Performing verification on Focal (20.04) as described in test steps.

Local test system has a 4th generation Yubikey attached.
The Yubikey is a smartcard reader with an integrated card.
There's a certificate on card, issued from internal non-default CA.

 # # Install `p11-kit` for test case use.
 # apt install p11-kit
 # apt-cache policy p11-kit | grep Installed:
  Installed: 0.23.20-1ubuntu0.1

 # # Install `ykcs11` for Yubikey smartcard use on system.
 # # This could also be `opensc` or any other module package.
 # apt install ykcs11
 # apt-cache policy ykcs11 | grep Installed:
  Installed: 2.0.0-2
 # # Allow auto-discovery of ykcs11 PKCS#11 module:
 # echo 'module: ../libykcs11.so' > \
   /usr/share/p11-kit/modules/ykcs11.module

 # # Install SSSD from -updates.
 # apt install sssd/focal-updates
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.3

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^     '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511]]]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:21:22:579307 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:21:22:579315 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:21:22:579322 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:21:22:581129 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Default Module List:
(Sat Feb 27 14:21:22:581145 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Sat Feb 27 14:21:22:581151 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581156 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Dead Module List:
(Sat Feb 27 14:21:22:581160 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): DB Module List:
(Sat Feb 27 14:21:22:581165 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Sat Feb 27 14:21:22:581170 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581175 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation                 ] Manufacturer [Mozilla Foundation                ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581182 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation                 ] Manufacturer [Mozilla Foundation                ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020): p11_child failed!

 # # In-place upgrade SSSD from -proposed.
 # apt install sssd/focal-proposed
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.4

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^     '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:23:47:854240 2021) [p11_child[4287]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:23:47:854267 2021) [p11_child[4287]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:23:47:854275 2021) [p11_child[4287]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:23:47:864786 2021) [p11_child[4287]] [do_card] (0x4000): Module List:
(Sat Feb 27 14:23:47:878057 2021) [p11_child[4287]] [do_card] (0x4000): common name: [p11-kit-trust].
(Sat Feb 27 14:23:47:879047 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Sat Feb 27 14:23:47:879072 2021) [p11_child[4287]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt                              PKCS#11 Kit                     ] Manufacturer [PKCS#11 Kit                     ] flags [1] removable [false] token present [true].
(Sat Feb 27 14:23:47:879084 2021) [p11_child[4287]] [do_card] (0x4000): common name: [ykcs11].
(Sat Feb 27 14:23:47:879090 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:48:000140 2021) [p11_child[4287]] [do_card] (0x4000): Description [Yubico YubiKey CCID 00 00                                       Yubico (www.yubico.com)         ] Manufacturer [Yubico (www.yubico.com)         ] flags [7] removable [true] token present [true].
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login NOT required.
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons] not valid, skipping.
(Sat Feb 27 14:23:49:076766 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
(Sat Feb 27 14:23:49:076781 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076787 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076793 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation] not valid, skipping.
(Sat Feb 27 14:23:49:076823 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a]
(Sat Feb 27 14:23:49:076837 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076843 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076849 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No certificate found.

As described in test case outcome 2, trust of the card is outside of the
verification scope -- what matters here is the card and certificate are
seen, when p11-kit identifies the token is there.

As a result, even though the certificate is considered invalid/unusable,
this verifies the focal-proposed package finds the card and certificate
slots on it.


** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905790

Title:
  Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for
  p11_child
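The verification comment above reads the `p11_child --pre -d 10` output by eye to separate two outcomes: the NSS build never enumerates a removable slot ("No removable slots found."), while the p11-kit/OpenSSL build finds the YubiKey token and its certificates but rejects each with OpenSSL verify error 20 (issuer CA not in the bundle passed as `--nssdb`). The following is an added example, not code from the bug report or from SSSD, that parses that output and returns the verdict. The two embedded logs are constructed in the format shown in the transcript (the PID, token serial and subject DN are illustrative; the message texts are the ones p11_child printed), and the set of message patterns matched is an assumption drawn only from what the transcript shows.

```python
"""Classify `p11_child --pre -d 10` debug output: was the PIV token enumerated, and
why were its certificates rejected?  Added example, not SSSD's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples in the format of the transcript above; PID, token serial and
# subject DN are illustrative, the message texts are those p11_child prints.
OLD_BUILD_LOG = """\
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511]]]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020): p11_child failed!
"""
NEW_BUILD_LOG = """\
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:23:47:879084 2021) [p11_child[4287]] [do_card] (0x4000): common name: [ykcs11].
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login NOT required.
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Test User]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Test User] not valid, skipping.
(Sat Feb 27 14:23:49:076766 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
(Sat Feb 27 14:23:49:076781 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076787 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076793 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No certificate found.
"""

# One log line: "(timestamp) [ident] [function] (level): message"; ident is
# "[sssd[p11_child[PID]]]" in the NSS build and "p11_child[PID]" in the p11-kit build.
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[(?P<ident>.*?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
TOKEN_RE = re.compile(r"^Found \[(?P<token>.*?)\] in slot \[.*?\]\[\d+\] of module \[\d+\]\[.*?\]\.$")
CERT_RE = re.compile(r"^found cert\[(?P<label>.*?)\]\[(?P<subject>.*)\]$")
VERIFY_RE = re.compile(r"^X509_verify_cert failed \[(?P<code>\d+)\](?:\[(?P<reason>.*)\])?\.$")
SKIP_RE = re.compile(r"^Certificate \[(?P<label>.*?)\]\[.*\] not valid, skipping\.$")
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20  # OpenSSL X509 verify error code


@dataclass
class CertResult:
    label: str
    subject: str
    verify_code: Optional[int] = None     # OpenSSL verify error, None if no error was logged
    verify_reason: Optional[str] = None
    skipped: bool = False

    @property
    def usable(self) -> bool:
        return not self.skipped and self.verify_code is None


@dataclass
class PreAuthResult:
    tokens: List[str] = field(default_factory=list)
    certs: List[CertResult] = field(default_factory=list)
    no_removable_slots: bool = False
    failed: bool = False
    unparsed: List[str] = field(default_factory=list)   # lines that did not match LINE_RE

    def verdict(self) -> str:
        if self.no_removable_slots:
            return "token-not-seen"   # NSS build: p11-kit modules never enumerated
        if not self.tokens:
            return "no-token"
        if any(c.usable for c in self.certs):
            return "cert-usable"
        if self.certs and all(c.verify_code == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
                              for c in self.certs):
            return "token-seen-issuer-untrusted"   # card and certs seen, CA not in --nssdb bundle
        return "token-seen-certs-rejected" if self.certs else "token-seen-no-cert"


def parse_p11_child_log(text: str) -> PreAuthResult:
    """Single pass; each X509 error is attributed to the most recently found cert."""
    result = PreAuthResult()
    current: Optional[CertResult] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                result.unparsed.append(raw)
            continue
        msg = m.group("msg")
        if msg == "No removable slots found.":
            result.no_removable_slots = True
        elif msg == "p11_child failed!":
            result.failed = True
        elif (t := TOKEN_RE.match(msg)):
            result.tokens.append(t.group("token"))
        elif (c := CERT_RE.match(msg)):
            current = CertResult(c.group("label"), c.group("subject"))
            result.certs.append(current)
        elif (v := VERIFY_RE.match(msg)) and current is not None:
            if v.group("reason") is not None:   # "[0]." is the return value; "[20][...]" the cause
                current.verify_code = int(v.group("code"))
                current.verify_reason = v.group("reason")
        elif (s := SKIP_RE.match(msg)) and current is not None:
            current.skipped = current.label == s.group("label")
            current = None
    return result
```

Pipe real output through it with the command from the transcript, `sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/ssl/certs/ca-certificates.crt 2>&1`, and call `parse_p11_child_log` on what it reads; anything accumulating in `unparsed` means the log format has drifted from the patterns assumed here. The "token-seen-issuer-untrusted" verdict is the one the verification above accepts: the SRU test only asks whether the card and its certificates are enumerated. For actual smart-card login, error 20 still has to go away, which means the `--nssdb` bundle (a CA bundle in the OpenSSL build) must contain the internal CA that issued the PIV Authentication certificate.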
