Hi,

int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                      X509_STORE *st, unsigned long flags);

https://github.com/SSSD/sssd/blob/ca684cd156debbdf3d95776271e7020b883b1e81/src/p11_child/p11_child_openssl.c#L458:
```c
status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
```
  --  'p11_child' supplies neither 'certs' nor 'flags' (like
OCSP_TRUSTOTHER, etc.)

So IIUC the only case when a response signature is considered valid is when
the signer's certificate can be validated using the store.


On Fri, May 10, 2024 at 2:43 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Cross posting this to sssd-users.
>
> rob
>
> Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA) via FreeIPA-users wrote:
> > Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD.
> > The OCSP responder CA is not in the trust chain of the CA that issued
> > the smart card certificates.  I was able to get openssl ocsp
> > verification to work using “-verify_other” and “-trust_other” options.
> >
> > [root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem
> > -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem
> > -url http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text
> > WARNING: no nonce in response
> > Response verify OK
> > /home/alvareza/alvarez.pem: good
> >         This Update: May  9 00:00:00 2024 GMT
> >         Next Update: May 15 06:16:18 2024 GMT
> >
> >
> >
> > I tried to perform OCSP verification with the SSSD p11_child helper, but
> > it does not work.  Does anyone know if the “Direct Trust” model for OCSP
> > works with RHEL 8 SSSD?
> >  [root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1
> > --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22
> > --debug-level=9 --verification --verify
> > ocsp_dgst=sha1,ocsp_default_responder=
> > http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx
> > --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat
> > /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n")
> > set_debug_file_from_fd failed.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child
> > started.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running in
> > [verify] mode.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running
> > with effective IDs: [0][0].
> > (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running
> > with real IDs [0][0].
> > (2024-05-09  8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> > (0x4000): Using sha1 for OCSP.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> > (0x4000): Using OCSP default responder
> > [http://repeater1.prlh.nadsuswe.nads.navy.mil]
> > (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using
> > OCSP URL [http://repeater1.prlh.nadsuswe.nads.navy.mil].
> > (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce
> > in OCSP response. This might indicate a replay attack or an OCSP
> > responder which does not support nonces.  Accepting response.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020):
> > OCSP_basic_verify() failed to verify OCSP response.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [do_verification] (0x0040):
> > do_ocsp failed.
> > (2024-05-09  8:07:24): [p11_child[2817468]] [do_work] (0x0400):
> > Certificate is NOT valid.
> > 22
> > (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child
> > failed (22)
> >
> >
> >
> > v/r
> >
> >
> >
> > Angelo Alvarez, CISSP
> >
> > N6
> >
> > Joint Typhoon Warning Center
> >
> > Work: 808.471.3645
> >
> > Mobile: 808.389.9474
> >
> > Email: angelo.alva...@navy.mil <mailto:angelo.alva...@navy.mil>
> >
> > SiPR Email: angelo.alva...@navy.smil.mil
> > <mailto:angelo.alva...@navy.smil.mil>
> >
> >
> >
> > “They didn't count on my cunning!” – El Chapulin Colorado
> >
> >
> >
> >
> >
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> > freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> --
> _______________________________________________
> sssd-users mailing list -- sssd-us...@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
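The two OCSP_basic_verify() configurations compared above, reproduced with the openssl command line against a throwaway PKI (added example, not code from the thread or from SSSD; all file stems and CNs are made up):

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: it reproduces with the
# openssl CLI the two OCSP_basic_verify() configurations the reply compares,
# using a throwaway PKI built here. All file stems and CNs are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

selfsigned() {  # $1 = file stem, $2 = CN: a self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=$2" -days 30 >/dev/null 2>&1
}
issue() {       # $1 = file stem, $2 = CN, $3 = stem of the signing CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -out "$1.pem" -days 30 >/dev/null 2>&1
}

# Issuing CA (what p11_child's ca_db / X509_STORE would hold) and a user cert.
selfsigned ca IssuingCA
issue user smartcard-user ca
# Responder cert chains to a DIFFERENT CA that is not in the store, as reported.
selfsigned respca ResponderCA
issue responder ocsp-responder respca

# Minimal CA index so "openssl ocsp -index" answers "good" for the user cert
# (the expiry column is a placeholder; the responder only matches the serial).
serial=$(openssl x509 -in user.pem -noout -serial | cut -d= -f2)
printf 'V\t350101000000Z\t\t%s\tunknown\t/CN=smartcard-user\n' "$serial" > index.txt

# Build the request offline and answer it with openssl's mini responder.
openssl ocsp -issuer ca.pem -cert user.pem -no_nonce -reqout req.der >/dev/null
openssl ocsp -index index.txt -CA ca.pem -rsigner responder.pem -rkey responder.key \
  -reqin req.der -respout resp.der >/dev/null 2>&1

# Verify the stored response. With no extra options the store alone has to
# validate the signer's chain, i.e. OCSP_basic_verify(bs, NULL, store, 0) as
# p11_child calls it; -verify_other/-trust_other selects OCSP_TRUSTOTHER instead.
verify_status() {  # prints OK or FAIL; "$@" = extra openssl ocsp options
  if openssl ocsp -respin resp.der -issuer ca.pem -cert user.pem -CAfile ca.pem \
       -no_nonce "$@" 2>&1 | grep -q 'Response verify OK'
  then echo OK; else echo FAIL; fi
}

echo "store only (certs=NULL, flags=0): $(verify_status)"
echo "with -verify_other responder.pem -trust_other: $(verify_status -verify_other responder.pem -trust_other)"
```

The first line prints FAIL (the signer chains to a CA the store does not know), the second OK; adding the responder CA to ca_db instead would make the chain build but still not mark the responder as authorised for the issuer, which is a separate check inside OCSP_basic_verify.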