Add PKINIT support in kdc-tester and check-tester
This commit is contained in:
@@ -141,7 +141,8 @@ get_fast_armor_ccache(const char *fast_armor_princ, const char *keytab,
|
||||
static void
|
||||
eval_kinit(heim_dict_t o)
|
||||
{
|
||||
heim_string_t user, password, keytab, fast_armor_princ;
|
||||
heim_string_t user, password, keytab, fast_armor_princ, pk_user_id;
|
||||
krb5_get_init_creds_opt *opt;
|
||||
krb5_init_creds_context ctx;
|
||||
krb5_principal client;
|
||||
krb5_keytab kt = NULL;
|
||||
@@ -157,14 +158,30 @@ eval_kinit(heim_dict_t o)
|
||||
|
||||
password = heim_dict_get_value(o, HSTR("password"));
|
||||
keytab = heim_dict_get_value(o, HSTR("keytab"));
|
||||
if (password == NULL && keytab == NULL)
|
||||
krb5_errx(kdc_context, 1, "no password nor keytab");
|
||||
pk_user_id = heim_dict_get_value(o, HSTR("pkinit-user-cert-id"));
|
||||
if (password == NULL && keytab == NULL && pk_user_id == NULL)
|
||||
krb5_errx(kdc_context, 1, "password, keytab, nor PKINIT user cert ID");
|
||||
|
||||
ret = krb5_parse_name(kdc_context, heim_string_get_utf8(user), &client);
|
||||
if (ret)
|
||||
krb5_err(kdc_context, 1, ret, "krb5_unparse_name");
|
||||
|
||||
ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, NULL, &ctx);
|
||||
/* PKINIT parts */
|
||||
ret = krb5_get_init_creds_opt_alloc (kdc_context, &opt);
|
||||
if (ret)
|
||||
krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_alloc");
|
||||
|
||||
if (pk_user_id) {
|
||||
ret = krb5_get_init_creds_opt_set_pkinit(kdc_context, opt,
|
||||
client,
|
||||
heim_string_get_utf8(pk_user_id),
|
||||
NULL, NULL, NULL, 0,
|
||||
NULL, NULL, NULL);
|
||||
if (ret)
|
||||
krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
|
||||
}
|
||||
|
||||
ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, opt, &ctx);
|
||||
if (ret)
|
||||
krb5_err(kdc_context, 1, ret, "krb5_init_creds_init");
|
||||
|
||||
|
@@ -1,6 +1,7 @@
|
||||
include $(top_srcdir)/Makefile.am.common
|
||||
|
||||
noinst_DATA = \
|
||||
kdc-tester4.json \
|
||||
krb5.conf \
|
||||
krb5-canon.conf \
|
||||
krb5-canon2.conf \
|
||||
@@ -45,6 +46,7 @@ endif
|
||||
|
||||
do_subst = sed $(do_dlopen) \
|
||||
-e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
|
||||
-e 's,[@]top_srcdir[@],$(top_srcdir),g' \
|
||||
-e 's,[@]srcdir[@],$(srcdir),g' \
|
||||
-e 's,[@]port[@],$(port),g' \
|
||||
-e 's,[@]admport[@],$(admport),g' \
|
||||
@@ -95,7 +97,7 @@ check-kdc-weak: check-kdc-weak.in Makefile
|
||||
chmod +x check-kdc-weak.tmp
|
||||
mv check-kdc-weak.tmp check-kdc-weak
|
||||
|
||||
check-tester: check-tester.in Makefile
|
||||
check-tester: check-tester.in kdc-tester4.json Makefile
|
||||
$(do_subst) < $(srcdir)/check-tester.in > check-tester.tmp
|
||||
chmod +x check-tester.tmp
|
||||
mv check-tester.tmp check-tester
|
||||
@@ -140,6 +142,10 @@ check-kpasswdd: check-kpasswdd.in Makefile
|
||||
chmod +x check-kpasswdd.tmp
|
||||
mv check-kpasswdd.tmp check-kpasswdd
|
||||
|
||||
kdc-tester4.json: kdc-tester4.json.in Makefile
|
||||
$(do_subst) < $(srcdir)/kdc-tester4.json.in > kdc-tester4.json.tmp
