Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1523010 - IPA user able to authenticate with revoked cert on smart card
IPA user able to authenticate with revoked cert on smart card
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.5
Unspecified Unspecified
unspecified Severity low
: rc
: ---
Assigned To: Sumit Bose
sssd-qe
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-12-06 21:17 EST by Scott Poore
Modified: 2018-04-10 13:21 EDT (History)
10 users (show)

See Also:
Fixed In Version: sssd-1.16.0-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 13:20:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0929 None None None 2018-04-10 13:21 EDT

  None (edit)
Description Scott Poore 2017-12-06 21:17:42 EST 
Description of problem:

On IPA client with Smart Card authentication enabled, I'm trying to check authentication failure with a revoked certificate.  I'm not seeing it fail, though:

[root@seceng-idm-1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=ipauser1-01%20%28OpenSC%20Card%29;id=%01;object=cert.01;type=cert
	Type: X.509 Certificate
	Label: cert.01
	ID: 01

[root@seceng-idm-1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --outfile /tmp/cert1 --export 'pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=ipauser1-01%20%28OpenSC%20Card%29;id=%01;object=cert.01;type=cert'

[root@seceng-idm-1 ~]# openssl x509 -in /tmp/cert1 -noout -serial
serial=17

[root@seceng-idm-1 ~]# ipa cert-show 0x17
  Issuing CA: ipa
  Certificate: MIID...
  Subject: CN=ipauser1,O=TESTRELM.TEST
  Subject email address: ipauser1@testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Dec 07 01:47:21 2017 UTC
  Not After: Sun Dec 08 01:47:21 2019 UTC
  Serial number: 23
  Serial number (hex): 0x17
  Revoked: True
  Revocation reason: 6

[root@seceng-idm-1 ~]# su - ipauser1 -c "su - ipauser1 -c whoami"
su: warning: cannot change directory to /home/ipauser1: No such file or directory
PIN for ipauser1-01 (OpenSC Card)
su: warning: cannot change directory to /home/ipauser1: No such file or directory
ipauser1


Version-Release number of selected component (if applicable):

ipa-client-4.5.4-6.el7.x86_64
sssd-1.16.0-9.el7.x86_64

How reproducible:

Unknown.

Steps to Reproduce:
1.  Setup IPA Server and Client for Smart Card Authentication
2.  Add user and certificate and revoke cert with reason 6.
3.  test auth with su

su - ipauser -c "su - ipauser -c whoami"

Actual results:

The su command is not failing as expected.

Expected results:

The su command should fail when authenticating with a revoked certificate.

Additional info:
Comment 5 Jakub Hrozek 2017-12-07 11:58:22 EST 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3560
Comment 6 Lukas Slebodnik 2017-12-08 08:05:15 EST 
master:
* 2297cc7d6cd5c38a7d64027165e4e82ca497f418
Comment 8 Scott Poore 2017-12-11 12:11:37 EST 
FailedQA.

Seeing a problem with verification of AD certs without OCSP attributes set.  SSSD appears to be allowing the use of a certificate when OCSP checking is disabled even when issuing cert is not in /etc/pki/nssdb.

1. AD CA Certificate is missing from /etc/pki/nssdb
2. sssd.conf is configured to default for certificate_verification (meaning commented out or not set).
3. AD User Certificate does not have OCSP data, just CRL and "Authority Information Access".
4. authentication results in an OCSP error in p11_child.log

Certificate [singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1] failed OCSP check [-8179][Peer's Certificate issuer is not recognized.], skipping.

If I set certificate_verification = no_ocsp, though, it works and I can authenticate with the Card and PIN.



