History log of /sssd-io/src/p11_child/p11_child_nss.c
Revision Date Author Comments
346d6d8bf5fdb446921d754c07c8a7d913a048d5 29-Jan-2018 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/contrib/gdbinit /sssd-io/contrib/sssd.spec.in /sssd-io/src/conf_macros.m4 /sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb.h /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/config/SSSDConfig/__init__.py.in /sssd-io/src/config/SSSDConfig/ipachangeconf.py /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/external/ldap.m4 /sssd-io/src/ldb_modules/memberof.c /sssd-io/src/lib/certmap/sss_cert_content_nss.c /sssd-io/src/man/sss-certmap.5.xml /sssd-io/src/man/sssd-ad.5.xml /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c p11_child_nss.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/sbus/sssd_dbus.h /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/util/authtok.h /sssd-io/src/util/become_user.c /sssd-io/src/util/cert/libcrypto/cert.c /sssd-io/src/util/cert/nss/cert.c /sssd-io/src/util/inotify.c /sssd-io/src/util/safe-format-string.h /sssd-io/src/util/server.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/util_errors.h
787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc 14-Dec-2017 Sumit Bose <sbose@redhat.com>

p11_child: properly check results of CERT_VerifyCertificateNow
With certificateUsageCheckAllUsages not only the return code of CERT_VerifyCertificateNow() should be checked but also the usages for which the certificate was verified. The usages checked here will all involve CA signature checks and OCSP checks if OCSP is enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

c221b5fb4d3fc511cebcae2f042e43fb1c577bc7 14-Dec-2017 Sumit Bose <sbose@redhat.com>

Revert "p11_child: make sure OCSP checks are done"
This reverts commit 2297cc7d6cd5c38a7d64027165e4e82ca497f418.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

2297cc7d6cd5c38a7d64027165e4e82ca497f418 08-Dec-2017 Sumit Bose <sbose@redhat.com>

p11_child: make sure OCSP checks are done
If CERT_VerifyCertificateNow() is used with 'certificateUsageCheckAllUsages' OCSP checks are skipped even if OCSP was enabled. This patch calls CERT_CheckOCSPStatus() explicitly if OCSP checks are enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

57cefea8305a57c1c0491afb739813b7f17d5a25 13-Nov-2017 Sumit Bose <sbose@redhat.com>

PAM: add certificate's label to the selection prompt
Some types of Smartcards contain multiple certificates with the same subject-DN for different usages. To make it easier to choose between them in case the matching rules allow more than one of them for authentication the label assigned to the certificate on the Smartcard is shown in the selection prompt as well.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>

177ab84f0e336b75289a3ac0b2df25bd5ab5198b 13-Nov-2017 Sumit Bose <sbose@redhat.com>

pam: filter certificates in the responder not in the child
With the new selection option and the handling of multiple certificates in the PAM responder it is not needed anymore to filter the certificates in p11_child but the matching rules can be applied by the PAM responder directly.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>

08d1f8c0d6eece6a48201d7f8824b282eac3458d 13-Nov-2017 Sumit Bose <sbose@redhat.com>

p11_child: add descriptions for error codes to debug messages
Additionally to the NSS error code a text message describing the error is added. This will help to see why p11_child ignores specific certificates. For example it would be more obvious why the certificate is not valid (expired, missing CA cert, failed OCSP etc).
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>

0a8024af282b271ad2185f68703d9f4e766d2bdc 13-Nov-2017 Sumit Bose <sbose@redhat.com>

p11_child: use options to select certificate for authentication
New options are added to p11_child to select a specific certificate during authentication. The related unit tests are updated by adding the needed attributes to the requests. This was not necessary before because although the attributes were already sent by pam_sss they were not used in the PAM responder but only forwarded to the back where they were used by the PKINIT code to select the expected certificate.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>

39fd336e4390ece3a8465714735ef4203f329e54 13-Nov-2017 Sumit Bose <sbose@redhat.com>

p11_child: return multiple certs
This patch refactors the handling of certificates in p11_child. Not only the first but all certificates suitable for authentication are returned. The PAM responder component calling p11_child is refactored to handle multiple certificates returned by p11_child but so far only returns the first one to its callers.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>

a24954cc19285b197fb287bfa7aa01949c92b17d 10-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

