Bug 1300024 - Check next certificate on smart card if first is not valid
Summary: Check next certificate on smart card if first is not valid
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On: 1266108
Blocks:
Reported: 2016-01-19 19:01 UTC by Roshni
Modified: 2020-05-04 10:53 UTC (History)
12 users

Fixed In Version: sssd-1.14.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1266108
Environment:
Last Closed: 2016-11-04 07:14:53 UTC
Target Upstream Version:
Links
System                   ID              Priority  Status        Summary                              Last Updated
Github SSSD sssd issues  3842            None      None          None                                 2020-05-04 10:53:21 UTC
Red Hat Product Errata   RHEA-2016:2476  normal    SHIPPED_LIVE  sssd bug fix and enhancement update  2016-11-03 14:08:11 UTC

Comment 2 Mike McCune 2016-03-28 23:37:25 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune@redhat.com with any questions.

Comment 4 Roshni 2016-09-07 19:07:46 UTC
[root@dhcp129-88 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 34.el7
Architecture: x86_64
Install Date: Wed 07 Sep 2016 09:57:46 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-34.el7.src.rpm
Build Date  : Fri 02 Sep 2016 07:27:36 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

When there is a revoked cert and a valid cert on the smartcard, login is successful.

When there is an expired cert and a valid cert on the smartcard, the login prompts for the PIN but authentication fails. This is how I tested with an expired cert:

1. IPA issues a 1 day cert which is stored on the card.
2. I forward the system date to 2 days ahead.
3. Login using the smartcard fails.

The following are the messages in the log:

(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x0400): p11_child started.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running in [auth] mode.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Default Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [Opensc module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Dead Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): DB Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [OMNIKEY AG CardMan 3021 00 00                                   OpenSC (www.opensc-project.org) ^G] Manufacturer [OpenSC (www.opensc-project.org) ^G] flags [7].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Found [OpenSC Card (ipasmartcarduser)] in slot [OMNIKEY AG CardMan 3021 00 00][1] of module [2].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Token is NOT friendly.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Login required.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0040): do_work failed.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
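As an added example (not from the thread and not SSSD code), a small triage helper for p11_child debug logs in the format quoted above: it counts the certificates that survived the filter step, decodes the NSS error code of each certificate skipped as invalid, and flags the case where a candidate remained yet the child still failed, which points at the verify error rather than at the skipped certificate. The sample log, its PID and timestamps are constructed; the error names are NSS SECErrorCodes.

```python
import re

# NSS SECErrorCodes that p11_child reports (SEC_ERROR_BASE is -8192).
NSS_ERRORS = {-8180: "SEC_ERROR_REVOKED_CERTIFICATE",
              -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
              -8182: "SEC_ERROR_BAD_SIGNATURE"}

FOUND_RE = re.compile(r"found cert\[[^\]]*\]\[([^\]]*)\]")
SKIP_RE = re.compile(r"not valid \[(-?\d+)\], skipping")
VFY_RE = re.compile(r"VFY_VerifyData failed \[(-?\d+)\]")

# Constructed sample in the format of the log above (PID and timestamps invented).
P = "(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[4242]]]] [do_work] "
SAMPLE_LOG = "\n".join([
    P + "(0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]",
    P + "(0x4000): Filtered certificates:",
    P + "(0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]",
    P + "(0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]",
    P + "(0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.",
    P + "(0x0040): VFY_VerifyData failed [-8182].",
    P.replace("[do_work]", "[main]") + "(0x0020): p11_child failed",
])


def triage_p11_child(log):
    """Summarise one p11_child run: how many certs survived the filter, which of them
    were skipped as invalid and why, and whether a usable candidate was still left."""
    filtered, skipped, verify_error, failed, in_filtered = [], [], None, False, False
    for line in log.splitlines():
        if "Filtered certificates:" in line:
            in_filtered = True          # only count certs listed after the filter step
        elif (m := FOUND_RE.search(line)) and in_filtered:
            filtered.append(m.group(1))
        elif m := SKIP_RE.search(line):
            skipped.append(NSS_ERRORS.get(int(m.group(1)), "NSS error " + m.group(1)))
        elif m := VFY_RE.search(line):
            verify_error = NSS_ERRORS.get(int(m.group(1)), "NSS error " + m.group(1))
        elif "p11_child failed" in line:
            failed = True
    remaining = len(filtered) - len(skipped)
    return {
        "filtered": len(filtered),
        "skipped": skipped,
        "verify_error": verify_error,
        "failed": failed,
        # A cert passed the validity check and yet the run failed: the expired cert
        # was skipped correctly, so look at verify_error (card/key problem) instead.
        "candidate_left_but_failed": failed and remaining > 0,
    }
```

Running `triage_p11_child(SAMPLE_LOG)` on the constructed log reports two filtered certificates, one skipped as expired, a bad-signature verify error and a remaining candidate, which matches the later diagnosis in this thread that the card, not the expired certificate, caused the failure.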

Comment 5 Roshni 2016-09-07 19:09:21 UTC
I forgot to mention that I disabled OCSP checking in sssd.conf.

Comment 6 Sumit Bose 2016-09-16 16:36:59 UTC
The "VFY_VerifyData failed [-8182]." was caused by the invalid Smartcard which we fixed recently; please re-test with the proper card.

Comment 7 Roshni 2016-09-18 17:06:00 UTC
Sumit,

I re-tested with a proper card and I was seeing the same issue when there was an expired cert on the card.

Comment 8 Roshni 2016-09-21 13:47:32 UTC
[root@dhcp129-34 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-42.el7.src.rpm
Build Date  : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Login using smartcard is successful when the smartcard contains one expired/revoked cert and one valid cert.

Comment 10 errata-xmlrpc 2016-11-04 07:14:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html