[root@seceng-idm-1 test_certs]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C


^^^ the "Smart Card..." one isn't the AD cert


########## Fails with certificate_verification defaulting #######################

[root@seceng-idm-1 test_certs]# vim /etc/sssd/sssd.conf

[root@seceng-idm-1 test_certs]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

[root@seceng-idm-1 test_certs]# grep verification /etc/sssd/sssd.conf
# certificate_verification = no_ocsp

[root@seceng-idm-1 test_certs]# su - adcertsingleuser1@ipaadcs12r2.test -c "su - adcertsingleuser1@ipaadcs12r2.test -c whoami"
Password: 

su: Authentication failure

############## Works with certificate_verification set to no_ocsp #################

[root@seceng-idm-1 test_certs]# vim /etc/sssd/sssd.conf

[root@seceng-idm-1 test_certs]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

[root@seceng-idm-1 test_certs]# grep verification /etc/sssd/sssd.conf
certificate_verification = no_ocsp

[root@seceng-idm-1 test_certs]# su - adcertsingleuser1@ipaadcs12r2.test -c "su - adcertsingleuser1@ipaadcs12r2.test -c whoami"
PIN for singleuser1-01 (OpenSC Card)

adcertsingleuser1@ipaadcs12r2.test
Comment 9 Lukas Slebodnik 2017-12-14 06:02:11 EST 
(In reply to Lukas Slebodnik from comment #6)
> master:
> * 2297cc7d6cd5c38a7d64027165e4e82ca497f418

that patches was reverter by commit c221b5fb4d3fc511cebcae2f042e43fb1c577bc7
Comment 10 Lukas Slebodnik 2017-12-14 06:02:29 EST 
master:
* 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc
Comment 12 Scott Poore 2017-12-14 12:05:33 EST 
Verified.

Version ::

Results ::

test1:  revoked cert

# ipa cert-show 0xCF
  Issuing CA: ipa
  Certificate: MII...
  Subject: CN=ipauser1,O=TESTRELM.TEST
  Subject email address: ipauser1@testrelm.test
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Dec 14 16:26:35 2017 UTC
  Not After: Sun Dec 15 16:26:35 2019 UTC
  Serial number: 207
  Serial number (hex): 0xCF
  Revoked: True
  Revocation reason: 6

# ipa certmap-match /tmp/cardcert1
--------------
1 user matched
--------------
  Domain: TESTRELM.TEST
  User logins: ipauser1
----------------------------
Number of entries returned 1
----------------------------

# su - ipauser1 -c "su - ipauser1 -c id"
su: warning: cannot change directory to /home/ipauser1: Permission denied
-bash: /home/ipauser1/.bash_profile: Permission denied
Password: 
su: Authentication failure

^^^^ Prompting for Password above instead of PIN indicates expected failure.

We can also double check in /var/log/sssd/p11_child.log:

(Thu Dec 14 16:38:37 2017) [[sssd[p11_child[7012]]]] [do_work] (0x4000): found cert[ipauser1-01 (OpenSC Card):cert.01][CN=ipauser1,O=TESTRELM.TEST]
(Thu Dec 14 16:38:37 2017) [[sssd[p11_child[7012]]]] [do_work] (0x0040): Certificate [ipauser1-01 (OpenSC Card):cert.01][CN=ipauser1,O=TESTRELM.TEST] not valid [-8102][Certificate key usage inadequate for attempted operation.], skipping.



test2: signing cert missing:

# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C
AD-ROOT-CA                                                   CT,c,c
nssdb_rootCA                                                 CT,c,c


# certutil -d /etc/pki/nssdb -D -n AD-ROOT-CA

# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Smart Card CA 9b41ad38-4373-4d74-a7be-2bc8269432b1           CT,C,C
IPA CA                                                       CT,C,C
nssdb_rootCA                                                 CT,c,c

# grep certificate_verification /etc/sssd/sssd.conf
# certificate_verification = no_ocsp

# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 

# su - adcertsingleuser1@ipaadcs12r2.test -c "su - adcertsingleuser1@ipaadcs12r2.test -c whoami"
Password: 
su: Authentication failure


Then doublecheck /var/log/sssd/p11_child.log for messages:

(Thu Dec 14 17:01:07 2017) [[sssd[p11_child[8255]]]] [do_work] (0x4000): found cert[singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1]
(Thu Dec 14 17:01:07 2017) [[sssd[p11_child[8255]]]] [do_work] (0x0040): Certificate [singleuser1-01 (OpenSC Card):cert.01][CN=adcertsingleuser1] not valid [-8179][Peer's Certificate issuer is not recognized.], skipping.
Comment 13 Scott Poore 2017-12-14 12:06:26 EST 
Forgot to list the Version for verification.

sssd-1.16.0-13.el7.x86_64
Comment 16 errata-xmlrpc 2018-04-10 13:20:30 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.