Hello,
I successfuly added the CRL list into nssdb. CRL list is in DER format.
So, I tested the last scenario, which was vaidation of the revoked user certificate used
for authenticatiion using offline CRL list instead of using OCSP. So, just giving info
about this:
In the [sssd] section of the sssd.conf file, option certificate_validation has value
"no_ocsp" and in the log file recorded using strace, this lines were generated:
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_verification]
(0x0040): Certificate [(null)][CN=test_sssd_revoked.....] not valid [-8102][Certificate
key usage inadequate for attempted operation.].\n", 228) = 228
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_work] (0x0400):
Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0040):
do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0020):
p11_child failed!\n", 89) = 89
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
So, the authentication did not pass, which was excpected.
Please confirm that this is the answer that the p11_child should give in case of revoked
user certificate.
If it is like that, by this step I can confirm that SSSD PKI authentication works properly
i.e successfuly verifies trust/time validity/revocation status of the user certificate.
BR,
Hristina