diff options
Diffstat (limited to 'third_party/heimdal/tests/kdc/check-pkinit.in')
-rw-r--r-- | third_party/heimdal/tests/kdc/check-pkinit.in | 388 |
1 files changed, 388 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/check-pkinit.in b/third_party/heimdal/tests/kdc/check-pkinit.in new file mode 100644 index 0000000..9f90fd0 --- /dev/null +++ b/third_party/heimdal/tests/kdc/check-pkinit.in @@ -0,0 +1,388 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" + +testfailed="echo test failed; cat messages.log; exit 1" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +kadmin="${kadmin} -l -r $R" +kdc="${kdc} --addresses=localhost -P $port" + +server=host/datan.test.h5l.se +cache="FILE:${objdir}/cache.krb5" +keyfile="${hx509_data}/key.der" +keyfile2="${hx509_data}/key2.der" + +kinit="${kinit} -c $cache ${afs_no_afslog}" +klistjson="${klist} --json -c $cache" +klistplain="${klist} -c $cache" +klist="${klist} --hidden -v -c $cache" +kgetcred="${kgetcred} -c $cache" +kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" +kx509="${kx509} -c $cache" + +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +export KRB5_CONFIG + +rsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + rsa=no +fi + +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +# If we doesn't support pkinit and have RSA, give up +if test "$pkinit" != yes -o "$rsa" != yes ; then + exit 77 +fi + + +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} modify --max-ticket-life=5d krbtgt/${R}@${R} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p baz --use-defaults baz@${R} || exit 1 +${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1 +${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R} || exit 1 +${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1 + +${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +# XXX Do not use committed, in-tree private keys or certificates! +# XXX Add hxtool command to generate a private key w/o generating a CSR +# XXX Use hxtool to generate a fresh private key +# XXX Use hxtool to generate self-signed CA certs +# XXX Use PEM-FILE and store private key and certificate in same file +# XXX Update krb5.conf.in to use ${objdir}-relative keys and certificates + +echo "Setting up certificates" +${hxtool} request-create \ + --subject="CN=kdc,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-kdc.der || exit 1 +${hxtool} request-create \ + --subject="CN=bar,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-pkinit.der || exit 1 +${hxtool} request-create \ + --subject="CN=baz,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-pkinit2.der || exit 1 + +echo "issue self-signed ca cert" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --ca-private-key=FILE:${keyfile} \ + --subject="CN=CA,DC=test,DC=h5l,DC=se" \ + --certificate="FILE:ca.crt" || exit 1 + +echo "issue kdc certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-kdc" \ + --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \ + --req="PKCS10:req-kdc.der" \ + --certificate="FILE:kdc.crt" || exit 1 + +echo "issue user certificate (pkinit san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --pk-init-principal="bar@TEST.H5L.SE" \ + --req="PKCS10:req-pkinit.der" \ + --lifetime=7d \ + --certificate="FILE:pkinit.crt" || exit 1 + +echo "issue user certificate (pkinit san; synthetic principal)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --pk-init-principal="synthetized@TEST.H5L.SE" \ + --req="PKCS10:req-pkinit.der" \ + --lifetime=7d \ + --certificate="FILE:pkinit-synthetic.crt" || exit 1 + +echo "issue user 2 certificate (no san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --req="PKCS10:req-pkinit2.der" \ + --certificate="FILE:pkinit2.crt" || exit 1 + +echo "issue user 3 certificate (ms san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --ms-upn="bar@test.h5l.se" \ + --req="PKCS10:req-pkinit2.der" \ + --certificate="FILE:pkinit3.crt" || exit 1 + +echo "issue user 3 certificate (ms san, baz2)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --ms-upn="baz2\\@test.h5l.se@${R}" \ + --req="PKCS10:req-pkinit2.der" \ + --certificate="FILE:pkinit4.crt" || exit 1 + +echo "issue self-signed kx509 template cert" +${hxtool} issue-certificate \ + --self-signed \ + --ca-private-key=FILE:${keyfile} \ + --subject='CN=${principal-component0},DC=test,DC=h5l,DC=se' \ + --certificate="FILE:kx509-template.crt" || exit 1 + +echo foo > ${objdir}/foopassword + +echo Starting kdc ; > messages.log +KRB5_CONFIG="${objdir}/krb5-pkinit2.conf" +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt; exit 1;' EXIT + +ec=0 + +echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log +base="${objdir}" +${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} +if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then + ${klistjson} | + jq -e '(((.tickets[0].Expires| + strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) | + (floor < 4)' >/dev/null && + { ec=1 ; eval "${testfailed}"; } +fi +${kdestroy} + +echo "Trying pk-init (principal in cert; synthetic)"; > messages.log +base="${objdir}" +${kinit} --lifetime=5d -C FILE:${base}/pkinit-synthetic.crt,${keyfile2} synthetized@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} +${kdestroy} + +echo "Restarting kdc ($kdcpid)" +sh ${leaks_kill} kdc $kdcpid || ec=1 +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +echo "Trying pk-init (principal in cert)"; > messages.log +base="${objdir}" +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} +if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then + ${klistjson} | + jq -e '(((.tickets[0].Expires| + strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) | + (floor > 1)' >/dev/null && + { ec=1 ; eval "${testfailed}"; } +fi +${kdestroy} + +echo "Trying pk-init (principal in cert; longer max_life from cert ext)"; > messages.log +# Re-issue cert with --pkinit-max-life=7d +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --pk-init-principal="bar@TEST.H5L.SE" \ + --req="PKCS10:req-pkinit.der" \ + --lifetime=7d \ + --pkinit-max-life=7d \ + --certificate="FILE:pkinit.crt" || exit 1 +base="${objdir}" +${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} +if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then + ${klistjson} | + jq -e '(((.tickets[0].Expires| + strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) | + (floor < 4)' >/dev/null && + { ec=1 ; eval "${testfailed}"; } +fi + +echo "Check kx509 certificate acquisition" +${kx509} -s || { ec=1 ; eval "${testfailed}"; } +${kx509} -o PEM-FILE:${objdir}/kx509.pem || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Check PKINIT w/ kx509 certificate" +${kinit} -C PEM-FILE:${objdir}/kx509.pem bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Trying pk-init (principal in pki-mapping file) "; > messages.log +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal subject in DB)"; > messages.log +${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (ms upn)"; > messages.log +${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (ms upn, enterprise)"; > messages.log +${kinit} --canonicalize --enterprise \ + -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (ms upn, enterprise, pk-enterprise)"; > messages.log +${kinit} --canonicalize \ + --pk-enterprise \ + -C FILE:${base}/pkinit4.crt,${keyfile2} ${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf" +export KRB5_CONFIG + +echo "Duplicated tests, now in windows 2000 mode" + +echo "Trying pk-init (principal in cert)"; > messages.log +base="${objdir}" +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal in pki-mapping file) "; > messages.log +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal subject in DB)"; > messages.log +${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (ms upn)"; > messages.log +${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +export KRB5_CONFIG + +echo "Trying PKCS11 support" + +cat > test-rc-file.rc <<EOF +certificate cert User certificate FILE:${base}/pkinit.crt,${keyfile2} +app-fatal true +EOF + +SOFTPKCS11RC="test-rc-file.rc" +export SOFTPKCS11RC + +dir=${base}/../../lib/hx509 +file= + +for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do + if [ -f $dir/$a ] ; then + file=$dir/$a + break + fi +done + +if [ X"$file" != X -a @DLOPEN@ ] ; then + + echo "Trying pk-init (principal in pki-mapping file) "; > messages.log + ${kinit} -C PKCS11:${file} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + +fi + + +echo "killing kdc (${kdcpid})" +sh ${leaks_kill} kdc $kdcpid || ec=1 + +trap "" EXIT + +exit $ec |