test:heimdal:pkinit fixes for SHA1-PUKEY calculation
authorGary Lockyer <gary@catalyst.net.nz>
Thu, 19 Feb 2026 22:55:59 +0000 (11:55 +1300)
committerJennifer Sutton <jsutton@samba.org>
Mon, 23 Feb 2026 20:16:34 +0000 (20:16 +0000)
The SHA1 hash for KB5014754 SHA1-PUKEY is calculated over the entire
certificate, not just the public key.

BUG https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
selftest/knownfail.d/pkinit-bug16001 [new file with mode: 0644]

index f8ffed5c4e38e3b49890232b90d2a5101fa6264b..7004478fb6834707b0c0580b00a11b9d9ce21ae1 100755 (executable)
@@ -434,8 +434,8 @@ class PkInitCertificateMappingTests(KDCBaseTest):
             client_creds, ca_cert, ca_private_key, None, []
         )
 
-        hash = x509.SubjectKeyIdentifier.from_public_key(certificate.public_key())
-        identity = f"X509:<SHA1-PUKEY>{hash.digest.hex()}"
+        fingerprint = certificate.fingerprint(hashes.SHA1())
+        identity = f"X509:<SHA1-PUKEY>{fingerprint.hex()}"
         self._add_altSecurityIdentities(client_creds, identity)
 
         self._pkinit_req(
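Review bot: The new `certificate.fingerprint(hashes.SHA1())` line gives no hint that the digest is deliberately taken over the whole DER-encoded certificate even though the mapping is named SHA1-PUKEY, so a later reader may "correct" it back to the public-key hash that the removed lines computed; a comment above it such as `# KB5014754 SHA1-PUKEY is the SHA-1 of the entire DER certificate, not of the SubjectPublicKeyInfo (bug 16001)` would pin that down. The hunk also relies on `hashes` being in scope, presumably from cryptography's hazmat primitives; the import is not visible here, so confirm the module already has it or the test will fail with a NameError before reaching the assertion. The enclosing test method starts before and ends after this hunk.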
diff --git a/selftest/knownfail.d/pkinit-bug16001 b/selftest/knownfail.d/pkinit-bug16001
new file mode 100644 (file)
index 0000000..25409d6
--- /dev/null
@@ -0,0 +1,8 @@
+#
+# The SHA1 hash for altSecurityIdentities SHA1-PUKEY is calculated over
+# the entire certificate not just the public key
+#
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
+#
+^samba.tests.krb5.pkinit_certificate_mapping_tests.samba.tests.krb5.pkinit_certificate_mapping_tests.PkInitCertificateMappingTests.test_public_key\(ad_dc_ntvfs\)
+^samba.tests.krb5.pkinit_certificate_mapping_tests.samba.tests.krb5.pkinit_certificate_mapping_tests.PkInitCertificateMappingTests.test_public_key\(ad_dc_smb1\)