Performing verification on Focal (20.04) as described in test steps. Local test system has a 4th generation Yubikey attached. The Yubikey is a smartcard reader with an integrated card. There's a certificate on card, issued from internal non-default CA.

#
# Install `p11-kit` for test case use.
#
# apt install p11-kit
# apt-cache policy p11-kit | grep Installed:
  Installed: 0.23.20-1ubuntu0.1

#
# Install `ykcs11` for Yubikey smartcard use on system.
#
# This could also be `opensc` or any other module package.
#
# apt install ykcs11
# apt-cache policy ykcs11 | grep Installed:
  Installed: 2.0.0-2

#
# Allow auto-discovery of ykcs11 PKCS#11 module:
#
# echo 'module: ../libykcs11.so' > \
    /usr/share/p11-kit/modules/ykcs11.module

#
# Install SSSD from -updates.
#
# apt install sssd/focal-updates
# apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.3

#
# Execute described test case.
#
# p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567

# sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
    --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511]]]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:21:22:579307 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:21:22:579315 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:21:22:579322 2021) [[sssd[p11_child[3511]]]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:21:22:581129 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Default Module List:
(Sat Feb 27 14:21:22:581145 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Sat Feb 27 14:21:22:581151 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581156 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Dead Module List:
(Sat Feb 27 14:21:22:581160 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): DB Module List:
(Sat Feb 27 14:21:22:581165 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Sat Feb 27 14:21:22:581170 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): dll name: [(null)].
(Sat Feb 27 14:21:22:581175 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581182 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020): p11_child failed!

#
# In-place upgrade SSSD from -proposed.
#
# apt install sssd/focal-proposed
# apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.4

#
# Execute described test case.
#
# p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
ykcs11: ../libykcs11.so
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 2.0
    token: YubiKey PIV #1234567

# sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
    --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child started.
(Sat Feb 27 14:23:47:854240 2021) [p11_child[4287]] [main] (0x2000): Running in [pre-auth] mode.
(Sat Feb 27 14:23:47:854267 2021) [p11_child[4287]] [main] (0x2000): Running with effective IDs: [0][0].
(Sat Feb 27 14:23:47:854275 2021) [p11_child[4287]] [main] (0x2000): Running with real IDs [0][0].
(Sat Feb 27 14:23:47:864786 2021) [p11_child[4287]] [do_card] (0x4000): Module List:
(Sat Feb 27 14:23:47:878057 2021) [p11_child[4287]] [do_card] (0x4000): common name: [p11-kit-trust].
(Sat Feb 27 14:23:47:879047 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Sat Feb 27 14:23:47:879072 2021) [p11_child[4287]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Sat Feb 27 14:23:47:879084 2021) [p11_child[4287]] [do_card] (0x4000): common name: [ykcs11].
(Sat Feb 27 14:23:47:879090 2021) [p11_child[4287]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:48:000140 2021) [p11_child[4287]] [do_card] (0x4000): Description [Yubico YubiKey CCID 00 00 Yubico (www.yubico.com) ] Manufacturer [Yubico (www.yubico.com) ] flags [7] removable [true] token present [true].
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login NOT required.
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons] not valid, skipping.
(Sat Feb 27 14:23:49:076766 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
(Sat Feb 27 14:23:49:076781 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076787 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076793 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation] not valid, skipping.
(Sat Feb 27 14:23:49:076823 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a]
(Sat Feb 27 14:23:49:076837 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076843 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076849 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV Attestation 9a] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No certificate found.

As described in test case outcome 2, trust of the card is outside of the verification scope -- what matters here is the card and certificate are seen, when p11-kit identifies the token is there. As a result, even though the certificate is considered invalid/unusable, this verifies the focal-proposed package finds the card and certificate slots on it.
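To make the outcome-2 judgement above repeatable rather than done by eye, here is an added Python helper (not part of SSSD, p11-kit or this bug report) that parses `p11_child --pre -d 10` debug lines in the format quoted in the comment and applies the same rule: the token and its certificates must be found, while X509_verify_cert chain errors are reported but do not fail the check. The sample log lines are constructed from the output above, and both process-prefix styles (`[[sssd[p11_child[N]]]]` and `[p11_child[N]]`) are accepted.

```python
import re
# Constructed sample lines in the p11_child debug format quoted above; the pre-fix and
# post-fix runs differ only in the process prefix, so the parser accepts both shapes.
LOG_BEFORE_FIX = """\
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
"""
LOG_AFTER_FIX = """\
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000): found cert[X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
"""

# "(timestamp) [proc] [function] (level): message"; proc nests brackets, hence the \]+ .
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[+(?P<proc>[^\]]*)\]+ \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
TOKEN_RE = re.compile(r"^Found \[(?P<token>[^\]]+)\] in slot \[(?P<slot>[^\]]+)\]")
CERT_RE = re.compile(r"^found cert\[(?P<label>[^\]]+)\]\[(?P<subject>[^\]]+)\]")
VERIFY_RE = re.compile(r"^X509_verify_cert failed \[(?P<code>\d+)\]\[(?P<reason>[^\]]+)\]")

def parse_p11_child(log_text):
    """Collect the facts the test case cares about: token seen, certs read, chain errors."""
    s = {"token": None, "slot": None, "certs": [], "verify_errors": [], "no_slots": False}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a p11_child debug line
        msg = m.group("msg")
        if (t := TOKEN_RE.match(msg)):
            s["token"], s["slot"] = t.group("token"), t.group("slot")
        elif (c := CERT_RE.match(msg)):
            s["certs"].append((c.group("label"), c.group("subject")))
        elif (v := VERIFY_RE.match(msg)):  # the bare "failed [0]." line has no reason; skipped
            s["verify_errors"].append((int(v.group("code")), v.group("reason")))
        elif msg.startswith("No removable slots found"):
            s["no_slots"] = True
    return s

def verdict(s):
    """Outcome 2: the card and its certificates must be seen; chain trust is judged separately."""
    if s["no_slots"] or s["token"] is None:
        return "FAIL: no removable token found (module discovery broken)"
    if not s["certs"]:
        return "FAIL: token %r found but no certificates read" % s["token"]
    if s["verify_errors"]:
        reasons = "; ".join(sorted({r for _, r in s["verify_errors"]}))
        return "PASS: token and %d cert(s) seen; chain not trusted (%s)" % (len(s["certs"]), reasons)
    return "PASS: token and certs seen and verified"
```

Feed it the full `--debug-fd=2` capture from a real run (`verdict(parse_p11_child(open("p11_child.log").read()))`) to get the same PASS/FAIL split the comment reaches for 2.2.3-3ubuntu0.3 versus 2.2.3-3ubuntu0.4.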