Smart card logon in Windows in a FreeIPA domain - windows

I created a domain with FreeIPA.
I connected Windows 10 to it. Logging in to Windows with a username and password works.
I created a profile in the FreeIPA settings to issue certificates for smart card logon in Windows:
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=Enroll user certificates with smartcardlogon.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=(UID|CN)=.*
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=FREEIPA.RED, DC=FREEIPA, DC=RED, E=$request.req_subject_name.cn$@FREEIPA.RED
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.12.default.name=IECUserRoles Extension Default
policyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.freeipa.red/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=true
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2,1.3.6.1.5.2.3.5
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.freeipa.red/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.name=Subject Alt Name Constraint
policyset.serverCertSet.13.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.13.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.13.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$@FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_subject_name.cn$@FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.13.default.params.subjAltExtType_2=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_2=(UTF8String)1.3.6.1.5.2.2,$request.req_subject_name.cn$@FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=3
policyset.serverCertSet.14.constraint.class_id=noConstraintImpl
policyset.serverCertSet.14.constraint.name=No Constraint
policyset.serverCertSet.14.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.14.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13,14
profileId=SmartCardLogon
visible=false
Created a key and a certificate request via openssl:
#openssl genrsa -out test.pem 2048
#openssl req -new -out test.req -key test.pem
I issued a certificate to the user via FreeIPA.
I put the key and certificate into a PFX container and imported that container onto a smart card.
Winlogon returns the error:
The remote procedure call failed
In the Windows System event log:
The security package Kerberos generated an exception. The exception information is the data.
Has anyone run into a similar problem?
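As an added example (not code from the original post or from FreeIPA), the small lint below parses a profile in the key=value form shown above and reports the settings Windows smart card logon depends on (the Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2, a UPN otherName 1.3.6.1.4.1.311.20.2.3 in the SAN), weak settings the profile above still permits (1024-bit RSA, MD2/MD5/SHA-1 signing), and more than one policy emitting a subjectAltName, since RFC 5280 allows only one extension per OID in a certificate. The finding codes and the excerpted SAMPLE_PROFILE are constructed for the example.

```python
SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon EKU
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"   # UPN otherName inside the SAN
SAN_OID = "2.5.29.17"
WEAK_SIGNING = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withEC"}
SAN_CLASSES = {"subjectAltNameExtDefaultImpl", "commonNameToSANDefaultImpl"}

def parse_profile(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_profile(text):
    """Return a sorted list of finding codes (constructed names) for the profile's policy set."""
    props = parse_profile(text)
    prefix = "policyset." + props.get("policyset.list", "") + "."
    findings, ekus, san_policies, upn_in_san = [], set(), set(), False
    for key, value in props.items():
        if not key.startswith(prefix):
            continue
        num, _, tail = key[len(prefix):].partition(".")  # policy number, rest of key
        if tail == "default.params.exKeyUsageOIDs":
            ekus.update(value.split(","))
        elif tail == "default.class_id" and value in SAN_CLASSES:
            san_policies.add(num)          # this policy builds a SAN itself
        elif tail == "default.params.userExtOID" and value == SAN_OID:
            san_policies.add(num)          # this policy copies a SAN from the CSR
        elif tail.startswith("default.params.subjAltExtPattern_") and UPN_OTHERNAME_OID in value:
            upn_in_san = True
        elif tail == "constraint.params.signingAlgsAllowed":
            for alg in sorted(set(value.split(",")) & WEAK_SIGNING):
                findings.append("weak-signing-alg:" + alg)
        elif tail == "constraint.params.keyParameters":
            for bits in value.split(","):
                if bits.isdigit() and int(bits) < 2048:
                    findings.append("weak-rsa-key-allowed:" + bits)
    if SMARTCARD_LOGON_EKU not in ekus:
        findings.append("eku-missing:smartcard-logon")
    if not upn_in_san:
        findings.append("san-missing:upn-othername")
    if len(san_policies) > 1:  # RFC 5280: at most one extension per OID
        findings.append("san-set-by-multiple-policies:" + ",".join(sorted(san_policies, key=int)))
    return sorted(findings)

# Constructed excerpt in the shape of the profile above (not the poster's full file).
SAMPLE_PROFILE = """
policyset.list=serverCertSet
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,MD5withRSA
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_subject_name.cn$@EXAMPLE.TEST
policyset.serverCertSet.14.default.class_id=commonNameToSANDefaultImpl
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```

Run it against the full profile text (saved to a file) to see which of the three SAN-producing policies, 11, 13 and 14, you actually want to keep.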

Just to make clear: what you are trying to achieve is not supported by FreeIPA. You cannot join Windows systems to FreeIPA because FreeIPA itself is not an Active Directory. While simple things might appear working (password-based logon, for example), the rest is not and will not be working. FreeIPA is not designed to be an Active Directory domain controller. You can use Samba AD for that purpose.

Related

Having problems getting electron builder to sign a mac build

I don't know why electron-builder cannot find a valid identity.
Using the environment variable to debug, I always end up with the same problem where it says there is no valid identity despite listing there to be 1 valid identity underneath.
I have tried specifying the cert name as the "identity" property of the top level key "mac" in package json and leaving it out.
I have tried specifying the keychain (CSC_KEYCHAIN) to login.
I have tried adding the "Developer ID Application: ****" cert to login, System, and custom keychains (I don't know why electron builder keeps making extra keychains called "1").
I have tried adding an "Apple Root CA" to all those keychains from the previous line.
I have tried specifying and omitting CSC_NAME, CSC_LINK + CSC_KEY_PASSWORD.
I have tried CSC_IDENTITY_AUTO_DISCOVERY as false.
Running the command line from this page appears to work (as running spctl -a -t exec -vv 'Appname.dmg' gives back "source=Unnotarized Developer ID"), but I would like to follow the automatic notarization process suggested here, which is based on electron-builder #3870
When I specify the identity in package json, the closest I get to is saying
Identity name is specified, but no valid identity with this name in the keychain identity=***** allIdentities=
1) BBBBBBBBB "Developer ID Application: ***** (XXXXX)"
1 identities found
Valid identities only
1) BBBBBBBBBB "Developer ID Application: ***** (XXXXX)" <---lists the exact one above
1 valid identities found
at/........
When I run security find-identity -v, or security find-identity -v -p codesigning, the exact same cert appears again.
Have I missed anything?

macOS kext with invalid signature

We have a kext-enabled Developer ID which we are using for code signing and I have verified that the certificate contains the 1.2.840.113635.100.6.1.18 extension required. However, kextutil -tn still shows:
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext
After signing, I re-extracted the signature using 'codesign -d --extract-certificates' to verify that the correct kext-enabled Developer ID certificate was indeed used during the signing process.
I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains.
Any suggestions on where to go from here? Thanks!
I've figured it out. Turns out macOS 10.13+ denies kexts by default -- even those signed with a valid kext-enabled Dev. ID certificate (which we have). The solution is described in this tech note (and alluded to in the comments above):
https://developer.apple.com/library/archive/technotes/tn2459/_index.html
The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.
$ csrutil status
System Integrity Protection status: enabled.
$ sudo kextutil -v /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext
Defaulting to kernel file '/System/Library/Kernels/kernel'
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext appears to be loadable (not including linkage for on-disk libraries).
Loading /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext.
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext successfully loaded (or already loaded).
$ kextstat | grep xxxxxx
161 0 0xffffff7f83af6000 0x3c9000 0x3c9000 com.xxxxxx.driver.zzzz (1) 230E04D6-5C15-373F-8F73-E23566AE3C22 <22 15 5 4 3 1>

iOS app: manually copy .mobileprovision file to keychain without xcode

I want to manually add a .mobileprovision to Keychain Access without using Xcode, because I didn't develop the app with Xcode. Any suggestions?
I found a YouTube video by Kotobee to be immensely helpful.
You will need an OpenSSL. All necessary info is within this video.
My personal notes from this video:
Step 1: Need the OpenSSL folder
Step 2:
Process of making the KEYS
https://youtu.be/yCvbbIfMnxI?t=6m
https://youtu.be/yCvbbIfMnxI?t=8m4s
1ST KEY
certificate signing request file (CSR)
open OpenSSL in COMMAND PROMPT (cmd)
openssl genrsa -out [keyname].key 2048
// optional change [keyname]
(NOTE: if there are issues locating openssl.cfg, type at the command prompt
set OPENSSL_CONF=d:\OpenSSL-Win64\bin\openssl.cfg
nothing will show on the command prompt, but continue)
2ND KEY
making the CertificateSigningRequest.certSigningRequest KEY
//// video timestamp around 13:00 //////
openssl req -new -key [keyname].key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourEmail@whatever.com, CN= companyName, C=US"
C=US is about the country of origin. So you may need to change this if not US.
NOTE: SEEMS LIKE ONCE YOU HAVE THE KEY FROM OPENSSL, don't need to do this process again. Not positive though, but so far seems true.
3RD KEY
https://youtu.be/yCvbbIfMnxI?t=14m52s
log into developer.apple.com account
3 steps:
STEP A:
Certificates
there's a DIFFERENCE between DEVELOPMENT & PRODUCTION/DISTRIBUTION
Click the PLUS sign in upper right corner of web page.
You can likely reUPLOAD the SAME key created under name:
CertificateSigningRequest.certSigningRequest
dev site will return "Your certificate is ready" to download
file name will be
ios_distribution.cer for DISTRIBUTION KEY
ios_development.cer for DEVELOPMENT KEY
/// NOTE: SO FAR LOOKS LIKE YOU CAN USE SAME KEY ONCE MADE!
Put your .cer file into the OpenSSL bin folder
STEP B:
Make your APP ID via the developer.apple.com site
https://youtu.be/yCvbbIfMnxI?t=16m58s
THIS SECTION appears to need to change per app, especially for DISTRIBUTION
could just use the wildcard key and be done with it for DEVELOPMENT
STEP C: Create .mobileprovision file
(note: this will include your registered devices)
Make an APP ID
click on Identifiers > App IDs >
Explicit App: Dev Prov Profile
App Bundle: id="com.domain.app"
Enabled: Push Notifications (can exclude this line)
Download new .mobileprovision file from developer.apple.com into
D:\OpenSSL-Win64\bin
Make sure latest CertificateSigningRequest.certSigningRequest file in
D:\OpenSSL-Win64\bin
Along with .key file in D:\OpenSSL-Win64\bin
STEP D: Create .pem file
In Command Prompt type:
openssl x509 -in [developer_certificate].cer -inform DER -out [app_pem_file].pem -outform PEM
ios_distribution.cer OR ios_development.cer
rename the [app_pem_file].pem file if you like -- make it similar (my thought)
to bundle app ID name or Explicit App name
OR
make it same as the .key name (if recreating & not using a previous one)
this creates the .PEM file
STEP E: Create .p12 file (final task)
In Command Prompt type:
openssl pkcs12 -export -inkey [keyname].key -in [app_pem_file].pem -out [app_p12].p12
As I said, all this information is on the video. You don't need my personal notes to get the key. :)

Decoding Mac App Store designated requirements

I have the following designated requirement in my app:
(
anchor apple generic
and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or
anchor apple generic
and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = <redacted_team_id>
)
and identifier "com.company.app"
Now I’m trying to validate a development build of my app against this DR. The “apple generic” root certificate check works fine, the bundle identifier check works fine. The certificate check in the first branch (6.1.9) looks for a “Apple Mac App Signing (Release)” certificate, so it fails. That’s expected with a development build.
As I understand the DR, the second branch (checking for certificate fields 6.2.6 and 6.1.13) should apply to development builds, but both certificate field checks fail:
$ codesign --verify -R="certificate 1[field.1.2.840.113635.100.6.2.6]" MyApp.app
test-requirement: code failed to satisfy specified code requirement(s)
$ codesign --verify -R="certificate leaf[field.1.2.840.113635.100.6.1.13]" MyApp.app
test-requirement: code failed to satisfy specified code requirement(s)
My question is: what exactly are the 6.2.6 and 6.1.13 certificate fields and why doesn’t my (properly signed) development build match them?
The 6.2.6 and 6.1.13 certificate fields are related to apps signed with the Developer ID certificate. The development build doesn’t match them because it was signed with the plain Mac development certificate.

How to compare a primary key fingerprint after verifying a signature with gpg?

I am new to cryptography in general, I have a question about the primary key fingerprint:
I have downloaded Apache Maven and, as they say in the download page, have verified the signature of the public key, using gpg:
user$ gpg --verify apache-maven-3.2.3-bin.tar.gz.asc apache-maven-3.2.3-bin.tar.gz
gpg: Signature made Tue Aug 12 00:59:35 2014 MSK using DSA key ID BB617866
gpg: Good signature from "Someone <email@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866
Now, I read from http://www.apache.org/dev/release-signing#fingerprint that the primary key fingerprint is a digest of the key, easier to read and compare, but my question is:
How should I compare it? I mean, where should I find the counterpart against which I should compare the fingerprint "FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866"?
The public keys of the Maven developers are linked on top of the download page.
It only contains the short IDs, which are not sufficient to verify keys, but they help you look up which key was used. To do so, delete this key (it probably was already fetched from the key servers while verifying the signature):
gpg --delete-keys [keyid]
Now prepare importing this key, by copying the public key block matching to the key ID given above to a file of your choice. This file should afterwards contain:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[snip]
-----END PGP PUBLIC KEY BLOCK-----
Now import using gpg --import [file]. Now run gpg --fingerprint [keyid], it should print the same fingerprint given in the output of the signature verification.