Bug 1300024

Summary: Check next certificate on smart card if first is not valid
Product: Red Hat Enterprise Linux 7
Reporter: Roshni <rpattath>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: grajaiya, jgalipea, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, rpattath, sbose, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1266108
Environment:
Last Closed: 2016-11-04 07:14:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1266108
Bug Blocks:

Comment 2 Mike McCune 2016-03-28 23:37:25 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment 4 Roshni 2016-09-07 19:07:46 UTC
[root@dhcp129-88 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 34.el7
Architecture: x86_64
Install Date: Wed 07 Sep 2016 09:57:46 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-34.el7.src.rpm
Build Date  : Fri 02 Sep 2016 07:27:36 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

When there is a revoked cert and a valid cert on the smartcards, login is successful.

When there is an expired cert and a valid cert on the smartcard, the login prompts for the PIN but authentication fails. This is how I tested with an expired cert:

1. IPA issues a 1-day cert, which is stored on the card.
2. I forward the system date 2 days ahead.
3. Login using the smartcard fails.

The following are the messages in the log:

(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x0400): p11_child started.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running in [auth] mode.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Default Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [Opensc module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Dead Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): DB Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [OMNIKEY AG CardMan 3021 00 00                                   OpenSC (www.opensc-project.org) ^G] Manufacturer [OpenSC (www.opensc-project.org) ^G] flags [7].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Found [OpenSC Card (ipasmartcarduser)] in slot [OMNIKEY AG CardMan 3021 00 00][1] of module [2].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Token is NOT friendly.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Login required.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0040): do_work failed.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
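A small triage helper for p11_child debug output of the kind quoted above, added here as an example (it is not part of this bug or of SSSD): it extracts the post-filter candidate certificates, the certificates p11_child skipped as invalid together with the NSS error name (codes taken from NSS secerr.h), and any VFY_VerifyData error, so a reviewer can see at a glance whether a still-valid certificate remained when the run failed. The sample log is constructed in the shape of the lines above; the PID, timestamps and subject are illustrative.

```python
import re

# NSS error codes that appear in p11_child output (values from NSS secerr.h).
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}

FOUND_RE = re.compile(r"found cert\[[^\]]*\]\[(?P<subject>[^\]]*)\]")
SKIP_RE = re.compile(r"Certificate \[[^\]]*\]\[(?P<subject>[^\]]*)\] not valid \[(?P<code>-?\d+)\], skipping")
VFY_RE = re.compile(r"VFY_VerifyData failed \[(?P<code>-?\d+)\]")

# Constructed sample in the shape of the p11_child lines quoted in the bug
# (timestamps, PID and subject are illustrative, not taken from a real card).
SAMPLE_LOG = """\
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (user):Certificate][CN=user,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (user):Certificate][CN=user,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (user):Certificate][CN=user,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (user):Certificate][CN=user,O=EXAMPLE.TEST] not valid [-8181], skipping.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
"""


def triage_p11_child(log_text):
    """Summarise one p11_child run: post-filter candidates, certs skipped as
    invalid (with the NSS reason), any signature error, and overall outcome."""
    candidates, skipped, verify_error = [], [], None
    for line in log_text.splitlines():
        if "Filtered certificates:" in line:
            candidates = []          # keep only the post-filter listing
            continue
        if m := FOUND_RE.search(line):
            candidates.append(m.group("subject"))
        elif m := SKIP_RE.search(line):
            code = int(m.group("code"))
            skipped.append((m.group("subject"), code, NSS_ERRORS.get(code, "UNKNOWN")))
        elif m := VFY_RE.search(line):
            code = int(m.group("code"))
            verify_error = (code, NSS_ERRORS.get(code, "UNKNOWN"))
    return {"candidates": candidates, "skipped": skipped, "verify_error": verify_error,
            "remaining": len(candidates) - len(skipped),  # passed validity, tried next
            "failed": "p11_child failed" in log_text}
```

On the sample above the helper reports two candidates, one skipped as expired, one remaining, and a bad-signature error on the remaining one, which is the pattern the comments below attribute to the card rather than to the expiry logic.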

Comment 5 Roshni 2016-09-07 19:09:21 UTC
I missed mentioning that I disabled OCSP checking in sssd.conf.

Comment 6 Sumit Bose 2016-09-16 16:36:59 UTC
The "VFY_VerifyData failed [-8182]." was caused by the invalid smartcard which we fixed recently; please re-test with the proper card.

Comment 7 Roshni 2016-09-18 17:06:00 UTC
Sumit,

I re-tested with a proper card and I was seeing the same issue when there was an expired cert on the card.

Comment 8 Roshni 2016-09-21 13:47:32 UTC
[root@dhcp129-34 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-42.el7.src.rpm
Build Date  : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Login using smartcard is successful when the smartcard contains one expired/revoked cert and one valid cert.

Comment 10 errata-xmlrpc 2016-11-04 07:14:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html