URL:
https://github.com/SSSD/sssd/pull/5558
Author: 3v1n0
Title: #5558: p11_child: Add partial verification support
Action: opened
PR body:
"""
From the main commit:
<blockquote>
As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificate key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate, the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert, in order to verify the leaf one.
Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.
To allow such setups to continue working (once the NSS db is migrated),
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.
As per this, support the `partial_chain` value to be used for the
`certification_verification` parameter, which will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, in the same way
that openssl verify's `-partial-chain` parameter works.
This setup can still be considered secure, as it is still necessary to have
configured the SSSD CA db to contain the trusted certs.
Add tests to check that we can verify a leaf certificate against its
parent (only) when using such an option.
</blockquote>
In particular, in Ubuntu we [switched to using libcrypto by default in our current
LTS](https://bugs.launchpad.net/ubuntu/focal/+source/sssd/+bug/1905790). Even though we never
properly supported the usage of the NSS system DB, it was possible to set one up, and so we wrote
a [simple migration
tool](https://github.com/3v1n0/nss-database-pem-exporter) to export
all the trusted NSS certificates to SSSD's `ca_db`.
However, there are still some custom setups which [may break when using the openssl-based
implementation](https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563), because
their NSS db only contained the issuing CA certificates (and not their parent certs),
and so it's not possible to verify their certificate.
So, using `pam_cert_verification = partial_chain` on upgrades (if and only if migrated),
we can ensure that no such system will be broken.
"""
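The behaviour the PR describes can be reproduced with the openssl CLI alone: a leaf signed by an intermediate does not verify against a CA db holding only that intermediate in default mode, and does verify once partial-chain mode is enabled (the same `X509_V_FLAG_PARTIAL_CHAIN` flag `openssl verify -partial_chain` sets). The script below is an added example, not SSSD's or the PR's code; it constructs a throwaway root/intermediate/leaf PKI in a temporary directory (all names and subjects are made up for the demo) and runs the three checks against files that stand in for SSSD's `ca_db`.

```shell
#!/bin/sh
# Added example, not SSSD code: build a root -> intermediate -> leaf chain with
# the openssl CLI, then show how leaf verification behaves when the trusted CA
# db holds only the intermediate, with and without partial-chain mode.
set -e

WORK=$(mktemp -d)            # scratch dir for the constructed demo PKI
trap 'rm -rf "$WORK"' EXIT

# new_cert <name> <subject> <ext-file> [<issuer-name>]
# Without an issuer the certificate is self-signed (used for the root CA).
new_cert() {
    name=$1; subject=$2; ext=$3; issuer=$4
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subject" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Extension profiles: CA certs must carry CA:TRUE/keyCertSign so libcrypto
# accepts them as issuers; the leaf is explicitly not a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"

new_cert root  "/CN=Example Root CA"         "$WORK/ca.ext"
new_cert inter "/CN=Example Intermediate CA" "$WORK/ca.ext"   root
new_cert leaf  "/CN=user@example.test"       "$WORK/leaf.ext" inter

# Two candidate CA db files: the whole chain, and the intermediate alone
# (the shape an NSS db migrated with only the issuing CA ends up in).
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca_db_full.pem"
cp  "$WORK/inter.pem" "$WORK/ca_db_inter_only.pem"

# verify_leaf <ca_db> [-partial_chain]: exit 0 when the leaf verifies
verify_leaf() {
    openssl verify $2 -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 1: full chain in the CA db, default mode -> OK
verify_full_default()  { verify_leaf "$WORK/ca_db_full.pem"; }
# Case 2: intermediate only, default mode -> fails (no issuer for the intermediate)
verify_inter_default() { verify_leaf "$WORK/ca_db_inter_only.pem"; }
# Case 3: intermediate only, partial chain -> OK (what partial_chain restores)
verify_inter_partial() { verify_leaf "$WORK/ca_db_inter_only.pem" -partial_chain; }

for c in verify_full_default verify_inter_default verify_inter_partial; do
    if $c; then echo "$c: verified"; else echo "$c: NOT verified"; fi
done
```

Case 2 is the failure mode the Launchpad bug describes, and case 3 is the relaxed check the PR adds; the security property the commit message relies on is visible in the script too: the intermediate only becomes an acceptable chain end because it sits in the trusted CA db, not because it appears in the chain the peer presents.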
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5558/head:pr5558
git checkout pr5558