1523010 – IPA user able to authenticate with revoked cert on smart card

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1523010 - IPA user able to authenticate with revoked cert on smart card

Summary: IPA user able to authenticate with revoked cert on smart card

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Sumit Bose
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-12-07 02:17 UTC by Scott Poore
Modified:	2020-05-02 18:50 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.16.0-13.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 17:20:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4585	0	None	None	None	2020-05-02 18:50:00 UTC
Red Hat Product Errata	RHEA-2018:0929	0	None	None	None	2018-04-10 17:21:33 UTC

Description Scott Poore 2017-12-07 02:17:42 UTC

Description of problem:

On IPA client with Smart Card authentication enabled, I'm trying to check authentication failure with a revoked certificate.  I'm not seeing it fail, though:

[root@seceng-idm-1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=ipauser1-01%20%28OpenSC%20Card%29;id=%01;object=cert.01;type=cert
	Type: X.509 Certificate
	Label: cert.01
	ID: 01

[root@seceng-idm-1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --outfile /tmp/cert1 --export 'pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=ipauser1-01%20%28OpenSC%20Card%29;id=%01;object=cert.01;type=cert'

[root@seceng-idm-1 ~]# openssl x509 -in /tmp/cert1 -noout -serial
serial=17

[root@seceng-idm-1 ~]# ipa cert-show 0x17
  Issuing CA: ipa
  Certificate: MIID...
  Subject: CN=ipauser1,O=TESTRELM.TEST
  Subject email address: ipauser1
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Dec 07 01:47:21 2017 UTC
  Not After: Sun Dec 08 01:47:21 2019 UTC
  Serial number: 23
  Serial number (hex): 0x17
  Revoked: True
  Revocation reason: 6

[root@seceng-idm-1 ~]# su - ipauser1 -c "su - ipauser1 -c whoami"
su: warning: cannot change directory to /home/ipauser1: No such file or directory
PIN for ipauser1-01 (OpenSC Card)
su: warning: cannot change directory to /home/ipauser1: No such file or directory
ipauser1


Version-Release number of selected component (if applicable):

ipa-client-4.5.4-6.el7.x86_64
sssd-1.16.0-9.el7.x86_64

How reproducible:

Unknown.

Steps to Reproduce:
1.  Setup IPA Server and Client for Smart Card Authentication
2.  Add user and certificate and revoke cert with reason 6.
3.  test auth with su

su - ipauser -c "su - ipauser -c whoami"

Actual results:

The su command is not failing as expected.

Expected results:

The su command should fail when authenticating with a revoked certificate.

Additional info:

Comment 5 Jakub Hrozek 2017-12-07 16:58:22 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3560

Comment 6 Lukas Slebodnik 2017-12-08 13:05:15 UTC

master:
* 2297cc7d6cd5c38a7d64027165e4e82ca497f418

Comment 8 Scott Poore 2017-12-11 17:11:37 UTC

FailedQA.

Seeing a problem with verification of AD certs without OCSP attributes set.  SSSD appears to be allowing the use of a certificate when OCSP checking is disabled even when issuing cert is not in /etc/pki/nssdb.

1. AD CA Certificate is missing from /etc/pki/nssdb
2. sssd.conf is configured to default for certificate_verification (meaning commented out or not set).
3. AD User Certificate does not have OCSP data, just CRL and "Authority Information Access".
4. authentication results in an OCSP error in p11_child.log

Certificate [singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1] failed OCSP check [-8179][Peer's Certificate issuer is not recognized.], skipping.

If I set certificate_verification = no_ocsp, though, it works and I can authenticate with the Card and PIN.



