From 2cd6e322025c2a6bd2fb05a31c6e08d4ac7fa47a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Thu, 4 Jan 2007 01:58:51 +0000 Subject: [PATCH] Generate a ca, kdc cert and client cert and try to use them git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19662 ec53bebd-3082-4978-b11e-865c3cabbd6b --- tests/kdc/check-pkinit.in | 168 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 tests/kdc/check-pkinit.in diff --git a/tests/kdc/check-pkinit.in b/tests/kdc/check-pkinit.in new file mode 100644 index 000000000..01d81d7f5 --- /dev/null +++ b/tests/kdc/check-pkinit.in @@ -0,0 +1,168 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +srcdir="@srcdir@" +objdir="@objdir@" +EGREP="@EGREP@" + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compile in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=8888 + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" + +server=host/datan.test.h5l.se +cache="FILE:${objdir}/cache.krb5" +keyfile="${srcdir}/../../lib/hx509/data/key.der" +keyfile2="${srcdir}/../../lib/hx509/data/key2.der" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog" +kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache" +kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog" +hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool" + +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +export KRB5_CONFIG + +rsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +# If we doesn't support pkinit and have RSA, give up +if test "$pkinit" != yes -o "$rsa" != yes ; then + exit 77 +fi + + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo "Setting up certificates" +${hxtool} request-create \ + --subject="CN=kdc,DC=test,DC=h5l,DC=se" \ + --key=${keyfile2} \ + req-kdc.der || exit 1 +${hxtool} request-create \ + --subject="CN=bar,DC=test,DC=h5l,DC=se" \ + --key=${keyfile2} \ + req-pkinit.der || exit 1 + +echo "issue self-signed ca cert" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --ca-private-key=${keyfile} \ + --subject="CN=CA,DC=test,DC=h5l,DC=se" \ + --certificate="ca.crt" || exit 1 + +echo "issue kdc certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-kdc" \ + --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \ + --req="req-kdc.der" \ + --certificate="kdc.crt" || exit 1 + +echo "issue user certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --pk-init-principal="bar@TEST.H5L.SE" \ + --req="req-pkinit.der" \ + --certificate="pkinit.crt" || exit 1 + +echo foo > ${objdir}/foopassword + +echo Starting kdc +${kdc} & +kdcpid=$! + +sh ${srcdir}/wait-kdc.sh +if [ "$?" != 0 ] ; then + kill ${kdcpid} + exit 1 +fi + +trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +ec=0 + +echo "Trying pk-init (principal in cert)"; > messages.log +base="${objdir}" +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} +echo "Trying pk-init (principal in pki-mapping) "; > messages.log +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "killing kdc (${kdcpid})" +kill $kdcpid || exit 1 + +trap "" EXIT + +exit $ec