From f42477d27dc4f6c482a23a8c29d416d830277d04 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 10 Jan 2013 18:30:04 -0500
Subject: [PATCH] Add various client-authenticating PKINIT tests

Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes

[ghudson@mit.edu: reformatted to 79 columns; removed intermediate success() calls]
---
 src/tests/Makefile.in | 1 +
 .../dejagnu/pkinit-certs/privkey-enc.pem | 30 ++++
 src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 0 -> 3029 bytes
 src/tests/dejagnu/pkinit-certs/user.p12 | Bin 0 -> 3104 bytes
 src/tests/dejagnu/pkinit-certs/user.pem | 32 ++++
 src/tests/t_authpkinit.py | 140 ++++++++++++++++++
 6 files changed, 203 insertions(+)
 create mode 100644 src/tests/dejagnu/pkinit-certs/privkey-enc.pem
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-enc.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user.pem
 create mode 100644 src/tests/t_authpkinit.py

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 45f3e8f1e3..55a3237896 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -82,6 +82,7 @@ check-pytests:: gcred hist kdbtest t_localauth
 	$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_authpkinit.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
new file mode 100644
index 0000000000..9f7816f179
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,91CA660D6286E453
+
+DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7
+Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU
+AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX
+z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL
+EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO
+rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH
+8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn
+593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld
+rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd
++n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM
+LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37
+bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644
+RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT
+H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V
+DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi
+Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn
+foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw
+WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV
+xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f
+PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe
+/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU
+Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy
+BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d
+mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE
+UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh
+-----END RSA PRIVATE KEY-----
diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 new file mode 100644 index 0000000000000000000000000000000000000000..107480c6d2564a2e60655f29a9984f3009c35a11 GIT binary patch literal 3029 zc-mE!cQ_P|AIFWmGcK}abuPjgbvAvuIvi(S&XyH9l@aNX?TpOqGs@j@W@J`IWR$(j zj0z_!q-2v{-{<+Q?;oG%^L$?K=kxFT1t)+<8R!||1aKCJMLGr@v&TlyL{A}rV*vzk z)E^uUCxBG{7l9}QkklU}&OlH1XNmmZ6I>X?`tRcmJqXSYV2-0knYi*cb1*P4(}fd& zTR}_e?CvkC8%u3jn$LzT-O<-|{qoMFYSJRxI@NYW#i3W?2lWWHm^>#HNpCIJx>Ass zl0ctAb#p{5@+I~k>=DoLZQXW~B z4?2vN>eb$A{FJ);V01(OFD66K^itbsia!g0SeKUi9(3P1_Z!Bp`9nNOdRjXZwPVE_ zlPCW+o5W`-vv7&(0RjdjG$c#)JcDkWgN!NW7jKPzhpQDxvk7g_qM{2`vHm?=vipb7 zHR>-p?}TS?25C z4?*LsvH8L{MYAm-$Wb4UKzXxqcc>Js)Tl^Eokx#P0$XnimHKtE|Kf0qqB6XO3X=Ql+EL?(h0_7 zZqapBWZf?_J^eb1;!~41tkUXOjRtllT9$>qWv|(RXS}>sRpbi?5Uusy8M@c zCwF{NfeOkqC6%?%5kF_daL(iANBpC#b!eoQQGjQF+N584%zPVQ@s@4MWfA&JE1>Fm zVSj`XFClWC!d$3_(N+T+%ag@LXqm{%vNPXc{H3C2FI6r*2`NkN^>lYBdh+D%!NdD| zqiOT?c&WihN``I)TuA3AG%Iq9ws34SIj=%9lqG5Y=FlO%nwE6S&WT=F-sm>=UQlX$-(=dSs8OCzpBwH8 zMQuh;TsRB)|Kp}mOTS5$9JQCQ4ueg2888l}8( z4X$nq+aZ@7WcFlY3{)6X+j{!Kt0L^{%}jFA6Q=5w7>6we5hBK@N|7nXxOZ#2`Czf^ z1YU}mLtZ@|yH6ZaiR!NA=T~Cr)`9v5oxL(Nv2+$c2Aq_m`X7krRDabj5*E^st50Qn6ih-G0 z#;9IvnbKPKsaVFVPsEF(f0E4Hz@;+J&VSG4Gdy5S&`A|#N+Z9LJ~-v^iDD08e#AU_ zG*nWMmazO*n5jf(!rUk6IPF^2;`_ZB;yc4T=U%1TqV?dUzydD&T?5t0SQaRYbukLW zri2cWDA6`ut6a3oz<}^#m5Dn|4z^05-!HAq?C$%9nNFE5;QWclcb@^)oXB;}aRuj@ zB7mKSa~{gi9p5$&n^=%_Kfk{;gpqf4i#U)|7M6n=HC+;)lP)fik#X#Iez8b-uK2|Z z*@qkpw+)-*BZl~7ffFn8w^q+(6*q)goiB!{^L1^H9+x2c&A-j!1dc9W`|LF?-UR(D zN0_FTLbT)FiXuxP;nleNiWy+1bY6}m>lnGgHD~TNU(R$Aha|@_}NW^zI zlV`!UX!(Jsj4UW6LAlp;rB)o6wrXOg$g#LOXVq~L&uSa za;FHAw6<$#KD>ttitwzOv8m}0!`YRGINEp+xU|s6vO1?agnkLxEdQkwBE%iz@|jmQ zLa@wlE!eP$%#Vi?fXIJX1*iZZ05AQ)(tkz*1pbdMSm_xk1i&Vo09gBnMHv6K2zDLY zceOR5^lys*2!I|fEq4VA(*9FGyuLTMeq;0A`jsx7z9$25t2++D3$FasmJi-NkWQpK z_*zPQp*Ar+h&>sDRNdZb7`f|kRw0x<})qfR%f+pyE^1(pg>4JpAlgUEE}F~wh1 zZmNFf7kKobLFIWL2k>pd>t9>%Chk-Ot$Ii5WlxcNXp)N+PLdM7gfz?eoYLwbH6OOj 
z_5x=ynR4D9)m@HHq2D{Ovkr9!uuCK${4Mx`H{*Q~L+)sIq^GhO5FMUrnO`nil(Ug%;!hmu-ucoj5b z048xfKeHQU$2d>LHqo-x!X*KG+wj5Yfq{aZr7TX*YlN=}w;ie=sEp9>!H|z59bXp_ zz?X=HGh)88ioxyj!2yNaS9f=8=t6Ibd6c?(%hxtKcvp1?=dHls+Y~?mVT3(K75bXu$y;$Z=uOvD9)!#hg){_gdMjy>QdB=>aEMF z*|v?931im{`-T))*P@=Off|j3e8sNi03VJQSel&GeztOJBM<*hTRd^1?~yVns-|YC zd(;Y#R}$Dhh6Y&+ZPVBb)!lhD^zeMR7EJ&6j4bB@(yIfq?DK$ye75?&$t$YZ_2E6A z7oONe`=9re?^d8@LnyCl&Zrw^>nw+)Jau^)1KUE*&Jaw6)&o~GT=Y5$u=E>*40D5k` zunt+{F&`$z2o>gOJl8Ss?{TxtN7U+t$pU;^R&m(}*!R#+GRiuiT6leGkCGnav4}6( zfUrItt^sk~jzd4$@~9JqStpUO8dffD8b{zzXJ;IPhC4(i@DlkE<*0$226eQ&zu&d3 zZspbDRj!!XD9c}V*SD(Aw=;L%??ib>fbz2HDmgw`MLR7F^ZCU%gQn@SiX`(|(JiL9 zSSwB%=5+SYBfgd&N*qxhe(eryVT;9S_wKQefSzv7tXB3N6@bQTKee z*R{;cOzgSm-cg*+!MWIG(kd~G-qe+UoIvxbU9=b%68CMdX;48`j&)(<>`qG>4kmeR zWF_jdXZmX2o*75#TumK_T}KNLdxiHeSaF&<+Ul@hT*1Yx%3p+w{kI)ic;)#3JX=R?WQ*)ujGd5}$k;-*u^Wu+yBI18L$>Tf zoT-pwDa(W`A>7XM+kg&tNHd8&t$J?~IIm*O(H&|@p)Cw`I z&(b2v&DrwUI_GR4^7wF&!n58NdC=t+fwV8Ad+g-in#B_}$bn&|mV!vZJjKOL2NUh@ zx6@?lc_Sm-*yVwPJ)MkuaR*10SSiKJOw4Z8d@?=>PD4M6^5iIT1At^gBW&c(*&l_& z=)5aN{*zfQr{@lhRq0QLil?xRK<>bj<)Q~B|r<+dOOeeEHSI!X4!yR|9VEyVe4#Mu&xbJI3F7u zC%=(Z(M_McDsAloD@DqmB;QrAZUbqqIj4#P?WFLQW-H6b@wbZZCy$rkaH%3?6<*>b zrN(UAWqAK&{sMg8eSva*CQ4wn4L|R(ISD+zQwZjhkwLt!kh2q#gNi`Zi4}~K}JsVK@p?wTq~l0t8W1Rl3KMHa@d*jthQf zg9-0a#5(ls>HB*!DU1nYrGeq(Q;0fmbltn~cONFLv*R9E6&+Bzn`4LJ+O;5ubB!xf zueW*MP?&EASjyk5`+vu}+Af?Q7>ql^vdf6-P85?7RQ7T5!PPzQ??W+~yejzb8^lYR z1Ycb(oi0tgVN9&cBbd0_JF;Tbt+kmxl_PK-UH}KVGJU{-n3!DK4BVNw)E{$ztEOt|FW~alo&C8dc-yr4!3|iJst;48bjV22<*O zrv6dr$C<9(h*%2ZT=>OZcm|=QCAuk6nWYy`s;;RCzWZ6Z|8t;-v%Nr2_)HPl-omZa zK}*CP!ZkjkN=wUXHQL!6Dyn`sH>S3NvY)P)mFUMl=AOb0n9SX1_l44wZx)TOa<_>l z=De#mJ6t-&dpm)EZq#t>2%AzkS`FpB;)MRD1lcF|CVtJ6E1=i<8uYEj?Fis_hb2d$ zN!J6|ET*I#UA4TpzfR2ELGGvKId!Nk5j7|yM}r+hQv6DYDQGY&#r|~F;u5@b+#QB{ z+vMbipV-QNoDuppRO%4^QZ$lnGsgWx<~t~+;qI@%c8jR{u|03asn*W>wZWH!v&W5R zEg2I}1uL&LZUdLVeK%8an@Wj^5OefyYJp0CMyvF>Y_w!7IHttCEQa+Qk6q6$3`Wuj 
zwYHRU;&1Qa{9${jB#z2+^dpr|HN$U?mv0tYx$%z$nEq|YlZ3=YO_wYpZWUQcZ8sJSYNd{c>I!AJA((1BjVq*fsi1* z`w}jN#TNK2mVHJ@(xhyga`Ax~sH2}kw4LomleHo*Zw`tzLVM!Tf$vfo;1|ehdQ!yV zLOyU=sy4J2`thNPu<33kjd(DBnEQ}sl-ls1Inh1#npTL<%&d8=T9Jzkf!&}!{%t6q zh<*Prh_I~r`^zfZISj!4j|bKj6}3JoJt^5zlKZ^;#;wSu&%=e9sZs^?1*5&6gqu&Y zKmU6h*9#4#JMmR@?dIp3`gULIW%; zOD_%A`A+DTS(Cr?ZQ3evu;oB!Xu+q(Vc`j<^BZR>H9fb4#E#2^w!O2E?$n$5s_b`P zl9G6+I<3N{WFeg$Lb0M3r+oa8l-1-ARu;x{;(oc^X|Qfhxzsnhga!Bv*+GR}qq&}> zcW2!C#S%6Pmp#-nA^|?jtv}D0+CTO?5VMDRjJ0?D^A1dZ6vpJxj6{i}7He zh4xo?x;ef~e%!H<@T?Z^^f}v_NXF(cSxyXv!m@7WG+LO4tA!wf&)8)7L#?jar<`=u zW!Tb4g_r$Mq|*RsEKfetL#}ni5E`h~2tTV1l^U563RBMYxiQUW@#3SW=r77fbY>v1 zY}H9Vp>xB^_TJN|;rGgs>`2Zwk??l-WsQ~*iq(}|SK0%$n)!;s=8c}nvez=5)+%I! zOyAI9^{s{-#DZV5o@nG^(Oucn0!H*>W3B0wjI`C{aOS3h(U;A+Ru0j9SgVI`elD)d z=q{n|$*0STduy4ITLY78k@eK~CQrK(*`!%+RA#v3x!3D^SOu@CMiNLik2P<*_5#&t z(YL*PdQ>8eAyyhEDczFbS2drGVZr)-+LBtO7rs00&)-wwf}!uV8w~#;S$OwEgpQg< zfqaYxjuft?C^CDAa8=tN#>12%0D+;7buxY3u`-XRsXfw1V|51igcyGwfJhrcm{v{L$uyaR_uf7;8B6-u5OeT zFwJ+-kB*Vz#W*^%;F6 z3jq5KCDKb;S`@E*vHQ#vR!A;`wbAzQ(lR)V_Gt>wOE6Ovt?F%h}`FD~23kTY}{Qv*} literal 0 Hc-jL100001 diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem new file mode 100644 index 0000000000..e6beefcde7 --- /dev/null +++ b/src/tests/dejagnu/pkinit-certs/user.pem 
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk
+Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl
+cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu
+b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa
+MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE
+BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr
+aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0
+ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z
+J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek
+xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz
+yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy
+NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz
+Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ
+FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC
+k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
+dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg
+SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p
+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa
+MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC
+VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl
+ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w
+JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+
+RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep
+vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod
+icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ
+GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5
+Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ=
+-----END CERTIFICATE-----
diff --git a/src/tests/t_authpkinit.py b/src/tests/t_authpkinit.py
new file mode 100644
index 0000000000..41c10f580e
--- /dev/null
+++ b/src/tests/t_authpkinit.py
@@ -0,0 +1,140 @@
+#!/usr/bin/python
+from k5test import *
+
+# Skip this test if pkinit wasn't built.
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+    success('Warning: not testing pkinit because it is not built')
+    exit(0)
+
+# Check if soft-pkcs11.so is available.
+have_soft_pkcs11 = False
+try:
+    import ctypes
+    lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
+    del lib
+    have_soft_pkcs11 = True
+except:
+    have_soft_pkcs11 = False
+
+# Construct a krb5.conf fragment configuring pkinit.
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ca_pem = os.path.join(certs, 'ca.pem')
+kdc_pem = os.path.join(certs, 'kdc.pem')
+user_pem = os.path.join(certs, 'user.pem')
+privkey_pem = os.path.join(certs, 'privkey.pem')
+privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
+user_p12 = os.path.join(certs, 'user.p12')
+user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+pkinit_krb5_conf = {
+    'realms': {'$realm': {
+            'pkinit_anchors': 'FILE:%s' % ca_pem,
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+pkinit_kdc_conf = {
+    'realms': {'$realm': {
+            'default_principal_flags': '+preauth',
+            'pkinit_eku_checking': 'none'}}}
+
+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
+file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
+dir_identity = 'DIR:%s' % path
+dir_enc_identity = 'DIR:%s' % path_enc
+p12_identity = 'PKCS12:%s' % user_p12
+p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+p11_identity = 'PKCS11:soft-pkcs11.so'
+# Set up the DIR: identities. They go away as a side-effect of reinitializing
+# the realm testdir, so we don't have a specific cleanup method.
+def setup_dir_identities(realm):
+    os.mkdir(path)
+    os.mkdir(path_enc)
+    shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
+    shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
+    shutil.copy(user_pem, os.path.join(path, 'user.crt'))
+    shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
+
+# Run the basic test - PKINIT with FILE: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % file_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# Run the basic test - PKINIT with FILE: identity, with a password on the key,
+# supplied by the prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with a password on the key, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with no password on the bundle.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+if have_soft_pkcs11:
+    os.environ['SOFTPKCS11RC'] = os.path.join(os.getcwd(), 'testdir',
+                                              'soft-pkcs11.rc')
+
+    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+    realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                    get_creds=False)
+    conf = open(os.environ['SOFTPKCS11RC'], 'w')
+    conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+                                     privkey_enc_pem))
+    conf.close()
+    realm.kinit('user@%s' % realm.realm,
+                flags=['-X', 'X509_user_identity=%s' % p11_identity],
+                password='encrypted')
+    realm.klist('user@%s' % realm.realm)
+    realm.run([kvno, realm.host_princ])
+    realm.stop()
+else:
+    output('soft-pkcs11.so not found: '
+           'skipping tests with PKCS11 identities\n')
+
+success('Authenticated PKINIT')
-- 
2.47.3
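Review bot: The "DIR: identity, with no password" case never exercises a DIR: identity: after `setup_dir_identities(realm)` the kinit under the comment `# PKINIT with DIR: identity, with no password on the key.` passes `X509_user_identity=%s' % p12_identity`, so it silently repeats the PKCS12 test while `dir_identity` is defined and never used; the flag should read `flags=['-X', 'X509_user_identity=%s' % dir_identity])`, which matches the enc variant's use of `dir_enc_identity` below it. The soft-pkcs11 probe uses a bare `except:`, which also swallows SystemExit and KeyboardInterrupt; `except (ImportError, OSError):` covers the two failures it is meant to detect (ctypes unavailable, library not loadable) without hiding anything else. The `realm` parameter of `setup_dir_identities` is unused, and the `SOFTPKCS11RC` write would be tidier and leak-free as `with open(os.environ['SOFTPKCS11RC'], 'w') as conf:`.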