From 1da235c9c3275f56cb217d0087b7b9da06c19ff5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 9 Feb 2022 23:07:24 -0600
Subject: [PATCH] osx: Avoid blocking the KDC in KEYCHAIN in tests

If a client tries to use PKINIT we can block in the OS X keychain if no anchors are configured.
---
 tests/gss/krb5.conf.in | 15 +++++++++++++++
 tests/plugin/krb5.conf.in | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/tests/gss/krb5.conf.in b/tests/gss/krb5.conf.in
index b8e04b651..aae031db6 100644
--- a/tests/gss/krb5.conf.in
+++ b/tests/gss/krb5.conf.in
@@ -18,6 +18,21 @@ include @srcdirabs@/include-krb5.conf
 }
 
 [kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
 database = {
 dbname = @objdir@/current-db
 realm = TEST.H5L.SE
diff --git a/tests/plugin/krb5.conf.in b/tests/plugin/krb5.conf.in
index 8ab2f1717..d188c314b 100644
--- a/tests/plugin/krb5.conf.in
+++ b/tests/plugin/krb5.conf.in
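Review bot: The new [kdc] block enables far more than the commit message justifies — anonymous PKINIT, NTLMv1/CHAP-MD5 digests, synthetic client principals, GSS preauth and proxy certificates — with `pkinit_revoke` commented out, yet nothing in the file marks it as test-only or says why each knob is on. Only `pkinit_anchors` (and the identity/pool lines it depends on) addresses the keychain-blocking problem described; the rest looks like a copy of a broader test fixture, and a reader grepping for a working KDC config could lift it as-is. Add a header above `enable-digest = true` along the lines of `# TEST-ONLY KDC settings: weak digests, anonymous/synthetic clients and proxy certs are deliberately enabled so the test suite can exercise them; never copy into a production krb5.conf.` and annotate the disabled line with `# pkinit_revoke left unset: no CRL checking in these tests`. If the extra keys are not needed by tests/gss, consider keeping just the PKINIT lines here so the hunk matches its stated purpose.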
@@ -19,6 +19,21 @@
 }
 
 [kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
 database = {
 dbname = @objdir@/current-db
 realm = TEST.H5L.SE
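Review bot: This hunk duplicates the same fifteen [kdc] lines byte-for-byte from tests/gss/krb5.conf.in, so the two fixtures will drift the next time someone tunes `digests_allowed` or re-enables `pkinit_revoke` in only one of them. The first file's hunk header shows it already includes a shared `include-krb5.conf`; if tests/plugin uses the same include (not visible here, so confirm), the PKINIT identity/anchor/pool lines that actually fix the keychain hang belong there once, with each test's krb5.conf.in keeping only the keys it specifically needs. Whatever stays here should at least carry a one-line pointer such as `# keep in sync with tests/gss/krb5.conf.in [kdc]` so the duplication is visible.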