Add various client-authenticating PKINIT tests
Add tests for non-anonymous PKINIT: * FILE: with no password * FILE: with a password * DIR: with no password * DIR: with a password * PKCS12: with no password * PKCS12: with a password * PKCS11: with a password, if soft-pkcs11.so is found via ctypes [ghudson@mit.edu: reformatted to 79 columns; removed intermediate success() calls]
1 parent
b5d76a1
commit f42477d
Showing
6 changed files
with
203 additions
and
0 deletions.
@@ -0,0 +1,30 @@ | ||
-----BEGIN RSA PRIVATE KEY----- | ||
Proc-Type: 4,ENCRYPTED | ||
DEK-Info: DES-EDE3-CBC,91CA660D6286E453 | ||
|
||
DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7 | ||
Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU | ||
AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX | ||
z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL | ||
EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO | ||
rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH | ||
8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn | ||
593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld | ||
rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd | ||
+n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM | ||
LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37 | ||
bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644 | ||
RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT | ||
H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V | ||
DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi | ||
Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn | ||
foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw | ||
WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV | ||
xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f | ||
PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe | ||
/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU | ||
Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy | ||
BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d | ||
mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE | ||
UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh | ||
-----END RSA PRIVATE KEY----- |
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,32 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV | ||
BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk | ||
Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl | ||
cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu | ||
b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa | ||
MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE | ||
BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr | ||
aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0 | ||
ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK | ||
AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z | ||
J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek | ||
xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz | ||
yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy | ||
NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz | ||
Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ | ||
FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC | ||
k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl | ||
dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg | ||
SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p | ||
dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa | ||
MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC | ||
VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl | ||
ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w | ||
JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC | ||
MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+ | ||
RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep | ||
vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod | ||
icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ | ||
GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5 | ||
Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ= | ||
-----END CERTIFICATE----- |
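Review bot: The certificate's validity window appears to be fixed in the encoded notBefore/notAfter pair on the sixth body line (the two `Fw0x…`/`Fw0y…` UTCTime fields decode to 2013-01-17 and 2023-12-31 if I read them correctly), so the PKINIT tests that present this client cert will start failing once that date passes unless the fixture is regenerated. Since the cert is committed without its generation recipe, a short README next to the fixtures recording the CA/subject parameters, the expiry, and the command used to regenerate the whole chain would make that failure easy to recover from. The subject fields already carry a "test suite ... do not use" marking, which is the right labelling for a committed test credential.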
@@ -0,0 +1,140 @@ | ||
#!/usr/bin/python | ||
from k5test import * | ||
|
||
# Skip this test if pkinit wasn't built. | ||
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): | ||
success('Warning: not testing pkinit because it is not built') | ||
exit(0) | ||
|
||
# Check if soft-pkcs11.so is available. | ||
have_soft_pkcs11 = False | ||
try: | ||
import ctypes | ||
lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so') | ||
del lib | ||
have_soft_pkcs11 = True | ||
except: | ||
have_soft_pkcs11 = False | ||
|
||
# Construct a krb5.conf fragment configuring pkinit. | ||
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') | ||
ca_pem = os.path.join(certs, 'ca.pem') | ||
kdc_pem = os.path.join(certs, 'kdc.pem') | ||
user_pem = os.path.join(certs, 'user.pem') | ||
privkey_pem = os.path.join(certs, 'privkey.pem') | ||
privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem') | ||
user_p12 = os.path.join(certs, 'user.p12') | ||
user_enc_p12 = os.path.join(certs, 'user-enc.p12') | ||
path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs') | ||
path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc') | ||
|
||
pkinit_krb5_conf = { | ||
'realms': {'$realm': { | ||
'pkinit_anchors': 'FILE:%s' % ca_pem, | ||
'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}} | ||
pkinit_kdc_conf = { | ||
'realms': {'$realm': { | ||
'default_principal_flags': '+preauth', | ||
'pkinit_eku_checking': 'none'}}} | ||
|
||
file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem) | ||
file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem) | ||
dir_identity = 'DIR:%s' % path | ||
dir_enc_identity = 'DIR:%s' % path_enc | ||
p12_identity = 'PKCS12:%s' % user_p12 | ||
p12_enc_identity = 'PKCS12:%s' % user_enc_p12 | ||
p11_identity = 'PKCS11:soft-pkcs11.so' | ||
# Set up the DIR: identities. They go away as a side-effect of reinitializing | ||
# the realm testdir, so we don't have a specific cleanup method. | ||
def setup_dir_identities(realm): | ||
os.mkdir(path) | ||
os.mkdir(path_enc) | ||
shutil.copy(privkey_pem, os.path.join(path, 'user.key')) | ||
shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key')) | ||
shutil.copy(user_pem, os.path.join(path, 'user.crt')) | ||
shutil.copy(user_pem, os.path.join(path_enc, 'user.crt')) | ||
|
||
# Run the basic test - PKINIT with FILE: identity, with no password on the key. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % file_identity]) | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
# Run the basic test - PKINIT with FILE: identity, with a password on the key, | ||
# supplied by the prompter. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % file_enc_identity], | ||
password='encrypted') | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
# PKINIT with DIR: identity, with no password on the key. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
setup_dir_identities(realm) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % p12_identity]) | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
# PKINIT with DIR: identity, with a password on the key, supplied by the | ||
# prompter. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
setup_dir_identities(realm) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % dir_enc_identity], | ||
password='encrypted') | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
# PKINIT with PKCS12: identity, with no password on the bundle. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % p12_identity]) | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the | ||
# prompter. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % p12_enc_identity], | ||
password='encrypted') | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
|
||
if have_soft_pkcs11: | ||
os.environ['SOFTPKCS11RC'] = os.path.join(os.getcwd(), 'testdir', | ||
'soft-pkcs11.rc') | ||
|
||
# PKINIT with PKCS11: identity, with a PIN supplied by the prompter. | ||
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, | ||
get_creds=False) | ||
conf = open(os.environ['SOFTPKCS11RC'], 'w') | ||
conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, | ||
privkey_enc_pem)) | ||
conf.close() | ||
realm.kinit('user@%s' % realm.realm, | ||
flags=['-X', 'X509_user_identity=%s' % p11_identity], | ||
password='encrypted') | ||
realm.klist('user@%s' % realm.realm) | ||
realm.run([kvno, realm.host_princ]) | ||
realm.stop() | ||
else: | ||
output('soft-pkcs11.so not found: ' | ||
'skipping tests with PKCS11 identities\n') | ||
|
||
success('Authenticated PKINIT') |
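Review bot: The "PKINIT with DIR: identity, with no password on the key" case passes `p12_identity` to `realm.kinit`, so it merely repeats the PKCS12 test and the `dir_identity` string defined above is never used; the flag line should read `flags=['-X', 'X509_user_identity=%s' % dir_identity])`. The soft-pkcs11 probe uses a bare `except:`, which also swallows SystemExit and KeyboardInterrupt; `ctypes` raises `OSError` when a library cannot be loaded, so `except OSError:` is the narrower guard, and the `have_soft_pkcs11 = False` inside the handler is redundant with the initial assignment. The SOFTPKCS11RC write would be safer as `with open(os.environ['SOFTPKCS11RC'], 'w') as conf:` so the handle is closed even if the write raises. `setup_dir_identities` takes a `realm` argument it never reads; either drop it or note in its comment that it is kept for call-site symmetry.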