|
||||
mv kdc-tester4.json.tmp kdc-tester4.json
|
||||
|
||||
krb5.conf: krb5.conf.in Makefile
|
||||
$(do_subst) \
|
||||
-e 's,[@]WEAK[@],false,g' \
|
||||
@@ -203,6 +209,7 @@ CLEANFILES= \
|
||||
iprop.keytab \
|
||||
digest-reply \
|
||||
foopassword \
|
||||
kdc-tester4.json \
|
||||
krb5.conf \
|
||||
krb5-canon.conf \
|
||||
krb5-canon2.conf \
|
||||
@@ -261,6 +268,7 @@ EXTRA_DIST = \
|
||||
iprop-acl \
|
||||
kdc-tester1.json \
|
||||
kdc-tester2.json \
|
||||
kdc-tester4.json.in \
|
||||
krb5-pkinit.conf.in \
|
||||
krb5.conf.in \
|
||||
krb5-canon.conf.in \
|
||||
|
@@ -50,11 +50,30 @@ R=TEST.H5L.SE
|
||||
|
||||
keytabfile=${objdir}/server.keytab
|
||||
keytab="FILE:${keytabfile}"
|
||||
keyfile="${hx509_data}/key.der"
|
||||
keyfile2="${hx509_data}/key2.der"
|
||||
|
||||
kadmin="${kadmin} -l -r $R"
|
||||
|
||||
server=host/datan.test.h5l.se
|
||||
|
||||
rsa=yes
|
||||
pkinit=no
|
||||
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
|
||||
rsa=no
|
||||
fi
|
||||
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
|
||||
rsa=no
|
||||
fi
|
||||
|
||||
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
|
||||
pkinit=yes
|
||||
fi
|
||||
|
||||
# If we doesn't support pkinit and have RSA, give up
|
||||
if test "$rsa" != yes ; then
|
||||
pkinit=no
|
||||
fi
|
||||
|
||||
rm -f ${keytabfile}
|
||||
rm -f current-db*
|
||||
@@ -84,5 +103,45 @@ ${kdc_tester} ${srcdir}/kdc-tester2.json || exit 1
|
||||
echo "fast + keytab"
|
||||
${kdc_tester} ${srcdir}/kdc-tester3.json || exit 1
|
||||
|
||||
if test "$pkinit" = yes ; then
|
||||
KRB5_CONFIG="${1-${objdir}/krb5-pkinit.conf}"
|
||||
export KRB5_CONFIG
|
||||
echo "Setting up certificates"
|
||||
${hxtool} request-create \
|
||||
--subject="CN=kdc,DC=test,DC=h5l,DC=se" \
|
||||
--key=FILE:${keyfile2} \
|
||||
req-kdc.der || exit 1
|
||||
${hxtool} request-create \
|
||||
--subject="CN=foo,DC=test,DC=h5l,DC=se" \
|
||||
--key=FILE:${keyfile2} \
|
||||
req-pkinit.der || exit 1
|
||||
|
||||
echo "issue self-signed ca cert"
|
||||
${hxtool} issue-certificate \
|
||||
--self-signed \
|
||||
--issue-ca \
|
||||
--ca-private-key=FILE:${keyfile} \
|
||||
--subject="CN=CA,DC=test,DC=h5l,DC=se" \
|
||||
--certificate="FILE:ca.crt" || exit 1
|
||||
|
||||
echo "issue kdc certificate"
|
||||
${hxtool} issue-certificate \
|
||||
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
|
||||
--type="pkinit-kdc" \
|
||||
--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
|
||||
--req="PKCS10:req-kdc.der" \
|
||||
--certificate="FILE:kdc.crt" || exit 1
|
||||
|
||||
echo "issue user certificate (pkinit san)"
|
||||
${hxtool} issue-certificate \
|
||||
--ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
|
||||
--type="pkinit-client" \
|
||||
--pk-init-principal="foo@TEST.H5L.SE" \
|
||||
--req="PKCS10:req-pkinit.der" \
|
||||
--certificate="FILE:pkinit.crt" || exit 1
|
||||
|
||||
echo "pkinit"
|
||||
${kdc_tester} ${srcdir}/kdc-tester4.json || exit 1
|
||||
fi
|
||||
|
||||
exit $ec
|
||||
|
Reference in New Issue
Block a user