On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> Hi,
> 
> the following 3 patches are related to the Smartcard authentication
> feature but imo can be tested even without having one.
> 
> The first patch just adds some missing pieces. The second adds a new
> 'no_verification' switch to the 'certificate_verification' option, which
> is already tested by the unit tests.
> 
> The third adds two new OCSP related switches. With OCSP a certificate
> can be validated online by talking to a server which is listed in the
> certificate. Of course it might not always be possible to directly talk
> to this server. We already have the 'no_ocsp' switch to disable OCSP
> completely. The two new switches allow SSSD to talk to a different
> server or a proxy. To see how it is working you can do the following:
> 
> - call 'make check' to build and run all the tests
> - call './pam-srv-tests' to run the PAM responder tests but do not let
>   it complete but stop it with CTRL-C. This is needed to create the test
>   nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
>   created differently but this way it is easiest :-)
> - add an OCSP signing cert with
> 
> echo "<base64-encoded OCSP signing certificate, omitted here>" | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
> 
>   the NSS library call checks this certificate first before trying to connect
>   to the OCSP responder, so a valid one with the right key usage must be
>   added to make NSS try to reach the new OCSP responder
> 
> - call
> 
>     strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
> 
>   where you should see lines like
> 
>     send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
> 
>   from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
>   ticket
> 
> - call
> 
>     strace -s 128 -f -esend ./p11_child --debug-microseconds=1 --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify 'ocsp_default_responder=http://oooo.cccc.ssss.pppp:80,ocsp_default_responder_signing_cert=ocsp_cert'
> 
>   where you should now see lines like
> 
>     send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
> 
>   from the DNS lookups for the OCSP responder from the command line.
> 
> Of course all the validations will fail with "Certificate [SSSD Test
> Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> skipping" because none of the OCSP responders are available but I think this
> test is sufficient to see that the patch is working as expected.

Thank you for the patches and the tests. I only have one question about
the first patch.

> From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> From: Sumit Bose <sb...@redhat.com>
> Date: Fri, 18 Mar 2016 16:24:18 +0100
> Subject: [PATCH 1/3] p11: add missing man page entry and config API
> 
> The pam_cert_auth and pam_cert_db_path options were missing in the
> config API and had no man page entries.

Did you also want to document the pam_cert_auth option?
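A small decoder for the strace send() lines quoted in the test recipe above, added here as an illustration and not part of the thread or of SSSD: it undoes strace's C-style escaping, parses the DNS question section, and lists which responder hostnames p11_child tried to resolve, so the run with the certificate's own OCSP URL and the run with ocsp_default_responder can be compared mechanically. The two sample lines are constructed from the ones quoted above.

```python
import re
import struct

# Constructed sample: the two strace lines from the recipe above (first run
# resolves the OCSP URL from the certificate, second the command-line one).
SAMPLE_STRACE = r'''
send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
send(7, "yO\1\0\0\1\0\0\0\0\0\0\4oooo\4cccc\4ssss\4pppp\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
'''

SEND_RE = re.compile(r'send\(\d+, "((?:[^"\\]|\\.)*)", (\d+), ')

def unescape_strace(s):
    """Turn strace's C-style escapes (\\313, \\1, \\n, \\") back into bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i])); i += 1; continue
        i += 1
        m = re.match(r'[0-7]{1,3}', s[i:])
        if m:  # octal escape, one to three digits
            out.append(int(m.group(0), 8)); i += len(m.group(0)); continue
        out.append({'n': 10, 'r': 13, 't': 9, '\\': 92, '"': 34}[s[i]]); i += 1
    return bytes(out)

def parse_dns_query(pkt):
    """Decode a single-question DNS query; returns (txid, qname, qtype, qclass)."""
    txid, flags, qdcount = struct.unpack('!HHH', pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError('not a single-question DNS query')
    labels, pos = [], 12  # question section starts after the 12-byte header
    while True:
        length = pkt[pos]; pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError('compression pointer in a question name')
        labels.append(pkt[pos:pos + length].decode('ascii')); pos += length
    qtype, qclass = struct.unpack('!HH', pkt[pos:pos + 4])
    return txid, '.'.join(labels), qtype, qclass

def ocsp_lookups(strace_text):
    """Names from A/IN DNS queries found in strace send() lines, in order."""
    names = []
    for m in SEND_RE.finditer(strace_text):
        data = unescape_strace(m.group(1))
        if len(data) != int(m.group(2)):
            continue  # payload truncated by -s; cannot decode reliably
        try:
            _, name, qtype, qclass = parse_dns_query(data)
        except (ValueError, IndexError, struct.error):
            continue  # not a DNS query (e.g. the HTTP request to the responder)
        if qtype == 1 and qclass == 1:
            names.append(name)
    return names
```

Feeding the strace output of both runs through ocsp_lookups shows directly whether the configured responder replaced the one from the certificate.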
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org