Comment 20 for bug 1905790

Valters Jansons (sigv) wrote :

Performing verification on Focal (20.04) as described in test steps.

Local test system has a 4th generation Yubikey attached.
The Yubikey is a smartcard reader with an integrated card.
There's a certificate on the card, issued from an internal, non-default CA.

 # # Install `p11-kit` for test case use.
 # apt install p11-kit
 # apt-cache policy p11-kit | grep Installed:
  Installed: 0.23.20-1ubuntu0.1

 # # Install `ykcs11` for Yubikey smartcard use on system.
 # # This could also be `opensc` or any other module package.
 # apt install ykcs11
 # apt-cache policy ykcs11 | grep Installed:
  Installed: 2.0.0-2
 # # Allow auto-discovery of ykcs11 PKCS#11 module:
 # echo 'module: ../libykcs11.so' > \
   /usr/share/p11-kit/modules/ykcs11.module

 # # Install SSSD from -updates.
 # apt install sssd/focal-updates
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.3

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511]]]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:21:22:579307 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:21:22:579315 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:21:22:579322 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:21:22:581129 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Default Module List:
(Sat Feb 27 14:21:22:581145 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Sat Feb 27 14:21:22:581151 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581156 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Dead Module List:
(Sat Feb 27 14:21:22:581160 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): DB Module List:
(Sat Feb 27 14:21:22:581165 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Sat Feb 27 14:21:22:581170 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581175 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581182 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020): p11_child failed!

 # # In-place upgrade SSSD from -proposed.
 # apt install sssd/focal-proposed
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.4

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:23:47:854240 2021) [p11_child[4287]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:23:47:854267 2021) [p11_child[4287]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:23:47:854275 2021) [p11_child[4287]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:23:47:864786 2021) [p11_child[4287]] [do_card] (0x4000): Module List:
(Sat Feb 27 14:23:47:878057 2021) [p11_child[4287]] [do_card] (0x4000): common name: [p11-kit-trust].
(Sat Feb 27 14:23:47:879047 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Sat Feb 27 14:23:47:879072 2021) [p11_child[4287]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Sat Feb 27 14:23:47:879084 2021) [p11_child[4287]] [do_card] (0x4000): common name: [ykcs11].
(Sat Feb 27 14:23:47:879090 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:48:000140 2021) [p11_child[4287]] [do_card] (0x4000): Description [Yubico YubiKey CCID 00 00 Yubico (www.yubico.com) ] Manufacturer [Yubico (www.yubico.com) ] flags [7] removable [true] token present [true].
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login NOT required.
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons] not valid, skipping.
(Sat Feb 27 14:23:49:076766 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
(Sat Feb 27 14:23:49:076781 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076787 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076793 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation] not valid, skipping.
(Sat Feb 27 14:23:49:076823 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a]
(Sat Feb 27 14:23:49:076837 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076843 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076849 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No certificate found.

As described in test case outcome 2, trust of the card is outside the verification scope -- what matters here is that the card and certificate are seen once p11-kit identifies that the token is there.

As a result, even though the certificate is considered invalid/unusable, this verifies that the focal-proposed package finds the card and the certificate slots on it.
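The `X509_verify_cert failed [20][unable to get local issuer certificate]` lines in the log above are OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the card's certificate was read fine, but its issuing CA is not in the bundle the child was pointed at, so the certificate is skipped. The script below is an added example, not part of this bug report or of SSSD: it builds a throwaway "internal" CA, a leaf certificate standing in for the PIV Authentication (slot 9a) certificate, and an unrelated CA standing in for a distro bundle, then shows the same error 20 from `openssl verify` and shows it clearing once the issuing CA is appended to the bundle. All names, subjects and file paths are placeholders; it needs only the openssl CLI and its own minimal config, so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the bug report or SSSD): reproduce the
# "X509_verify_cert failed [20][unable to get local issuer certificate]"
# from the p11_child log with throwaway certificates, then show it clearing
# once the issuing CA is present in the bundle. Names are placeholders.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CNF="$WORKDIR/openssl.cnf"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# self_signed_ca OUT_PEM SUBJECT: throwaway CA with an EC P-256 key.
self_signed_ca() {
  openssl req -config "$CNF" -x509 -days 1 -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "$2" -extensions ca_ext \
    -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

CA_PEM="$WORKDIR/internal-ca.pem"
OTHER_CA_PEM="$WORKDIR/unrelated-ca.pem"
LEAF_PEM="$WORKDIR/piv-auth.pem"
BUNDLE_PEM="$WORKDIR/ca-certificates.crt"

# The "internal non-default CA" from the report, plus one unrelated CA that
# stands in for a distro bundle which does not know the internal CA.
self_signed_ca "$CA_PEM" '/DC=com/DC=example/CN=Example Internal CA'
self_signed_ca "$OTHER_CA_PEM" '/CN=Unrelated Public Root'

# Leaf certificate standing in for the PIV Authentication (slot 9a) cert.
openssl req -config "$CNF" -new -nodes \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -subj '/DC=com/DC=example/OU=Struct/CN=Example User' \
  -keyout "$WORKDIR/piv-auth.key" -out "$WORKDIR/piv-auth.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORKDIR/piv-auth.csr" \
  -CA "$CA_PEM" -CAkey "${CA_PEM%.pem}.key" -CAcreateserial \
  -extfile "$CNF" -extensions leaf_ext -out "$LEAF_PEM" 2>/dev/null

# Bundle as an admin would build it: the distro bundle plus the internal CA.
cat "$OTHER_CA_PEM" "$CA_PEM" > "$BUNDLE_PEM"

# verify_result BUNDLE CERT: prints "OK" or "error N", where N is the
# OpenSSL X509_V_ERR_* code (the number p11_child logs in square brackets).
verify_result() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
  esac
}

echo "bundle without issuer: $(verify_result "$OTHER_CA_PEM" "$LEAF_PEM")"
echo "issuing CA only:       $(verify_result "$CA_PEM" "$LEAF_PEM")"
echo "bundle plus issuer:    $(verify_result "$BUNDLE_PEM" "$LEAF_PEM")"
```

On Ubuntu the equivalent of the last step is to drop the internal CA as a `.crt` file under `/usr/local/share/ca-certificates/` and run `update-ca-certificates`, which rebuilds `/etc/ssl/certs/ca-certificates.crt`; re-running the `p11_child --pre` command from the test case should then no longer log `not valid, skipping` for the PIV Authentication certificate. The two Yubico attestation certificates will keep failing with the same error 20 unless their issuer is added as well, which is unrelated to whether the card and its slots are found.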