Add various client-authenticating PKINIT tests

Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes

[ghudson@mit.edu: reformatted to 79 columns; removed intermediate
success() calls]

src/tests/Makefile.in

@@ -82,6 +82,7 @@ check-pytests:: gcred hist kdbtest t_localauth
 	$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_authpkinit.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)

src/tests/dejagnu/pkinit-certs/privkey-enc.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,91CA660D6286E453
+
+DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7
+Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU
+AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX
+z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL
+EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO
+rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH
+8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn
+593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld
+rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd
++n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM
+LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37
+bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644
+RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT
+H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V
+DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi
+Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn
+foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw
+WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV
+xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f
+PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe
+/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU
+Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy
+BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d
+mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE
+UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh
+-----END RSA PRIVATE KEY-----

src/tests/dejagnu/pkinit-certs/user.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk
+Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl
+cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu
+b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa
+MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE
+BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr
+aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0
+ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z
+J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek
+xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz
+yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy
+NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz
+Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ
+FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC
+k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
+dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg
+SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p
+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa
+MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC
+VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl
+ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w
+JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+
+RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep
+vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod
+icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ
+GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5
+Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ=
+-----END CERTIFICATE-----

src/tests/t_authpkinit.py

@@ -0,0 +1,140 @@
+#!/usr/bin/python
+from k5test import *
+
+# Skip this test if pkinit wasn't built.
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+    success('Warning: not testing pkinit because it is not built')
+    exit(0)
+
+# Check if soft-pkcs11.so is available.
+have_soft_pkcs11 = False
+try:
+    import ctypes
+    lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
+    del lib
+    have_soft_pkcs11 = True
+except:
+    have_soft_pkcs11 = False
+
+# Construct a krb5.conf fragment configuring pkinit.
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ca_pem = os.path.join(certs, 'ca.pem')
+kdc_pem = os.path.join(certs, 'kdc.pem')
+user_pem = os.path.join(certs, 'user.pem')
+privkey_pem = os.path.join(certs, 'privkey.pem')
+privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
+user_p12 = os.path.join(certs, 'user.p12')
+user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+pkinit_krb5_conf = {
+    'realms': {'$realm': {
+            'pkinit_anchors': 'FILE:%s' % ca_pem,
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+pkinit_kdc_conf = {
+    'realms': {'$realm': {
+            'default_principal_flags': '+preauth',
+            'pkinit_eku_checking': 'none'}}}
+
+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
+file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
+dir_identity = 'DIR:%s' % path
+dir_enc_identity = 'DIR:%s' % path_enc
+p12_identity = 'PKCS12:%s' % user_p12
+p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+p11_identity = 'PKCS11:soft-pkcs11.so'
+# Set up the DIR: identities.  They go away as a side-effect of reinitializing
+# the realm testdir, so we don't have a specific cleanup method.
+def setup_dir_identities(realm):
+    os.mkdir(path)
+    os.mkdir(path_enc)
+    shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
+    shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
+    shutil.copy(user_pem, os.path.join(path, 'user.crt'))
+    shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
+
+# Run the basic test - PKINIT with FILE: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % file_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# Run the basic test - PKINIT with FILE: identity, with a password on the key,
+# supplied by the prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with a password on the key, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with no password on the bundle.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+            flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
+            password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+if have_soft_pkcs11:
+	os.environ['SOFTPKCS11RC'] = os.path.join(os.getcwd(), 'testdir',
+                                                  'soft-pkcs11.rc')
+
+	# PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+	realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                        get_creds=False)
+	conf = open(os.environ['SOFTPKCS11RC'], 'w')
+	conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+                                         privkey_enc_pem))
+	conf.close()
+	realm.kinit('user@%s' % realm.realm,
+                    flags=['-X', 'X509_user_identity=%s' % p11_identity],
+                    password='encrypted')
+	realm.klist('user@%s' % realm.realm)
+	realm.run([kvno, realm.host_princ])
+	realm.stop()
+else:
+	output('soft-pkcs11.so not found: '
+               'skipping tests with PKCS11 identities\n')
+
+success('Authenticated PKINIT')