author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:47 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:47 +0000 |
commit | f2f4f7c4b42b0eed0f9f81610e7ef4e93f943dfb (patch) | |
tree | 9cca076b3df5ba0f64e1338da8ea5dcbf5fa5713 /debian/tests | |
parent | Adding upstream version 2.9.4. (diff) | |
Adding debian version 2.9.4-1.debian/2.9.4-1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/tests')
-rw-r--r-- | debian/tests/common-tests | 28 | ||||
-rw-r--r-- | debian/tests/control | 37 | ||||
-rwxr-xr-x | debian/tests/ldap-user-group-krb5-auth | 35 | ||||
-rwxr-xr-x | debian/tests/ldap-user-group-ldap-auth | 29 | ||||
-rwxr-xr-x | debian/tests/login.exp | 74 | ||||
-rw-r--r-- | debian/tests/sssd-smart-card-pam-auth-configs-tester.sh | 247 | ||||
-rw-r--r-- | debian/tests/sssd-softhism2-certificates-tests.sh | 902 | ||||
-rw-r--r-- | debian/tests/util | 264 |
8 files changed, 1616 insertions, 0 deletions
diff --git a/debian/tests/common-tests b/debian/tests/common-tests
new file mode 100644
index 0000000..1bb8e1a
--- /dev/null
+++ b/debian/tests/common-tests
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+run_common_tests() {
+ echo "Assert local user databases do not have our LDAP test data"
+ check_local_user "${ldap_user}"
+ check_local_group "${ldap_user}"
+ check_local_group "${ldap_group}"
+
+ echo "The LDAP user is known to the system via getent"
+ check_getent_user "${ldap_user}"
+
+ echo "The LDAP user's private group is known to the system via getent"
+ check_getent_group "${ldap_user}"
+
+ echo "The LDAP group ${ldap_group} is known to the system via getent"
+ check_getent_group "${ldap_group}"
+
+ echo "The id(1) command can resolve the group membership of the LDAP user"
+ #$ id -Gn testuser1
+ #testuser1 ldapusers
+ output=$(id -Gn ${ldap_user})
+ # XXX couldn't find a better way to make this comparison using just /bin/sh
+ if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
+ if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
+ die "Output doesn't match expected group membership: ${output}"
+ fi
+ fi
+}
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..0d94a73
--- /dev/null
+++ b/debian/tests/control
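Review bot: `output=$(id -Gn ${ldap_user})` is the one place in run_common_tests where the user name is expanded unquoted and without `--`, while every other call quotes `"${ldap_user}"`; `output=$(id -Gn -- "${ldap_user}")` keeps it consistent and safe under /bin/sh. The nested `if` pair only exists to accept the two orderings `id -Gn` may print, which a single `case "${output}" in "${ldap_user} ${ldap_group}"|"${ldap_group} ${ldap_user}") ;; *) die "Output doesn't match expected group membership: ${output}" ;; esac` expresses directly in POSIX sh and removes the need for the XXX comment. Either form still fails as soon as the LDAP user belongs to any third group, which is presumably intended as a strict assertion and deserves a one-line comment saying so. `check_local_user`, `check_getent_group` and `die` come from debian/tests/util, outside this hunk.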
@@ -0,0 +1,37 @@
+Tests: ldap-user-group-ldap-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: ldap-user-group-krb5-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: sssd-softhism2-certificates-tests.sh
+Depends: bash,
+ gnutls-bin,
+ openssl,
+ passwd,
+ softhsm2,
+ sssd,
+ util-linux
+Restrictions: needs-root,
+ allow-stderr
+
+Test-Command: env
+ OFFLINE_MODE=1
+ bash debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
+Features: test-name=sssd-smart-card-pam-auth-configs
+Depends: bash,
+ gnutls-bin,
+ libpam-sss,
+ openssl,
+ pamtester,
+ passwd,
+ softhsm2,
+ sssd,
+ util-linux
+Restrictions: breaks-testbed,
+ isolation-container,
+ needs-root,
+ allow-stderr
+
diff --git a/debian/tests/ldap-user-group-krb5-auth b/debian/tests/ldap-user-group-krb5-auth
new file mode 100755
index 0000000..5792279
--- /dev/null
+++ b/debian/tests/ldap-user-group-krb5-auth
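Review bot: The `sssd-softhism2-certificates-tests.sh` stanza declares only `needs-root` and `allow-stderr`, but the script it runs (visible further down in this commit) executes `adduser --quiet --disable-password _sssduser` whenever AUTOPKGTEST_NORMAL_USER is unset, which leaves a new account on the testbed; the smart-card stanza that does the same thing correctly carries `breaks-testbed`. autopkgtest normally supplies AUTOPKGTEST_NORMAL_USER, so the branch may rarely fire, but the restriction should reflect the worst case: `Restrictions: needs-root,` / ` breaks-testbed,` / ` allow-stderr`. A short comment above the stanza noting why `isolation-container` is not required here (no PAM stack or service restart, unlike the tester below) would also help the next maintainer, if that is indeed the reasoning.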
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+myrealm="EXAMPLE.COM"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+kerberos_principal_pw="testuser1kerberos"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+create_realm "${myrealm}" "${myhostname}"
+create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
+configure_sssd_ldap_rfc2307_krb5_auth
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+# login works with the kerberos password
+echo "The Kerberos principal can login on a terminal"
+kdestroy > /dev/null 2>&1 || /bin/true
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
diff --git a/debian/tests/ldap-user-group-ldap-auth b/debian/tests/ldap-user-group-ldap-auth
new file mode 100755
index 0000000..c25cff0
--- /dev/null
+++ b/debian/tests/ldap-user-group-ldap-auth
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+configure_sssd_ldap_rfc2307
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+echo "The LDAP user can login on a terminal"
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
diff --git a/debian/tests/login.exp b/debian/tests/login.exp
new file mode 100755
index 0000000..63c25ab
--- /dev/null
+++ b/debian/tests/login.exp
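Review bot: Both ldap-user-group-krb5-auth and ldap-user-group-ldap-auth run under `set -ex` and then pass `admin_pw`, `ldap_user_pw` and `kerberos_principal_pw` to helpers and to `expect` on the command line, so every fixture secret is written to the trace and is visible in argv; that is acceptable for throwaway values inside an isolated container, but the scripts should say so where the values are defined, e.g. `# Fixture credentials only: traced by set -x and visible in argv, never reuse for real secrets`. The two scripts also source `debian/tests/util` and `debian/tests/common-tests` by a path relative to the package root, which autopkgtest guarantees but nothing in the file states; a comment such as `# run from the unpacked source tree root (autopkgtest cwd)` next to the `.` lines would make the assumption explicit. In the krb5 script `kdestroy > /dev/null 2>&1 || /bin/true` can use the builtin `|| :` (or `|| true`) rather than forking `/bin/true`. The helper functions called here (`adjust_hostname`, `reconfigure_slapd`, `configure_sssd_ldap_rfc2307*`, …) live in util, outside this hunk.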
@@ -0,0 +1,74 @@
+#!/usr/bin/expect
+
+set timeout 10
+set user [lindex $argv 0]
+set password [lindex $argv 1]
+set principal [lindex $argv 2]
+
+set distribution [exec "lsb_release" "-is"]
+
+if { $distribution == "Ubuntu" } {
+ set welcome "Welcome to"
+} elseif { $distribution == "Debian" } {
+ set welcome "Debian GNU/Linux comes"
+} else {
+ puts "Unsupported linux distribution $distribution"
+ exit 1
+}
+
+spawn login
+expect "login:"
+send "$user\r"
+expect "Password:"
+send "$password\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout after password\r\r"
+ exit 1
+ }
+ "Login incorrect"
+ {
+ puts "Expect error: incorrect credentials\r\r"
+ exit 1
+ }
+ "$welcome"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+send "id -un\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for 'id' result\r\r"
+ exit 1
+ }
+ "$user"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+if { $principal != "" } {
+ send "klist\r"
+ expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for klist output\r\r"
+ exit 1
+ }
+ "Default principal: $principal"
+ }
+}
+send "logout\r"
+exit 0
diff --git a/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh b/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
new file mode 100644
index 0000000..df63833
--- /dev/null
+++ b/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
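Review bot: None of the `expect { ... }` blocks has an `eof` arm, so if the spawned `login` exits early (account disabled, missing shell, PAM killing the session) the script waits the full 10 s timeout and then reports a misleading "timeout" message rather than the real cause; add `eof { puts "Expect error: unexpected EOF\r\r"; exit 1 }` beside `timeout` in each block. The `"$user"` pattern after `send "id -un\r"` will also be satisfied by a prompt that embeds the user name (a bash-style PS1) before `id` has printed anything, so it may not actually verify the `id -un` result — anchoring on the newline-delimited output, e.g. `-re "\r?\n$user\r?\n"`, would make the check meaningful, if the prompts used in these containers allow it. The `exec "lsb_release" "-is"` call raises a Tcl error rather than a readable message when lsb_release is absent; a `catch` around it with the same "Unsupported" exit path would keep failures uniform.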
@@ -0,0 +1,247 @@
+#!/usr/bin/env bash
+# Copyright 2023 - Marco Trevisan
+# Released under the GPLv3 terms
+#
+# A simple tool to simulate PAM authentication using SSSD smartcard settings.
+#
+# To be used with softhsm2 smart cards generators from
+# https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
+#
+# Origin: https://gist.github.com/3v1n0/d7bc0f10cf44a11288648ae9d228430d
+
+set -xe
+
+if [ -z "${AUTOPKGTEST_NORMAL_USER}" ]; then
+ adduser --quiet --disable-password _sssduser
+ AUTOPKGTEST_NORMAL_USER="_sssduser"
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+required_tools=(
+ pamtester # debian package: pamtester
+ softhsm2-util # debian package: softhsm2
+ sssd # debian package: sssd
+)
+
+if [[ ! -v OFFLINE_MODE ]]; then
+ required_tools+=(
+ wget # debian package: wget
+ )
+fi
+
+for cmd in "${required_tools[@]}"; do
+ if ! command -v "$cmd" > /dev/null; then
+ echo "Tool $cmd missing"
+ exit 1
+ fi
+done
+
+PIN=${PIN:-123456}
+tmpdir=${TEST_TMPDIR:-$(mktemp -d -t "sssd-softhsm2-certs-XXXXXX")}
+backupsdir=
+
+alternative_pam_configs=(
+ sss-smart-card-optional
+ sss-smart-card-required
+)
+
+declare -a restore_paths
+declare -a delete_paths
+
+function restore_changes() {
+ for path in "${restore_paths[@]}"; do
+ local original_path
+ original_path="/$(realpath --strip --relative-base="$backupsdir" "$path")"
+ rm "$original_path" && mv "$path" "$original_path" || true
+ done
+
+ for path in "${delete_paths[@]}"; do
+ rm -f "$path"
+ #find "$(dirname "$path")" -empty -delete || true
+ done
+
+ pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2
+
+ if [ -e /etc/sssd/sssd.conf ]; then
+ chmod 600 /etc/sssd/sssd.conf || return 1
+ systemctl restart sssd || true
+ else
+ systemctl stop sssd || true
+ fi
+
+ if [ -e /etc/softhsm/softhsm2.conf ]; then
+ chmod 600 /etc/softhsm/softhsm2.conf || return 1
+ fi
+
+ rm -rf "$tmpdir"
+}
+
+function backup_file() {
+ if [ -z "$backupsdir" ]; then
+ backupsdir=$(mktemp -d -t "sssd-softhsm2-backups-XXXXXX")
+ fi
+
+ if [ -e "$1" ]; then
+ local back_dir="$backupsdir/$(dirname "$1")"
+ local back_path="$back_dir/$(basename "$1")"
+ [ ! -e "$back_path" ] || return 1
+
+ mkdir -p "$back_dir" || return 1
+ cp -a "$1" "$back_path" || return 1
+
+ restore_paths+=("$back_path")
+ else
+ delete_paths+=("$1")
+ fi
+}
+
+function handle_exit() {
+ exit_code=$?
+
+ restore_changes || return 1
+
+ if [ $exit_code = 0 ]; then
+ rm -rf "$backupsdir"
+ set +x
+ echo "Script completed successfully!"
+ else
+ set +x
+ echo "Script failed, check the log!"
+ echo " Backup preserved at $backupsdir"
+ echo " PAM Log: /var/log/auth.log"
+ echo " SSSD PAM Log: /var/log/sssd/sssd_pam.log"
+ echo " SSSD p11_child Log: /var/log/sssd/p11_child.log"
+ fi
+}
+
+trap 'handle_exit' EXIT
+
+tester="$(dirname "$0")"/sssd-softhism2-certificates-tests.sh
+if [ ! -e "$tester" ] && [[ ! -v OFFLINE_MODE ]]; then
+ echo "Required $tester missing, we're downloading it..."
+ tester="$tmpdir/sssd-softhism2-certificates-tests.sh"
+ wget -q -c https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh \
+ -O "$tester"
+ [ -e "$tester" ] || exit 1
+elif [ ! -e "$tester" ] && [[ -v OFFLINE_MODE ]]; then
+ echo "Required $tester missing"
+ exit 1
+fi
+
+export PIN TEST_TMPDIR="$tmpdir" GENERATE_SMART_CARDS=1 KEEP_TEMPORARY_FILES=1 NO_SSSD_TESTS=1
+bash "$tester"
+
+find "$tmpdir" -type d -exec chmod 777 {} \;
+find "$tmpdir" -type f -exec chmod 666 {} \;
+
+backup_file /etc/sssd/sssd.conf
+rm -f /etc/sssd/sssd.conf
+
+user_home="$(runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- sh -c 'echo ~')"
+mkdir -p "$user_home"
+chown "${AUTOPKGTEST_NORMAL_USER}:${AUTOPKGTEST_NORMAL_USER}" "$user_home"
+
+user_config="$(runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- sh -c 'echo ${XDG_CONFIG_HOME:-~/.config}')"
+system_config="/etc"
+
+softhsm2_conf_paths=(
+ "${AUTOPKGTEST_NORMAL_USER}:$user_config/softhsm2/softhsm2.conf"
+ "root:$system_config/softhsm/softhsm2.conf"
+)
+
+for path_pair in "${softhsm2_conf_paths[@]}"; do
+ IFS=":" read -r -a path <<< "${path_pair}"
+ path="${path[1]}"
+ backup_file "$path"
+ rm -f "$path"
+done
+
+function test_authentication() {
+ pam_service="$1"
+ certificate_config="$2"
+ ca_db="$3"
+ verification_options="$4"
+
+ mkdir -p -m 700 /etc/sssd
+
+ echo "Using CA DB '$ca_db' with verification options: '$verification_options'"
+
+ cat <<EOF > /etc/sssd/sssd.conf || return 2
+[sssd]
+enable_files_domain = True
+services = pam
+#certificate_verification = $verification_options
+
+[certmap/implicit_files/${AUTOPKGTEST_NORMAL_USER}]
+matchrule = <SUBJECT>.*Test Organization.*
+
+[pam]
+pam_cert_db_path = $ca_db
+pam_cert_verification = $verification_options
+pam_cert_auth = True
+pam_verbosity = 10
+debug_level = 10
+EOF
+
+ chmod 600 /etc/sssd/sssd.conf || return 2
+
+ for path_pair in "${softhsm2_conf_paths[@]}"; do
+ IFS=":" read -r -a path <<< "${path_pair}"
+ user="${path[0]}"
+ path="${path[1]}"
+
+ runuser -u "$user" -- mkdir -p "$(dirname "$path")" || return 2
+ runuser -u "$user" -- ln -sf "$certificate_config" "$path" || return 2
+ runuser -u "$user" -- softhsm2-util --show-slots | grep "Test Organization" \
+ || return 2
+ done
+
+ systemctl restart sssd || return 2
+
+ pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2
+
+ for alternative in "${alternative_pam_configs[@]}"; do
+ pam-auth-update --enable "$alternative" || return 2
+ cat /etc/pam.d/common-auth
+
+ echo -n -e "$PIN" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \
+ pamtester -v "$pam_service" "${AUTOPKGTEST_NORMAL_USER}" authenticate || return 2
+ echo -n -e "$PIN" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \
+ pamtester -v "$pam_service" "" authenticate || return 2
+
+ if echo -n -e "wrong${PIN}" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \
+ pamtester -v "$pam_service" "${AUTOPKGTEST_NORMAL_USER}" authenticate; then
+ echo "Unexpected pass!"
+ return 2
+ fi
+
+ if echo -n -e "wrong${PIN}" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \
+ pamtester -v "$pam_service" "" authenticate; then
+ echo "Unexpected pass!"
+ return 2
+ fi
+
+ if echo -n -e "$PIN" | pamtester -v "$pam_service" root authenticate; then
+ echo "Unexpected pass!"
+ return 2
+ fi
+ done
+}
+
+test_authentication \
+ login \
+ "$tmpdir/softhsm2-test-root-CA-trusted-certificate-0001.conf" \
+ "$tmpdir/test-full-chain-CA.pem"
+
+test_authentication \
+ login \
+ "$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \
+ "$tmpdir/test-full-chain-CA.pem"
+
+test_authentication \
+ login \
+ "$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \
+ "$tmpdir/test-sub-intermediate-CA.pem" \
+ "partial_chain"
+
diff --git a/debian/tests/sssd-softhism2-certificates-tests.sh b/debian/tests/sssd-softhism2-certificates-tests.sh
new file mode 100644
index 0000000..a067674
--- /dev/null
+++ b/debian/tests/sssd-softhism2-certificates-tests.sh
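Review bot: `find "$tmpdir" -type d -exec chmod 777 {} \;` and the matching `chmod 666` on files make the whole generated tree world-writable — the softhsm2 configs and token stores plus the CA and user key PEMs the helper writes under TEST_TMPDIR — and `/etc/softhsm/softhsm2.conf` is then symlinked into it, so any local account could rewrite the configuration that root's `softhsm2-util` and sssd subsequently read. Besides root the only consumer is `${AUTOPKGTEST_NORMAL_USER}`, so `chown -R "${AUTOPKGTEST_NORMAL_USER}" "$tmpdir"` followed by `chmod -R o-rwx "$tmpdir"` grants what the test needs without opening the tree to everyone (confirm softhsm2 needs no more than owner access to the token directory for the PIN login). The non-offline branch runs `bash "$tester"` on a file fetched from an unpinned `raw/` gist URL with no digest check; the packaged test sets OFFLINE_MODE=1, but that path should pin a gist revision or compare a recorded checksum before executing what it downloaded. `test_authentication` also assigns `pam_service`, `certificate_config`, `ca_db` and `verification_options` without `local`, and `echo -n -e "$PIN"` interprets backslashes in a user-supplied PIN where `printf '%s' "$PIN"` would not.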
@@ -0,0 +1,902 @@ +#!/usr/bin/env bash +# Copyright 2023 - Marco Trevisan +# Released under the GPLv3 terms +# +# A simple tool to generate CA certificates signed by both a root cert authority +# and by an intermediate one, to verify smartcard usage using softhism2. +# Used to verify p11_child usage in SSSD. +set -xe + +if [ -z "${AUTOPKGTEST_NORMAL_USER}" ]; then + adduser --quiet --disable-password _sssduser + AUTOPKGTEST_NORMAL_USER="_sssduser" +fi + +required_tools=( + p11tool # debian package: gnutls-bin + openssl # debian package: openssl + softhsm2-util # debian package: softhsm2 +) + +for cmd in "${required_tools[@]}"; do + if ! command -v "$cmd" > /dev/null; then + echo "Tool $cmd missing" + exit 1 + fi +done + +PIN=${PIN:-053350} +SOFTHSM2_MODULE=${SOFTHSM2_MODULE:-$(realpath "$(find /usr/lib/*softhsm/libsofthsm2.so | head -n 1)")} +SSSD_P11_CHILD=${SSSD_P11_CHILD:-/usr/libexec/sssd/p11_child} +TOKEN_ID=${TOKEN_ID:-00112233445566778899FFAABBCCDDEEFF012345} + +if [ ! -v NO_SSSD_TESTS ]; then + if [ ! -x "$SSSD_P11_CHILD" ]; then + if [ ! -e "$SSSD_P11_CHILD" ]; then + echo "Cannot find $SSSD_P11_CHILD" + else + echo "Cannot execute $SSSD_P11_CHILD, try using sudo..." + fi + exit 1 + else + ca_db_arg="ca_db" + p11_child_help=$("$SSSD_P11_CHILD" --help &>/dev/stdout) + if echo "$p11_child_help" | grep nssdb -qs; then + ca_db_arg=nssdb + fi + + echo "$p11_child_help" | grep -qs -- "--${ca_db_arg}" + fi +fi + +if [ ! -e "$SOFTHSM2_MODULE" ]; then + echo "Cannot find softhsm2-module at $SOFTHSM2_MODULE" + exit 1 +fi + +tmpdir=${TEST_TMPDIR:-$(mktemp -d -t "sssd-softhsm2-XXXXXX")} +keys_size=1024 + +if [[ ! -v KEEP_TEMPORARY_FILES ]]; then + trap 'rm -rf "$tmpdir"' EXIT +fi +trap 'set +x; echo -e "\nUnexpected failure!!!"' ERR + +echo -n 01 > "$tmpdir/serial" +touch "$tmpdir/index.txt" +mkdir -p "$tmpdir/new_certs" + +function expect_fail() { + local cmd="$1" + shift + + if "$cmd" "$@"; then + echo "Unexpected failure!" 
+ exit 1 + fi +} + + +## Root CA certificate generation + +cat <<EOF > "$tmpdir/test-root-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate = \$dir/test-root-CA.pem +serial = \$dir/serial +private_key = \$dir/test-root-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Root CA +EOF + +root_ca_key_pass="pass:random-root-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-root-CA-key.pem" \ + -passout "$root_ca_key_pass" \ + "$keys_size" + +openssl req -passin "$root_ca_key_pass" \ + -batch -config "$tmpdir/test-root-CA.config" -x509 -new -nodes \ + -key "$tmpdir/test-root-CA-key.pem" -sha256 -days 1024 -set_serial 0 \ + -extensions v3_ca -out "$tmpdir/test-root-CA.pem" + +openssl x509 -noout -in "$tmpdir/test-root-CA.pem" + + +## Intermediate CA certificate generation + +cat <<EOF > "$tmpdir/test-intermediate-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate 
= \$dir/test-intermediate-CA.pem +serial = \$dir/serial +private_key = \$dir/test-intermediate-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Intermediate CA +EOF + +intermediate_ca_key_pass="pass:random-intermediate-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-intermediate-CA-key.pem" \ + -passout "$intermediate_ca_key_pass" \ + "$keys_size" + +openssl req \ + -batch -new -nodes \ + -passin "$intermediate_ca_key_pass" \ + -config "$tmpdir/test-intermediate-CA.config" \ + -key "$tmpdir/test-intermediate-CA-key.pem" \ + -passout "$root_ca_key_pass" \ + -sha256 \ + -extensions v3_ca \ + -out "$tmpdir/test-intermediate-CA-certificate-request.pem" + +openssl req -text -noout -in "$tmpdir/test-intermediate-CA-certificate-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-root-CA.config" \ + -passin "$root_ca_key_pass"\ + -keyfile "$tmpdir/test-root-CA-key.pem" \ + -in "$tmpdir/test-intermediate-CA-certificate-request.pem" \ + -days 365 -extensions v3_intermediate_ca -out "$tmpdir/test-intermediate-CA.pem" + +openssl x509 -noout -in 
"$tmpdir/test-intermediate-CA.pem" +openssl verify -CAfile "$tmpdir/test-root-CA.pem" "$tmpdir/test-intermediate-CA.pem" + + +## Sub-Intermediate CA certificate generation + +cat <<EOF > "$tmpdir/test-sub-intermediate-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate = \$dir/test-sub-intermediate-CA.pem +serial = \$dir/serial +private_key = \$dir/test-sub-intermediate-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Sub Intermediate CA +EOF + +sub_intermediate_ca_key_pass="pass:random-sub-intermediate-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -passout "$sub_intermediate_ca_key_pass" \ + "$keys_size" + +openssl req \ + -batch -new -nodes \ + -passin "$sub_intermediate_ca_key_pass" \ + -config "$tmpdir/test-sub-intermediate-CA.config" \ + -key "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -passout "$intermediate_ca_key_pass" \ + -sha256 \ + -extensions v3_ca \ + -out 
"$tmpdir/test-sub-intermediate-CA-certificate-request.pem" + +openssl req -text -noout -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-intermediate-CA.config" \ + -passin "$intermediate_ca_key_pass"\ + -keyfile "$tmpdir/test-intermediate-CA-key.pem" \ + -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem" \ + -days 365 -extensions v3_intermediate_ca -out "$tmpdir/test-sub-intermediate-CA.pem" + +openssl x509 -noout -in "$tmpdir/test-sub-intermediate-CA.pem" +openssl verify \ + -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" "$tmpdir/test-sub-intermediate-CA.pem" + +expect_fail\ + openssl verify \ + -CAfile "$tmpdir/test-root-CA.pem" "$tmpdir/test-sub-intermediate-CA.pem" + + +## Root CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-root-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Root Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Root CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +root_ca_trusted_cert_0001_key_pass="pass:random-root-ca-trusted-cert-0001-${RANDOM}" +openssl genrsa -aes256 \ + -out "$tmpdir/test-root-CA-trusted-certificate-0001-key.pem" \ + -passout "$root_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$root_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-root-CA-trusted-certificate-0001-key.pem" \ + -config "$tmpdir/test-root-CA-trusted-certificate-0001.config" \ + -out 
"$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-root-CA.config" \ + -passin "$root_ca_key_pass" \ + -keyfile "$tmpdir/test-root-CA-key.pem" \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +openssl verify -CAfile \ + "$tmpdir/test-root-CA.pem" \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify -CAfile \ + "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + + +## Intermediate CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-intermediate-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Intermediate Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Intermediate CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +intermediate_ca_trusted_cert_0001_key_pass="pass:random-intermediate-ca-trusted-cert-0001-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001-key.pem" \ + -passout "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$intermediate_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-intermediate-CA-trusted-certificate-0001-key.pem" \ + -config 
"$tmpdir/test-intermediate-CA-trusted-certificate-0001.config" \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -passin "$intermediate_ca_key_pass" \ + -config "$tmpdir/test-intermediate-CA.config" -batch -notext \ + -keyfile "$tmpdir/test-intermediate-CA-key.pem" \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +echo "This certificate should not be trusted fully" +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +openssl verify -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + + +## Sub Intermediate CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Sub Intermediate Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Sub Intermediate CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +sub_intermediate_ca_trusted_cert_0001_key_pass="pass:random-sub-intermediate-ca-trusted-cert-0001-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-key.pem" \ + -passout 
"$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-key.pem" \ + -config "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.config" \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -passin "$sub_intermediate_ca_key_pass" \ + -config "$tmpdir/test-sub-intermediate-CA.config" -batch -notext \ + -keyfile "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +echo "This certificate should not be trusted fully" +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-sub-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +openssl verify -partial_chain \ + -CAfile "$tmpdir/test-sub-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + + +## Full chain verification tests + +echo "Building a the full-chain CA file..." 
+cat \
+ "$tmpdir/test-root-CA.pem" \
+ "$tmpdir/test-intermediate-CA.pem" \
+ "$tmpdir/test-sub-intermediate-CA.pem" \
+ > "$tmpdir/test-full-chain-CA.pem"
+
+cat \
+ "$tmpdir/test-root-CA.pem" \
+ "$tmpdir/test-intermediate-CA.pem" \
+ > "$tmpdir/test-root-intermediate-chain-CA.pem"
+
+cat \
+ "$tmpdir/test-intermediate-CA.pem" \
+ "$tmpdir/test-sub-intermediate-CA.pem" \
+ > "$tmpdir/test-intermediate-sub-chain-CA.pem"
+
+openssl crl2pkcs7 \
+ -nocrl -certfile "$tmpdir/test-full-chain-CA.pem" \
+ | openssl pkcs7 -print_certs -noout
+
+openssl verify \
+ -CAfile "$tmpdir/test-full-chain-CA.pem" \
+ "$tmpdir/test-intermediate-CA.pem"
+
+openssl verify \
+ -CAfile "$tmpdir/test-full-chain-CA.pem" \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem"
+
+openssl verify \
+ -CAfile "$tmpdir/test-full-chain-CA.pem" \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem"
+
+openssl verify \
+ -CAfile "$tmpdir/test-full-chain-CA.pem" \
+ "$tmpdir/test-root-intermediate-chain-CA.pem"
+
+openssl verify \
+ -CAfile "$tmpdir/test-full-chain-CA.pem" \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem"
+
+echo "Certificates generation completed!"
+
+function prepare_softhsm2_card() {
+ local certificate="$1"
+ local key_pass="$2"
+
+ local key_cn
+ local key_name
+ local tokens_dir
+ local output_cert_file
+
+ token_name=
+ key_name="$(basename "$certificate" .pem)"
+ key_cn="$(openssl x509 -noout -subject -nameopt multiline -in "$certificate" \
+ | sed -n 's/ *commonName *= //p')"
+
+ if [ -v SOFTHSM2_ISOLATED_CONFIGS ]; then
+ key_name+="-${RANDOM}"
+ fi
+
+ export SOFTHSM2_CONF="$tmpdir/softhsm2-${key_name}.conf"
+
+ tokens_dir="$tmpdir/$(basename "$SOFTHSM2_CONF" .conf)"
+ token_name="${key_cn:0:25} Token"
+
+ if [ ! -e "$SOFTHSM2_CONF" ] || [ ! -d "$tokens_dir" ]; then
+ local key_file
+ local decrypted_key
+
+ mkdir -p "$tokens_dir"
+
+ key_file="$tmpdir/${key_name}-key.pem"
+ decrypted_key="$tmpdir/${key_name}-key-decrypted.pem"
+
+ cat <<EOF > "$SOFTHSM2_CONF"
+directories.tokendir = $tokens_dir
+objectstore.backend = file
+slots.removable = true
+EOF
+
+ softhsm2-util --init-token \
+ --label "$token_name" \
+ --pin "$PIN" --so-pin "$PIN" --free || return 2
+
+ softhsm2-util --show-slots || return 2
+
+ p11tool \
+ --provider="$SOFTHSM2_MODULE" \
+ --write \
+ --no-mark-private \
+ --load-certificate="$certificate" \
+ --login --set-pin="$PIN" \
+ --label "$key_cn" \
+ --id "$TOKEN_ID" || return 2
+
+ openssl rsa \
+ -passin "$key_pass" \
+ -in "$key_file" \
+ -out "$decrypted_key" || return 2
+
+ p11tool \
+ --provider="$SOFTHSM2_MODULE" \
+ --write \
+ --load-privkey="$decrypted_key" \
+ --login --set-pin="$PIN" \
+ --label "$key_cn Key" \
+ --id "$TOKEN_ID" || return 2
+
+ rm "$decrypted_key"
+
+ p11tool \
+ --provider="$SOFTHSM2_MODULE" \
+ --list-all || return 2
+ fi
+
+ echo "$token_name"
+}
+
+function check_certificate() {
+ local certificate="$1"
+ local key_pass="$2"
+ local key_ring="$3"
+ local verify_option="$4"
+
+ prepare_softhsm2_card "$certificate" "$key_pass" || return 2
+
+ if [ -n "$verify_option" ]; then
+ local verify_arg="--verify=$verify_option"
+ fi
+
+ local output_base_name="SSSD-child-${RANDOM}"
+ local output_file="$tmpdir/$output_base_name.output"
+ output_cert_file="$tmpdir/$output_base_name.pem"
+
+ "$SSSD_P11_CHILD" \
+ --pre -d 10 \
+ --logger=stderr \
+ --debug-fd=2 \
+ --module_name="$SOFTHSM2_MODULE" \
+ "$verify_arg" \
+ --${ca_db_arg}="$key_ring" > "$output_file" || return 2
+
+ grep -qs "$TOKEN_ID" "$output_file" || return 2
+
+ echo "-----BEGIN CERTIFICATE-----" > "$output_cert_file"
+ tail -n1 "$output_file" >> "$output_cert_file"
+ echo "-----END CERTIFICATE-----" >> "$output_cert_file"
+
+ openssl x509 -text -noout -in "$output_cert_file" || return 2
+
+ local found_md5 expected_md5
+ expected_md5=$(openssl x509 -noout -modulus -in "$certificate")
+ found_md5=$(openssl x509 -noout -modulus -in "$output_cert_file")
+
+ if [ "$expected_md5" != "$found_md5" ]; then
+ echo "Unexpected certificate found: $found_md5"
+ return 3
+ fi
+
+ # Try to authorize now!
+
+ output_file="$tmpdir/${output_base_name}-auth.output"
+ output_cert_file="$tmpdir/$(basename "$output_file" .output).pem"
+
+ echo -n "$PIN" | "$SSSD_P11_CHILD" \
+ --auth -d 10 --debug-fd=2 \
+ --${ca_db_arg}="$key_ring" \
+ --pin \
+ --key_id "$TOKEN_ID" \
+ "$verify_arg" \
+ --token_name "$token_name" \
+ --module_name "$SOFTHSM2_MODULE" > "$output_file" || return 2
+
+ grep -qs "$TOKEN_ID" "$output_file" || return 2
+
+ echo "-----BEGIN CERTIFICATE-----" > "$output_cert_file"
+ tail -n1 "$output_file" >> "$output_cert_file"
+ echo "-----END CERTIFICATE-----" >> "$output_cert_file"
+
+ openssl x509 -text -noout -in "$output_cert_file" || return 2
+
+ found_md5=$(openssl x509 -noout -modulus -in "$output_cert_file")
+
+ if [ "$expected_md5" != "$found_md5" ]; then
+ echo "Unexpected certificate found: $found_md5"
+ return 3
+ fi
+}
+
+function valid_certificate() {
+ if ! check_certificate "$@"; then
+ echo "Unexpected failure!"
+ exit 2
+ fi
+}
+
+
+function invalid_certificate() {
+ if check_certificate "$@"; then
+ echo "Unexpected pass!"
+ exit 2
+ fi
+}
+
+if [[ -v NO_SSSD_TESTS ]]; then
+ if [[ -v GENERATE_SMART_CARDS ]]; then
+ prepare_softhsm2_card \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass"
+
+ prepare_softhsm2_card \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass"
+
+ prepare_softhsm2_card \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass"
+ fi
+
+ echo "Certificates generation completed!"
+ exit 0
+fi
+
+## Checking that Root CA Trusted certificate is accepted
+
+invalid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ /dev/null
+
+valid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ /dev/null \
+ "no_verification"
+
+valid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem"
+
+valid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem" \
+ "partial_chain"
+
+valid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem"
+
+valid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem" \
+ "partial_chain"
+
+invalid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-intermediate-CA.pem"
+
+invalid_certificate \
+ "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \
+ "$root_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-intermediate-CA.pem" \
+ "partial_chain"
+
+
+## Checking that Intermediate CA Trusted certificate is accepted
+
+invalid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ /dev/null
+
+valid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ /dev/null \
+ "no_verification"
+
+invalid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem"
+
+invalid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem" \
+ "partial_chain"
+
+valid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem"
+
+valid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem" \
+ "partial_chain"
+
+invalid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-intermediate-CA.pem"
+
+valid_certificate \
+ "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \
+ "$intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-intermediate-CA.pem" \
+ "partial_chain"
+
+
+## Checking that Sub Intermediate CA Trusted certificate is accepted
+
+invalid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem"
+
+invalid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-CA.pem" \
+ "partial_chain"
+
+valid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem"
+
+valid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-full-chain-CA.pem" \
+ "partial_chain"
+
+invalid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-sub-intermediate-CA.pem"
+
+invalid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-root-intermediate-chain-CA.pem" \
+ "partial_chain"
+
+valid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-sub-intermediate-CA.pem" \
+ "partial_chain"
+
+valid_certificate \
+ "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \
+ "$sub_intermediate_ca_trusted_cert_0001_key_pass" \
+ "$tmpdir/test-intermediate-sub-chain-CA.pem" \
+ "partial_chain"
+
+set +x
+
+echo
+echo "Test completed, Root CA and intermediate issued certificates verified!"
diff --git a/debian/tests/util b/debian/tests/util
new file mode 100644
index 0000000..3d72970
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,264 @@
+#!/bin/sh
+
+reconfigure_slapd() {
+ debconf-set-selections << EOF
+slapd slapd/domain string ${mydomain}
+slapd shared/organization string ${mydomain}
+slapd slapd/password1 password ${admin_pw}
+slapd slapd/password2 password ${admin_pw}
+EOF
+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
+ dpkg-reconfigure -fnoninteractive -pcritical slapd
+}
+
+die() {
+ echo "ERROR"
+ echo "$@"
+ exit 1
+}
+
+enable_pam_mkhomedir() {
+ if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
+ echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
+ fi
+}
+
+adjust_hostname() {
+ local myhostname="$1"
+
+ echo "${myhostname}" > /etc/hostname
+ hostname "${myhostname}"
+ if ! grep -qE "${myhostname}" /etc/hosts; then
+ # just so it's resolvable
+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+ fi
+}
+
+generate_certs() {
+ local cn="$1"
+ local cert="/etc/ldap/server.pem"
+ local key="/etc/ldap/server.key"
+ local cnf="/etc/ldap/openssl.cnf"
+
+ cat > "$cnf" <<EOF
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+policy = policy_anything
+
+[ req_distinguished_name ]
+commonName = ${cn}
+EOF
+ openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
+ chmod 0640 "$key"
+ chgrp openldap "$key"
+ if [ ! -f "$cert" ]; then
+ echo "ERROR, failed to generate certificate for ldap test"
+ exit 1
+ fi
+ if [ ! -f "$key" ]; then
+ echo "ERROR, failed to generate key for ldap test"
+ exit 1
+ fi
+}
+
+enable_ldap_ssl() {
+ cat > /etc/ldap/ldap.conf <<EOF
+BASE ${mysuffix}
+URI ldap://${myhostname}
+TLS_CACERT /etc/ldap/server.pem
+EOF
+ {
+ cat <<EOF
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/server.key
+EOF
+ } | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
+}
+
+populate_ldap_rfc2307() {
+ {
+ cat <<EOF
+dn: ou=People,${mysuffix}
+ou: People
+objectClass: organizationalUnit
+
+dn: ou=Group,${mysuffix}
+ou: Group
+objectClass: organizationalUnit
+
+dn: uid=${ldap_user},ou=People,${mysuffix}
+uid: ${ldap_user}
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: ${ldap_user}
+sn: ${ldap_user}
+givenName: ${ldap_user}
+mail: ${ldap_user}@${mydomain}
+userPassword: ${ldap_user_pw}
+uidNumber: 10001
+gidNumber: 10001
+loginShell: /bin/bash
+homeDirectory: /home/${ldap_user}
+
+dn: cn=${ldap_user},ou=Group,${mysuffix}
+cn: ${ldap_user}
+objectClass: posixGroup
+gidNumber: 10001
+memberUid: ${ldap_user}
+
+dn: cn=${ldap_group},ou=Group,${mysuffix}
+cn: ${ldap_group}
+objectClass: posixGroup
+gidNumber: 10100
+memberUid: ${ldap_user}
+EOF
+ } | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
+}
+
+configure_sssd_ldap_rfc2307_krb5_auth() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+auth_provider = krb5
+krb5_server = ${myhostname}
+krb5_realm = ${myrealm}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd || {
+ systemctl status --lines 100 sssd
+ false
+ }
+}
+
+configure_sssd_ldap_rfc2307() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd || {
+ systemctl status --lines 100 sssd
+ false
+ }
+}
+
+check_local_user() {
+ local local_user="$1"
+
+ if grep -q "^${local_user}" /etc/passwd; then
+ die "Found ${local_user} in /etc/passwd"
+ fi
+}
+
+check_local_group() {
+ local local_group="$1"
+
+ if grep -q "^${local_group}" /etc/group; then
+ die "Found ${local_group} in /etc/group"
+ fi
+}
+
+check_getent_user() {
+ local getent_user="$1"
+ local output
+
+ output=$(getent passwd ${getent_user})
+ if [ -z "${output}" ]; then
+ die "${getent_user} not found via getent passwd"
+ fi
+}
+
+check_getent_group() {
+ local getent_group="$1"
+ local output
+
+ output=$(getent group ${getent_group})
+ if [ -z "${output}" ]; then
+ die "${getent_group} not found via getent group"
+ fi
+}
+
+create_realm() {
+ local realm_name="$1"
+ local kerberos_server="$2"
+
+ # start fresh
+ rm -rf /var/lib/krb5kdc/*
+ rm -rf /etc/krb5kdc/*
+ rm -f /etc/krb5.keytab
+
+ # setup some defaults
+ cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+ kdc_ports = 750,88
+[realms]
+ ${realm_name} = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
+ default_principal_flags = +preauth
+ }
+EOF
+
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm_name}
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+ fcc-mit-ticketflags = true
+[realms]
+ ${realm_name} = {
+ kdc = ${kerberos_server}
+ admin_server = ${kerberos_server}
+ }
+EOF
+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+ # create the realm
+ kdb5_util create -s -P secretpassword
+
+ # restart services
+ systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+create_krb_principal() {
+ local principal="$1"
+ local password="$2"
+
+ kadmin.local -q "addprinc -pw ${password} ${principal}"
+}
+
|
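Review bot: `create_krb_principal` splices `${password}` into the kadmin `-q` command string, so the secret is visible on argv (`ps`, any `set -x` trace) and a password containing spaces or quotes is re-tokenized by kadmin into different `addprinc` arguments; feeding it through the prompter on stdin avoids both, e.g. `printf '%s\n%s\n' "${password}" "${password}" | kadmin.local -q "addprinc ${principal}"`. The same argv exposure applies to `kdb5_util create -s -P secretpassword` in `create_realm` and to `ldapadd ... -w "${admin_pw}"` in `populate_ldap_rfc2307`, where `-y <passfile>` would keep the bind password off the command line. Separately, the generated kdc.conf sets `master_key_type = des3-hmac-sha1`, a deprecated enctype that recent MIT krb5 releases disable unless `allow_des3` is set, so `kdb5_util create` may start failing after a krb5 upgrade; an AES type such as `aes256-cts-hmac-sha1-96` is the safer choice here (confirm against the krb5 version in the test image). Finally, `check_local_user`/`check_local_group` grep for `^${local_user}` without the `:` field terminator, so `testuser1` also matches a local `testuser10`; `grep -q "^${local_user}:" /etc/passwd` is what the assertion intends.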