|
 |
0dc40d9 |
From 650504957919949aa8ede95fc5e251cdd96e9895 Mon Sep 17 00:00:00 2001
|
|
|
0dc40d9 |
From: Matt Rogers <mrogers@redhat.com>
|
|
|
0dc40d9 |
Date: Fri, 9 Dec 2016 11:43:27 -0500
|
|
|
0dc40d9 |
Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
[ghudson@mit.edu: simplify and explain tests; add test for
|
|
|
0dc40d9 |
id-pkinit-san match against canonicalized client principal]
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
ticket: 8528
|
|
|
0dc40d9 |
(cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d)
|
|
|
0dc40d9 |
---
|
|
|
0dc40d9 |
src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
0dc40d9 |
1 file changed, 57 insertions(+)
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
|
|
|
0dc40d9 |
index 526473b42..ac4d326b6 100755
|
|
|
0dc40d9 |
--- a/src/tests/t_pkinit.py
|
|
|
0dc40d9 |
+++ b/src/tests/t_pkinit.py
|
|
|
0dc40d9 |
@@ -23,6 +23,9 @@ privkey_pem = os.path.join(certs, 'privkey.pem')
|
|
|
0dc40d9 |
privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
|
|
|
0dc40d9 |
user_p12 = os.path.join(certs, 'user.p12')
|
|
|
0dc40d9 |
user_enc_p12 = os.path.join(certs, 'user-enc.p12')
|
|
|
0dc40d9 |
+user_upn_p12 = os.path.join(certs, 'user-upn.p12')
|
|
|
0dc40d9 |
+user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
|
|
|
0dc40d9 |
+user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
|
|
|
0dc40d9 |
path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
|
|
|
0dc40d9 |
path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
@@ -36,6 +39,20 @@ pkinit_kdc_conf = {'realms': {'$realm': {
|
|
|
0dc40d9 |
restrictive_kdc_conf = {'realms': {'$realm': {
|
|
|
0dc40d9 |
'restrict_anonymous_to_tgt': 'true' }}}
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
|
|
|
0dc40d9 |
+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
|
|
|
0dc40d9 |
+ 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
|
|
|
0dc40d9 |
+alias_kdc_conf = {'realms': {'$realm': {
|
|
|
0dc40d9 |
+ 'default_principal_flags': '+preauth',
|
|
|
0dc40d9 |
+ 'pkinit_eku_checking': 'none',
|
|
|
0dc40d9 |
+ 'pkinit_allow_upn': 'true',
|
|
|
0dc40d9 |
+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
|
|
|
0dc40d9 |
+ 'database_module': 'test'}},
|
|
|
0dc40d9 |
+ 'dbmodules': {'test': {
|
|
|
0dc40d9 |
+ 'db_library': 'test',
|
|
|
0dc40d9 |
+ 'alias': {'user@krbtest.com': 'user'},
|
|
|
0dc40d9 |
+ 'princs': testprincs}}}
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
|
|
|
0dc40d9 |
file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
|
|
|
0dc40d9 |
dir_identity = 'DIR:%s' % path
|
|
|
0dc40d9 |
@@ -45,11 +62,51 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
|
|
|
0dc40d9 |
dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
|
|
|
0dc40d9 |
os.path.join(path_enc, 'user.key'))
|
|
|
0dc40d9 |
p12_identity = 'PKCS12:%s' % user_p12
|
|
|
0dc40d9 |
+p12_upn_identity = 'PKCS12:%s' % user_upn_p12
|
|
|
0dc40d9 |
+p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
|
|
|
0dc40d9 |
+p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
|
|
|
0dc40d9 |
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
|
|
|
0dc40d9 |
p11_identity = 'PKCS11:soft-pkcs11.so'
|
|
|
0dc40d9 |
p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
|
|
|
0dc40d9 |
'slotid=1:token=SoftToken (token)')
|
|
|
0dc40d9 |
|
|
|
0dc40d9 |
+# Start a realm with the test kdb module for the following UPN SAN tests.
|
|
|
0dc40d9 |
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
|
|
|
0dc40d9 |
+ create_kdb=False)
|
|
|
0dc40d9 |
+realm.start_kdc()
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Compatibility check: cert contains UPN "user", which matches the
|
|
|
0dc40d9 |
+# request principal user@KRBTEST.COM if parsed as a normal principal.
|
|
|
0dc40d9 |
+realm.kinit(realm.user_princ,
|
|
|
0dc40d9 |
+ flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
|
|
|
0dc40d9 |
+# the request principal user@KRBTEST.COM if parsed as a normal principal.
|
|
|
0dc40d9 |
+realm.kinit(realm.user_princ,
|
|
|
0dc40d9 |
+ flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Cert contains UPN "user@krbtest.com" which is aliased to the request
|
|
|
0dc40d9 |
+# principal.
|
|
|
0dc40d9 |
+realm.kinit(realm.user_princ,
|
|
|
0dc40d9 |
+ flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Test an id-pkinit-san match to a post-canonical principal.
|
|
|
0dc40d9 |
+realm.kinit('user@krbtest.com',
|
|
|
0dc40d9 |
+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Test a UPN match to a post-canonical principal. (This only works
|
|
|
0dc40d9 |
+# for the cert with the UPN containing just "user", as we don't allow
|
|
|
0dc40d9 |
+# UPN reparsing when comparing to the canonicalized client principal.)
|
|
|
0dc40d9 |
+realm.kinit('user@krbtest.com',
|
|
|
0dc40d9 |
+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
+# Test a mismatch.
|
|
|
0dc40d9 |
+out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
|
|
|
0dc40d9 |
+ 'user2'], expected_code=1)
|
|
|
0dc40d9 |
+if 'kinit: Client name mismatch while getting initial credentials' not in out:
|
|
|
0dc40d9 |
+ fail('Wrong error for UPN SAN mismatch')
|
|
|
0dc40d9 |
+realm.stop()
|
|
|
0dc40d9 |
+
|
|
|
0dc40d9 |
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
|
|
|
0dc40d9 |
get_creds=False)
|
|
|
0dc40d9 |
|