Add PKINIT test case for generic client cert 694/head
authorGreg Hudson <ghudson@mit.edu>
Fri, 25 Aug 2017 16:39:14 +0000 (12:39 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 29 Aug 2017 20:41:45 +0000 (16:41 -0400)
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.

ticket: 8562

src/tests/t_pkinit.py

index 898dafb48a4ba607628d58ff2fa386c6e6cbf85d..b790a7cda071264f8eef0ec910a39387cd8f074d 100755 (executable)
@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
 user_upn_p12 = os.path.join(certs, 'user-upn.p12')
 user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
 user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
+generic_p12 = os.path.join(certs, 'generic.p12')
 path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
 path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
 
@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
 p12_upn_identity = 'PKCS12:%s' % user_upn_p12
 p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
 p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
+p12_generic_identity = 'PKCS12:%s' % generic_p12
 p12_enc_identity = 'PKCS12:%s' % user_enc_p12
 p11_identity = 'PKCS11:soft-pkcs11.so'
 p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
@@ -329,6 +331,14 @@ realm.kinit(realm.user_princ,
             flags=['-X', 'X509_user_identity=%s' % p12_identity],
             expected_code=1, expected_msg=msg)
 
+# Authorize a client cert with no PKINIT extensions using subject and
+# issuer.  (Relies on EKU checking being turned off.)
+rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
+realm.klist(realm.user_princ)
+
 if not have_soft_pkcs11:
     skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
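Review bot: The `pkinit_cert_match` string attribute that the `setstr` call places on `realm.user_princ` is never removed, so the subject/issuer rule remains in force for every PKINIT test that runs after this block, presumably including the PKCS11 cases gated by `have_soft_pkcs11`. Those later kinits then pass or fail partly on whether their certificates happen to satisfy `CN=user$` and `O=MIT,`, which blurs what each test actually covers and makes a later failure hard to attribute. Clearing it once the klist has confirmed the ticket, `realm.run([kadminl, 'delstr', realm.user_princ, 'pkinit_cert_match'])`, keeps the rule scoped to this case. The comment's note that this relies on EKU checking being turned off points at configuration outside the hunk; naming the setting it depends on in that comment would save the next reader a search.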