From: Greg Hudson
Date: Sun, 4 Jan 2015 22:30:45 +0000 (-0500)
Subject: Clean up PKINIT tests
X-Git-Tag: krb5-1.14-alpha1~180
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b547063dafe7af4082b00efd4b5636ac5604f42e;p=thirdparty%2Fkrb5.git
Clean up PKINIT tests
Use realm.user_princ where appropriate. Re-wrap some overwrapped function calls. De-indent the PKCS11 tests using skip_rest.
---
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 23889c4ab6..52123e14e7 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -53,12 +53,10 @@ realm = K5Realm(krb5_conf=pkinit_krb5_conf,
 kdc_conf=pkinit_kdc_conf, get_creds=False)
 
 # Sanity check - password-based preauth should still work.
-realm.run(['./responder',
- '-r', 'password=%s' % password('user'),
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
- password=password('user'))
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+ realm.user_princ])
+realm.kinit(realm.user_princ, password=password('user'))
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Test anonymous PKINIT.
@@ -99,52 +97,36 @@ realm.start_kdc()
 realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % file_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % file_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % file_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity, realm.user_princ],
 expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
 password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the responder.
 # Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % file_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity,
+ realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- '-p',
- '%s=%s' % (file_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
+ '-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with no password on the key.
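Review bot: The re-wrapped responder calls still build the expected pkinit challenge by %-formatting a filesystem path into a JSON literal, e.g. `'pkinit={"%s": 0}' % file_enc_identity` and `'pkinit={"%s": "encrypted"}' % file_enc_identity`; any `"` or backslash in the identity path (an unusual test directory, or a Windows-style path) would yield malformed JSON and a confusing responder failure rather than a clear test error. Building the string as `'pkinit=' + json.dumps({file_enc_identity: 0})` keeps the encoding correct regardless of the path, at the cost of a `json` import if the file does not already have one (the top of the file is outside this hunk). The same pattern recurs in the DIR:, PKCS12: and PKCS11: cases later in the patch, so it would be one mechanical change across the test.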
@@ -154,167 +136,115 @@ shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
 shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
 shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % dir_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=', '-X',
+ 'X509_user_identity=%s' % dir_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % dir_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' %
- dir_file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+ '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ],
 expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
 password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # responder.
 # Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' %
- dir_file_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
+ '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- '-p',
- '%s=%s' % (dir_file_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % dir_enc_identity,
+ '-p', '%s=%s' % (dir_file_enc_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with no password on the bundle.
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % p12_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % p12_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p12_enc_identity,
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+ '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ],
 expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
 flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
 password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # responder.
 # Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p12_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
+ '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ])
 # Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- '-p',
- '%s=%s' % (p12_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+ '-p', '%s=%s' % (p12_enc_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
-if have_soft_pkcs11:
- softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
- realm.env['SOFTPKCS11RC'] = softpkcs11rc
-
- # PKINIT with PKCS11: identity, with no need for a PIN.
- conf = open(softpkcs11rc, 'w')
- conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_pem))
- conf.close()
- # Expect to succeed without having to supply any more information.
- realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm])
- realm.kinit('user@%s' % realm.realm,
- flags=['-X', 'X509_user_identity=%s' % p11_identity])
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
+if not have_soft_pkcs11:
+ skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+
+softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+# PKINIT with PKCS11: identity, with no need for a PIN.
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem))
+conf.close()
+# Expect to succeed without having to supply any more information.
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
- # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
- os.remove(softpkcs11rc)
- conf = open(softpkcs11rc, 'w')
- conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_enc_pem))
- conf.close()
- # Expect failure if the responder does nothing, and there's no prompter
- realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p11_token_identity,
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm],
- expected_code=2)
- realm.kinit('user@%s' % realm.realm,
- flags=['-X', 'X509_user_identity=%s' % p11_identity],
- password='encrypted')
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
+# PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+os.remove(softpkcs11rc)
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+ privkey_enc_pem))
+conf.close()
+# Expect failure if the responder does nothing, and there's no prompter
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ],
+ expected_code=2)
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity],
+ password='encrypted')
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
- # PKINIT with PKCS11: identity, with a PIN supplied by the responder.
- # Supply the response in raw form.
- realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p11_token_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' %
- p11_token_identity,
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm])
- # Supply the response through the convenience API.
- realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- '-p',
- '%s=%s' % (p11_token_identity, 'encrypted'),
- 'user@%s' % realm.realm])
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
-else:
- skipped('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+# PKINIT with PKCS11: identity, with a PIN supplied by the responder.
+# Supply the response in raw form.
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % p11_token_identity,
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+# Supply the response through the convenience API.
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p11_identity,
+ '-p', '%s=%s' % (p11_token_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
 
-success('Authenticated PKINIT')
+success('PKINIT tests')
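Review bot: The de-indented PKCS11 setup still writes soft-pkcs11.rc without a context manager — `conf = open(softpkcs11rc, 'w')` … `conf.close()` appears twice on the new side — so a failing write leaves the handle open and a partially written, possibly unflushed config behind for the following `realm.run`; the idiomatic form is `with open(softpkcs11rc, 'w') as conf:` with the `conf.write(...)` indented under it, which also drops the explicit `close()`. The `os.remove(softpkcs11rc)` kept before the second open looks redundant since `'w'` already truncates the file; unless soft-pkcs11 is known to cache the rc file by inode, which nothing in the hunk shows, it could go. After this change the closing `success('PKINIT tests')` is only reached on the soft-pkcs11 path, and whether `skip_rest` itself prints a summary is not visible here, so it is worth confirming a run without soft-pkcs11.so still reports a result.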