CHILD: Pass information about logger to children
Variables debug_to_file or debug_to_stderr were not set because back-end already used parameter --logger=%s. And therefore logs were not sent to files. It could only work in case of direct usage of --debug-to-files in back-end via command configuration option.
Resolves: https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

cb75b275d15beedd1fdecc1f8ced657fba282218 03-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

Add parameter --logger to daemons
Different binaries handled information about logging differently e.g. --debug-to-files --debug-to-stderr. And logging to journald was a special case of previous options (!debug_file && !debug_to_stderr). It was also tied to the monitor option "--daemon" and therefore logging to stderr was used in interactive mode + systemd Type=notify.
Resolves: https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

/sssd-io/src/man/sssd.8.xml /sssd-io/src/monitor/monitor.c p11_child_nss.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/selinux_child.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/ifp/ifpsrv.c /sssd-io/src/responder/kcm/kcm.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/secrets/secsrv.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/tests/cmocka/dummy_child.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/util/child_common.c /sssd-io/src/util/debug.c /sssd-io/src/util/server.c
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 23-Feb-2017 Sumit Bose <sbose@redhat.com>

p11: return name of PKCS#11 module and key id to pam_sss
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am p11_child_nss.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_gpo.c /sssd-io/src/providers/ad/ad_gpo_child.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/backend.h /sssd-io/src/providers/be_dyndns.c /sssd-io/src/providers/be_ptask.c /sssd-io/src/providers/be_refresh.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/ipa/ipa_auth.h /sssd-io/src/providers/ipa/ipa_dyndns.h /sssd-io/src/providers/ipa/ipa_subdomains.h /sssd-io/src/providers/ipa/selinux_child.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/sdap.h /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_access.h /sssd-io/src/providers/ldap/sdap_async.h /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_dyndns.h /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo.h /sssd-io/src/providers/ldap/sdap_sudo_shared.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/tests/cmocka/test_be_ptask.c /sssd-io/src/tests/cmocka/test_data_provider_be.c
53ef8f81b60929a6c866efdd133627e7d7d61705 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add OCSP default responder options
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

aa35995ef056aa8ae052a47c62c6750b7adf065e 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add no_verification option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd 14-Dec-2015 Lukas Slebodnik <lslebodn@redhat.com>

DEBUG: Add missing new lines
Reviewed-by: Petr Cech <pcech@redhat.com>

544a20de7667f05c1a406c4dea0706b0ab507430 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d0de7701d44c7a75210a9cb04634913ce3a94bfb 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: check if cert is valid before selecting it
Currently the first certificate was selected and if it was not valid p11_child just returned an error. With this patch the validity is checked first and the first valid certificate is selected.
Resolves https://fedorahosted.org/sssd/ticket/2801
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3be9e26dcd169d44ae105f1b8a0674464c700b77 20-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: allow p11_child to run completely unprivileged
The only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ae627e216689b0a5834f36aaaa007ed584ef033d 14-Oct-2015 Petr Cech <pcech@redhat.com>

P11_CHILD_NSS: More restrictive permissions
p11_child_nss runs as root and we must be careful about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f8e337540d280f944098cd4dd7d670e2f7166b54 14-Oct-2015 Petr Cech <pcech@redhat.com>

REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
There are many calls of umask function with 077 argument. This patch adds new constant SSS_DFL_X_UMASK which stands for 077. So all occurrences of umask(077) are replaced by constant SSS_DFL_X_UMASK.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

13f30f69eec02d0c0aaccc7b544dee1326a5e9d4 17-Aug-2015 Jakub Hrozek <jhrozek@redhat.com>

p11child: set restrictive umask and clear environment
https://fedorahosted.org/sssd/ticket/2754
Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

45726939a48e605b0166521f94300ae04981a3a7 31-Jul-2015 Sumit Bose <sbose@redhat.com>

Add NSS version of p11_child
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>