SSSD / sssd-ci-containers

Setup containerized environment for testing and developing SSSD.
GNU General Public License v3.0

smartcard: Add support for virtsmartcard #84

Closed jakub-vavra-cz closed 7 months ago

jakub-vavra-cz commented 8 months ago

Add support for virt smartcard to the client.

spoore1 commented 8 months ago

FYI, I ran a test with this code and it works as expected:

First I added a simple sssd stub config to enable smart card authentication locally:

[root@client sssd]# cat /etc/sssd/conf.d/smartcard.conf
[sssd]
domains = shadowutils

[pam]
pam_cert_auth = True

[domain/shadowutils]
debug_level = 9
id_provider = proxy
proxy_lib_name = files
local_auth_policy = enable:smartcard

[certmap/shadowutils/localuser1]
matchrule = <SUBJECT>.*CN=localuser1*
debug_level = 9

Then I generated a certificate/key pair and added it to the virtual smart card's softhsm backing store with the following commands:

# Test CA directory, softhsm config and token PINs used by the virtual card
TESTDIR=/opt/test_ca
SOFTHSM2_CONF="/opt/test_ca/softhsm2.conf"
NSSDB=$TESTDIR/db
SOPIN=12345678
PIN=123456

export TESTDIR SOFTHSM2_CONF

# Start from an empty softhsm token store
rm -rf $TESTDIR/tokens
mkdir -p $TESTDIR/tokens
pushd $TESTDIR

NAME=localuser1

# Local user that the certmap rule in smartcard.conf maps the certificate to
useradd -m ${NAME}

# Initialise the softhsm token that virt_cacard exposes as the virtual card
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"

# Self-signed certificate/key pair; the subject CN must satisfy the certmap matchrule
openssl req -x509 -newkey rsa:2048 -keyout ${NAME}.key -out ${NAME}.crt \
    -sha256 -days 3650 -nodes -subj "/CN=localuser1"

# Load the private key and the certificate onto the token under the same id/label
pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
    --label ${NAME} -p $PIN --set-id 0 -d 0

pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
    --label ${NAME} -p $PIN --set-id 0 -d 0

# Trust the self-signed certificate as an issuer so SSSD accepts it during PAM auth
cat ${NAME}.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem

# Enable the smart card PAM stack
authselect select sssd with-smartcard --force

# Restart the card stack and SSSD with clean caches so the new config/cert is picked up
systemctl stop pcscd.service pcscd.socket virt_cacard sssd
rm -rf /var/lib/sss/{db,mc}/*
systemctl start pcscd virt_cacard sssd

Finally, test that the virtual smart card is visible with p11tool and that authentication works with su:

[root@client sssd]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1;id=%00%01;object=CAC%20ID%20Certificate;type=cert
        Type: X.509 Certificate (RSA-2048)
        Expires: Sun Mar 19 02:59:09 2034
        Label: CAC ID Certificate
        ID: 00:01

[root@client sssd]# su - localuser1 -c "su - localuser1 -c whoami"
PIN for localuser1:
localuser1

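
As an added illustration (not code from this PR or from SSSD itself), a small Python helper that parses the p11tool listing above into records, decodes the PKCS#11 URI attributes, checks the token certificate's expiry, and applies the certmap `<SUBJECT>` rule from smartcard.conf to a subject DN. The sample listing is constructed from the output above, and treating the text after `<SUBJECT>` as a plain regex searched in the DN string is a simplification assumed here.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample modelled on the p11tool listing in the comment above
# (not a capture from a real run).
P11TOOL_OUTPUT = """\
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1;id=%00%01;object=CAC%20ID%20Certificate;type=cert
        Type: X.509 Certificate (RSA-2048)
        Expires: Sun Mar 19 02:59:09 2034
        Label: CAC ID Certificate
        ID: 00:01
"""


def parse_p11tool_certs(text):
    """Split `p11tool --list-all-certs` output into one dict per object.

    The pkcs11: URI is decoded into its percent-encoded attributes and the
    Expires field into an aware datetime (p11tool prints local time; UTC is
    assumed here for simplicity).
    """
    certs, cur = [], None
    for line in text.splitlines():
        if re.match(r"Object \d+:", line):
            cur = {}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.lower()] = val.strip()
    for c in certs:
        body = c["url"][len("pkcs11:"):]
        c["uri"] = {k: unquote(v) for k, v in
                    (p.split("=", 1) for p in body.split(";") if "=" in p)}
        c["expires"] = datetime.strptime(
            c["expires"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return certs


def certmap_subject_matches(matchrule, subject_dn):
    """Approximate SSSD's <SUBJECT> certmap rule: the text after the tag is
    a regular expression searched in the subject DN (assumption: SSSD's exact
    DN formatting and regex dialect are not modelled here)."""
    if not matchrule.startswith("<SUBJECT>"):
        raise ValueError("only <SUBJECT> rules are handled")
    return re.search(matchrule[len("<SUBJECT>"):], subject_dn) is not None


def token_cert_is_valid(cert, now):
    """True if the parsed certificate record has not expired at `now`."""
    return cert["expires"] > now
```

Note that in `.*CN=localuser1*` the trailing `*` quantifies only the final `1`, so the rule also matches a subject of `CN=localuser`; anchoring the CN (for example ending the regex with `$`) is the usual way to tighten such a rule.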

jakub-vavra-cz commented 7 months ago

I capitalized task names and changed the phrasing of some of them, the code is the same.

pbrezina commented 7 months ago

Ack to the changes. I added the packages to https://copr.fedorainfracloud.org/coprs/g/sssd/ci-deps/packages/ but there are errors on rhel-8. Do we want it there as well?

pbrezina commented 7 months ago

Ok, it fails to build because softhsm is in module. jjelen only builds it for epel so I set it to build only in epel as well. @jakub-vavra-cz You can switch to ci-deps repo.

jakub-vavra-cz commented 7 months ago

I have commented out the jjelen copr repo. I left it there in case we need to switch back to it for some reason.