Add PKINIT support in kdc-tester and check-tester

2011-11-22 18:40:48 -06:00
parent b02365d714
commit 35f4032381
3 changed files with 89 additions and 5 deletions
--- a/kdc/kdc-tester.c
+++ b/kdc/kdc-tester.c
@@ -141,7 +141,8 @@ get_fast_armor_ccache(const char *fast_armor_princ, const char *keytab,
 static void
 eval_kinit(heim_dict_t o)
 {
-    heim_string_t user, password, keytab, fast_armor_princ;
+    heim_string_t user, password, keytab, fast_armor_princ, pk_user_id;
    krb5_get_init_creds_opt *opt;
    krb5_init_creds_context ctx;
    krb5_principal client;
    krb5_keytab kt = NULL;
@@ -157,14 +158,30 @@ eval_kinit(heim_dict_t o)
    password = heim_dict_get_value(o, HSTR("password"));
    keytab = heim_dict_get_value(o, HSTR("keytab"));
-    if (password == NULL && keytab == NULL)
+    pk_user_id = heim_dict_get_value(o, HSTR("pkinit-user-cert-id"));
-	krb5_errx(kdc_context, 1, "no password nor keytab");
+    if (password == NULL && keytab == NULL && pk_user_id == NULL)
 	krb5_errx(kdc_context, 1, "password, keytab, nor PKINIT user cert ID");
    ret = krb5_parse_name(kdc_context, heim_string_get_utf8(user), &client);
    if (ret)
 	krb5_err(kdc_context, 1, ret, "krb5_unparse_name");
-    ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, NULL, &ctx);
+    /* PKINIT parts */
    ret = krb5_get_init_creds_opt_alloc (kdc_context, &opt);
    if (ret)
 	krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_alloc");
    if (pk_user_id) {
 	ret = krb5_get_init_creds_opt_set_pkinit(kdc_context, opt,
 						 client,
 						 heim_string_get_utf8(pk_user_id),
 						 NULL, NULL, NULL, 0,
 						 NULL, NULL, NULL);
 	if (ret)
 	    krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
    }
    ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, opt, &ctx);
    if (ret)
 	krb5_err(kdc_context, 1, ret, "krb5_init_creds_init");
--- a/tests/kdc/Makefile.am
+++ b/tests/kdc/Makefile.am
@@ -1,6 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 noinst_DATA = \
 	kdc-tester4.json \
 	krb5.conf \
 	krb5-canon.conf \
 	krb5-canon2.conf \
@@ -45,6 +46,7 @@ endif
 do_subst = sed $(do_dlopen) \
 	-e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
 	-e 's,[@]top_srcdir[@],$(top_srcdir),g' \
 	-e 's,[@]srcdir[@],$(srcdir),g' \
 	-e 's,[@]port[@],$(port),g' \
 	-e 's,[@]admport[@],$(admport),g' \
@@ -95,7 +97,7 @@ check-kdc-weak: check-kdc-weak.in Makefile
 	chmod +x check-kdc-weak.tmp
 	mv check-kdc-weak.tmp check-kdc-weak
-check-tester: check-tester.in Makefile
+check-tester: check-tester.in kdc-tester4.json Makefile
 	$(do_subst) < $(srcdir)/check-tester.in > check-tester.tmp
 	chmod +x check-tester.tmp
 	mv check-tester.tmp check-tester
@@ -140,6 +142,10 @@ check-kpasswdd: check-kpasswdd.in Makefile
 	chmod +x check-kpasswdd.tmp
 	mv check-kpasswdd.tmp check-kpasswdd
 kdc-tester4.json: kdc-tester4.json.in Makefile
 	$(do_subst) < $(srcdir)/kdc-tester4.json.in > kdc-tester4.json.tmp
 	mv kdc-tester4.json.tmp kdc-tester4.json
 krb5.conf: krb5.conf.in Makefile
 	$(do_subst) \
 	   -e 's,[@]WEAK[@],false,g' \
@@ -203,6 +209,7 @@ CLEANFILES= \
 	iprop.keytab \
 	digest-reply \
 	foopassword \
 	kdc-tester4.json \
 	krb5.conf \
 	krb5-canon.conf \
 	krb5-canon2.conf \
@@ -261,6 +268,7 @@ EXTRA_DIST = \
 	iprop-acl \
 	kdc-tester1.json \
 	kdc-tester2.json \
 	kdc-tester4.json.in \
 	krb5-pkinit.conf.in \
 	krb5.conf.in \
 	krb5-canon.conf.in \
--- a/tests/kdc/check-tester.in
+++ b/tests/kdc/check-tester.in
@@ -50,11 +50,30 @@ R=TEST.H5L.SE
 keytabfile=${objdir}/server.keytab
 keytab="FILE:${keytabfile}"
 keyfile="${hx509_data}/key.der"
 keyfile2="${hx509_data}/key2.der"
 kadmin="${kadmin} -l -r $R"
 server=host/datan.test.h5l.se
 rsa=yes
 pkinit=no
 if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
 fi
 if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
 fi
 if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
 fi
 # If we doesn't support pkinit and have RSA, give up
 if test "$rsa" != yes ; then
    pkinit=no
 fi
 rm -f ${keytabfile}
 rm -f current-db*
@@ -84,5 +103,45 @@ ${kdc_tester} ${srcdir}/kdc-tester2.json || exit 1
 echo "fast + keytab"
 ${kdc_tester} ${srcdir}/kdc-tester3.json || exit 1
 if test "$pkinit" = yes ; then
    KRB5_CONFIG="${1-${objdir}/krb5-pkinit.conf}"
    export KRB5_CONFIG
    echo "Setting up certificates"
    ${hxtool} request-create \
 	     --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
 	     --key=FILE:${keyfile2} \
 	     req-kdc.der || exit 1
    ${hxtool} request-create \
 	     --subject="CN=foo,DC=test,DC=h5l,DC=se" \
 	     --key=FILE:${keyfile2} \
 	     req-pkinit.der || exit 1
    echo "issue self-signed ca cert"
    ${hxtool} issue-certificate \
 	      --self-signed \
 	      --issue-ca \
 	      --ca-private-key=FILE:${keyfile} \
 	      --subject="CN=CA,DC=test,DC=h5l,DC=se" \
 	      --certificate="FILE:ca.crt" || exit 1
    echo "issue kdc certificate"
    ${hxtool} issue-certificate \
 	      --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
 	      --type="pkinit-kdc" \
 	      --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
 	      --req="PKCS10:req-kdc.der" \
 	      --certificate="FILE:kdc.crt" || exit 1
    echo "issue user certificate (pkinit san)"
    ${hxtool} issue-certificate \
 	      --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
 	      --type="pkinit-client" \
 	      --pk-init-principal="foo@TEST.H5L.SE" \
 	      --req="PKCS10:req-pkinit.der" \
 	      --certificate="FILE:pkinit.crt" || exit 1
    echo "pkinit"
    ${kdc_tester} ${srcdir}/kdc-tester4.json || exit 1
 fi
 exit $ec