[root@seceng-idm-1 test_certs]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C


^^^ the "Smart Card..." one isn't the AD cert


########## Fails with certificate_verification defaulting #######################

[root@seceng-idm-1 test_certs]# vim /etc/sssd/sssd.conf

[root@seceng-idm-1 test_certs]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

[root@seceng-idm-1 test_certs]# grep verification /etc/sssd/sssd.conf
# certificate_verification = no_ocsp

[root@seceng-idm-1 test_certs]# su - adcertsingleuser1 -c "su - adcertsingleuser1 -c whoami"
Password: 

su: Authentication failure

############## Works with certificate_verification set to no_ocsp #################

[root@seceng-idm-1 test_certs]# vim /etc/sssd/sssd.conf

[root@seceng-idm-1 test_certs]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

[root@seceng-idm-1 test_certs]# grep verification /etc/sssd/sssd.conf
certificate_verification = no_ocsp

[root@seceng-idm-1 test_certs]# su - adcertsingleuser1 -c "su - adcertsingleuser1 -c whoami"
PIN for singleuser1-01 (OpenSC Card)

adcertsingleuser1

Comment 9 Lukas Slebodnik 2017-12-14 11:02:11 UTC

(In reply to Lukas Slebodnik from comment #6)
> master:
> * 2297cc7d6cd5c38a7d64027165e4e82ca497f418

that patches was reverter by commit c221b5fb4d3fc511cebcae2f042e43fb1c577bc7

Comment 10 Lukas Slebodnik 2017-12-14 11:02:29 UTC

master:
* 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc

Comment 12 Scott Poore 2017-12-14 17:05:33 UTC

Verified.

Version ::

Results ::

test1:  revoked cert

# ipa cert-show 0xCF
  Issuing CA: ipa
  Certificate: MII...
  Subject: CN=ipauser1,O=TESTRELM.TEST
  Subject email address: ipauser1
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Dec 14 16:26:35 2017 UTC
  Not After: Sun Dec 15 16:26:35 2019 UTC
  Serial number: 207
  Serial number (hex): 0xCF
  Revoked: True
  Revocation reason: 6

# ipa certmap-match /tmp/cardcert1
--------------
1 user matched
--------------
  Domain: TESTRELM.TEST
  User logins: ipauser1
----------------------------
Number of entries returned 1
----------------------------

# su - ipauser1 -c "su - ipauser1 -c id"
su: warning: cannot change directory to /home/ipauser1: Permission denied
-bash: /home/ipauser1/.bash_profile: Permission denied
Password: 
su: Authentication failure

^^^^ Prompting for Password above instead of PIN indicates expected failure.

We can also double check in /var/log/sssd/p11_child.log:

(Thu Dec 14 16:38:37 2017) [[sssd[p11_child[7012]]]] [do_work] (0x4000): found cert[ipauser1-01 (OpenSC Card):cert.01][CN=ipauser1,O=TESTRELM.TEST]
(Thu Dec 14 16:38:37 2017) [[sssd[p11_child[7012]]]] [do_work] (0x0040): Certificate [ipauser1-01 (OpenSC Card):cert.01][CN=ipauser1,O=TESTRELM.TEST] not valid [-8102][Certificate key usage inadequate for attempted operation.], skipping.



test2: signing cert missing:

# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C
AD-ROOT-CA                                                   CT,c,c
nssdb_rootCA                                                 CT,c,c


# certutil -d /etc/pki/nssdb -D -n AD-ROOT-CA

# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C
nssdb_rootCA                                                 CT,c,c

# grep certificate_verification /etc/sssd/sssd.conf
# certificate_verification = no_ocsp

# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

# su - adcertsingleuser1 -c "su - adcertsingleuser1 -c whoami"
Password: 
su: Authentication failure


Then doublecheck /var/log/sssd/p11_child.log for messages:

(Thu Dec 14 17:01:07 2017) [[sssd[p11_child[8255]]]] [do_work] (0x4000): found cert[singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1]
(Thu Dec 14 17:01:07 2017) [[sssd[p11_child[8255]]]] [do_work] (0x0040): Certificate [singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1] not valid [-8179][Peer's Certificate issuer is not recognized.], skipping.

Comment 13 Scott Poore 2017-12-14 17:06:26 UTC

Forgot to list the Version for verification.

sssd-1.16.0-13.el7.x86_64

Comment 16 errata-xmlrpc 2018-04-10 17:20:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

Note You need to log in before you can comment on or make changes to this bug.