Bug 1300024 - Check next certificate on smart card if first is not valid
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: Steeve Goveas
Depends On: 1266108
Reported: 2016-01-19 14:01 EST by Roshni
Modified: 2016-11-04 03:14 EDT
Fixed In Version: sssd-1.14.0-0.1.alpha.el7
Doc Type: Bug Fix
Clone Of: 1266108
Last Closed: 2016-11-04 03:14:53 EDT
Comment 2 Mike McCune 2016-03-28 19:37:25 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 4 Roshni 2016-09-07 15:07:46 EDT
[root@dhcp129-88 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 34.el7
Architecture: x86_64
Install Date: Wed 07 Sep 2016 09:57:46 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-34.el7.src.rpm
Build Date  : Fri 02 Sep 2016 07:27:36 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

When there is a revoked cert and a valid cert on the smartcards, login is successful.

When there is an expired cert and a valid cert on the smartcard, the login prompts for pin but authentication fails. This is how I tested with expired cert:

1. IPA issues a 1 day cert which is stored into the card.
2. I forward the system date to 2 days ahead.
3. Login using smartcard fails

The following are the messages in the log:

(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x0400): p11_child started.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running in [auth] mode.
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Sep  9 14:51:17 2016) [[sssd[p11_child[10239]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Default Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [Opensc module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Dead Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): DB Module List:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [OMNIKEY AG CardMan 3021 00 00                                   OpenSC (www.opensc-project.org) ^G] Manufacturer [OpenSC (www.opensc-project.org) ^G] flags [7].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Found [OpenSC Card (ipasmartcarduser)] in slot [OMNIKEY AG CardMan 3021 00 00][1] of module [2].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Token is NOT friendly.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Login required.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0040): do_work failed.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
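Added example, not code from the bug report or from SSSD: a small parser for p11_child debug lines like those above. It maps the NSS error codes in the log to their SEC_ERROR_* names from NSS's secerr.h (-8181 is an expired certificate, -8182 a bad signature) and separates the case where every certificate on the card was rejected from the case this log shows, where a certificate was accepted but the signature check then failed. The sample log is constructed from the excerpt above with the subject shortened.

```python
import re
# NSS SEC_ERROR_* codes (secerr.h, base -8192) that p11_child prints when it
# rejects a certificate, or a signature made with the certificate's key.
NSS_ERRORS = {-8182: "SEC_ERROR_BAD_SIGNATURE", -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
              -8180: "SEC_ERROR_REVOKED_CERTIFICATE"}
# Line layout: "(date) [[sssd[p11_child[pid]]]] [func] (level): message"
MSG_RE = re.compile(r"\[\[sssd\[p11_child\[\d+\]\]\]\] \[\w+\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
CERT_RE = re.compile(r"^found cert\[[^\]]*\]\[(?P<subj>[^\]]*)\]")
SKIP_RE = re.compile(r"^Certificate \[[^\]]*\]\[(?P<subj>[^\]]*)\] not valid \[(?P<code>-?\d+)\], skipping")
VFY_RE = re.compile(r"^VFY_VerifyData failed \[(?P<code>-?\d+)\]")
def nss_err(code):
    return (int(code), NSS_ERRORS.get(int(code), "unknown NSS error"))

def analyse_p11_child_log(text):
    """Summarise one p11_child run: candidate certs, rejected certs and outcome."""
    rep = {"candidates": [], "skipped": [], "verify_error": None, "failed": False}
    after_filter = False  # certs are logged twice; count only the filtered list
    for m in filter(None, map(MSG_RE.search, text.splitlines())):
        msg = m.group("msg")
        c, s, v = CERT_RE.match(msg), SKIP_RE.match(msg), VFY_RE.match(msg)
        if msg.startswith("Filtered certificates:"):
            after_filter = True
        elif c and after_filter:
            rep["candidates"].append(c.group("subj"))
        elif s:  # rejected by the validity check (expired, revoked, ...)
            rep["skipped"].append((s.group("subj"),) + nss_err(s.group("code")))
        elif v:  # a cert was accepted, but the signature made with its key did not verify
            rep["verify_error"] = nss_err(v.group("code"))
        elif msg.startswith("p11_child failed"):
            rep["failed"] = True
    return rep

def diagnose(rep):  # "no usable cert on the card" vs "cert accepted, signature bad"
    if not rep["failed"]:
        return "no failure reported"
    if len(rep["skipped"]) >= len(rep["candidates"]):
        return "all candidates rejected: " + ", ".join(r[2] for r in rep["skipped"])
    err = rep["verify_error"][1] if rep["verify_error"] else "unknown reason, inspect the full log"
    return "a candidate passed the validity check but " + err

# Constructed sample modelled on the excerpt above: two certs for one user, the first expired.
SAMPLE_LOG = """\
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (u):Certificate][CN=u,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (u):Certificate][CN=u,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (u):Certificate][CN=u,O=EXAMPLE.TEST]
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (u):Certificate][CN=u,O=EXAMPLE.TEST] not valid [-8181], skipping.
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep  9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
"""
```

Running `diagnose(analyse_p11_child_log(SAMPLE_LOG))` on the sample reports that one candidate was rejected as expired and the remaining one failed with SEC_ERROR_BAD_SIGNATURE, which is the distinction Comment 6 below draws.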
Comment 5 Roshni 2016-09-07 15:09:21 EDT
I missed mentioning that I disabled OCSP checking in sssd.conf.
Comment 6 Sumit Bose 2016-09-16 12:36:59 EDT
The "VFY_VerifyData failed [-8182]." was caused by the invalid Smartcard which we fixed recently; please re-test with the proper card.
Comment 7 Roshni 2016-09-18 13:06:00 EDT
Sumit,

I re-tested with a proper card and I was seeing the same issue when there was an expired cert on the card.
Comment 8 Roshni 2016-09-21 09:47:32 EDT
[root@dhcp129-34 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-42.el7.src.rpm
Build Date  : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Login using smartcard is successful when the smartcard contains one expired/revoked cert and one valid cert.
Comment 10 errata-xmlrpc 2016-11-04 03:14:53 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
