): Login NOT
required.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [read_certs] (0x4000): found
cert[Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD
Intermediate/CN=tuser/emailAddress=tuser(a)ipa.test]
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Using OCSP URL
[
http://localhost:8888].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Nonce in OCSP
response is the same as the one used in the request.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x0020): OCSP check
failed with [1][revoked].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x0020): Certificate is
revoked [-1][(UNKNOWN)].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_verification] (0x0040): do_ocsp
failed.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [read_certs] (0x0040): Certificate
[Certificate for PIV Authentication][/C=SE/ST=Sweden/O=SSSD
Intermediate/CN=tuser/emailAddress=tuser(a)ipa.test] not valid, skipping
```
This was with an openssl ocsp and:
```
certificate_verification=ocsp_default_responder=http://localhost:8888
```
"""
See the full comment at
https://github.com/SSSD/sssd/pull/837#issuecomment-516857056
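An added example (not code from the PR or from SSSD) that parses p11_child debug records of the shape quoted in the comment and extracts what do_ocsp reported, rejoining lines that the mail archive wrapped; the regexes, helper names and sample log below are constructed here from that quoted format.

```python
import re
# Record format quoted in the thread: "(<timestamp>) [[sssd[p11_child[<pid>]]]] [<func>] (<level>): <msg>"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[p11_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
URL_RE = re.compile(r"Using OCSP URL \[\s*(\S+?)\]")
FAIL_RE = re.compile(r"OCSP check failed with \[(\d+)\]\[(\w+)\]")

# Constructed sample: the revoked case, wrapped the way the mail archive wraps long records.
REVOKED_LOG = """\
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Using OCSP URL
[
http://localhost:8888].
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x4000): Nonce in OCSP
response is the same as the one used in the request.
(Wed Jul 31 15:36:25 2019) [[sssd[p11_child[23274]]]] [do_ocsp] (0x0020): OCSP check
failed with [1][revoked].
"""

def unwrap(text):
    """Re-join wrapped records: a line not starting with '(' continues the previous one."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def ocsp_verdict(text):
    """Summarise what do_ocsp reported: responder URL, nonce check, final result."""
    verdict = {"url": None, "nonce_ok": False, "result": "unknown", "status": None}
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m or m.group("func") != "do_ocsp":
            continue  # only the OCSP step matters here
        msg = m.group("msg")
        if u := URL_RE.search(msg):
            verdict["url"] = u.group(1)
        elif "Nonce in OCSP response is the same" in msg:
            verdict["nonce_ok"] = True
        elif "OCSP check was successful" in msg:
            verdict["result"] = "good"
        elif f := FAIL_RE.search(msg):
            verdict["result"] = "failed"
            verdict["status"] = f.group(2)  # e.g. "revoked"
    return verdict
```

Fed the unwrapped lines above, `ocsp_verdict` reports the responder URL, that the nonce matched, and a failed check with status "revoked"; a debug log where the nonce line is missing leaves `nonce_ok` false, which is worth alerting on.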