Add bx509d

tests/bin/setup-env.in

@@ -15,6 +15,7 @@ NO_AFS="@NO_AFS@"
 # most commands in heimdal as variables
 
 # regular apps
+bx509d="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/bx509d"
 hxtool="${TESTS_ENVIRONMENT} ${top_builddir}/lib/hx509/hxtool"
 iprop_log="${TESTS_ENVIRONMENT} ${top_builddir}/lib/kadm5/iprop-log"
 ipropd_master="${TESTS_ENVIRONMENT} ${top_builddir}/lib/kadm5/ipropd-master"
@@ -23,6 +24,9 @@ kadmin="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmin"
 kadmind="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmind"
 kdc="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc"
 kdc_tester="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc-tester"
+test_csr_authorizer="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_csr_authorizer"
+test_kdc_ca="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_kdc_ca"
+test_token_validator="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_token_validator"
 kdestroy="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kdestroy"
 kdigest="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kdigest"
 kgetcred="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kgetcred"
@@ -35,6 +39,7 @@ kswitch="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools kswitch"
 kx509="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools kx509"
 ktutil="${TESTS_ENVIRONMENT} ${top_builddir}/admin/ktutil"
 gsstool="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/gsstool"
+gsstoken="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/gss-token"
 
 # regression test tools
 test_ap_req="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_ap-req"
@@ -43,7 +48,9 @@ test_gic="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_gic"
 test_renew="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_renew"
 test_ntlm="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/test_ntlm"
 test_context="${TESTS_ENVIRONMENT} ${top_builddir}/lib/gssapi/test_context"
+rkbase64="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkbase64"
 rkpty="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkpty"
+rkvis="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkvis"
 test_set_kvno0="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_set_kvno0"
 test_alname="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_alname"
 test_kuserok="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_kuserok"

tests/kdc/Makefile.am

@@ -11,6 +11,7 @@ noinst_DATA = \
 	krb5-hdb-mitdb.conf \
 	krb5-weak.conf \
 	krb5-pkinit.conf \
+	krb5-bx509.conf \
 	krb5-pkinit-win.conf \
 	krb5-slave2.conf \
 	krb5-slave.conf
@@ -32,6 +33,7 @@ SCRIPT_TESTS = \
 	check-keys \
 	check-kpasswdd \
 	check-pkinit \
+	check-bx509 \
 	check-iprop \
 	check-referral \
 	check-tester \
@@ -141,6 +143,11 @@ check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf
 	$(chmod) +x check-pkinit.tmp && \
 	mv check-pkinit.tmp check-pkinit
 
+check-bx509: check-bx509.in Makefile krb5-bx509.conf
+	$(do_subst) < $(srcdir)/check-bx509.in > check-bx509.tmp && \
+	$(chmod) +x check-bx509.tmp && \
+	mv check-bx509.tmp check-bx509
+
 check-iprop: check-iprop.in Makefile krb5.conf krb5-slave.conf krb5-slave2.conf
 	$(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp && \
 	$(chmod) +x check-iprop.tmp && \
@@ -226,6 +233,10 @@ krb5-pkinit.conf: krb5-pkinit.conf.in Makefile
 	$(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp && \
 	mv krb5-pkinit.conf.tmp krb5-pkinit.conf
 
+krb5-bx509.conf: krb5-bx509.conf.in Makefile
+	$(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-bx509.conf.in > krb5-bx509.conf.tmp && \
+	mv krb5-bx509.conf.tmp krb5-bx509.conf
+
 krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
 	$(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp && \
 	mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
@@ -260,6 +271,7 @@ CLEANFILES= \
 	krb5-hdb-mitdb.conf \
 	krb5-pkinit-win.conf \
 	krb5-pkinit.conf \
+	krb5-bx509.conf \
 	krb5-slave2.conf \
 	krb5-slave.conf \
 	krb5-weak.conf \
@@ -303,6 +315,7 @@ EXTRA_DIST = \
 	check-keys.in \
 	check-kpasswdd.in \
 	check-pkinit.in \
+	check-bx509.in \
 	check-referral.in \
 	check-tester.in \
 	check-uu.in \
@@ -317,6 +330,7 @@ EXTRA_DIST = \
 	kdc-tester3.json \
 	kdc-tester4.json.in \
 	krb5-pkinit.conf.in \
+	krb5-bx509.conf.in \
 	krb5.conf.in \
 	krb5-authz.conf.in \
 	krb5-authz2.conf.in \

tests/kdc/check-bx509.in

@@ -0,0 +1,407 @@
+#!/bin/sh
+#
+# Copyright (c) 2019 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+DCs="DC=test,DC=h5l,DC=se"
+H=datan.test.h5l.se
+
+port=@port@
+
+#kadmin="${kadmin} -l -r $R"
+bx509="${bx509} --reverse-proxied -p $port"
+
+server=datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
+keytab=FILE:${objdir}/kt
+kt=${objdir}/kt
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} --hidden -v -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+kx509="${kx509} -c $cache"
+
+KRB5_CONFIG="${objdir}/krb5-bx509.conf"
+export KRB5_CONFIG
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+    rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+    pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$pkinit" != yes -o "$rsa" != yes ; then
+    exit 77
+fi
+
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f *.pem *.crt *.der
+rm -rf simple_csr_authz
+
+mkdir -p simple_csr_authz
+
+> messages.log
+
+# We'll avoid using a KDC.  We only need one for Negotiate tokens, and we'll
+# use ktutil and kimpersonate to make it possible to create and accept those
+# without a KDC.
+
+# csr_grant ext-type value princ
+csr_grant() {
+    mkdir -p "${objdir}/simple_csr_authz/${3}"
+    touch "${objdir}/simple_csr_authz/${3}/${1}-${2}"
+}
+
+csr_revoke() {
+    rm -rf "${objdir}/simple_csr_authz"
+    mkdir -p "${objdir}/simple_csr_authz"
+}
+
+# get_cert ""         curl-opts
+# get_cert "&qparams" curl-opts
+get_cert() {
+    url="http://${server}:${port}/bx509?csr=$csr${1}"
+    shift
+    curl -g --connect-to ${server}:${port}:localhost:${port}            \
+         -H "Authorization: Negotiate $token"                           \
+         "$@" "$url"
+}
+
+rm -f $kt
+$ktutil -k $keytab add -r -V 1 -e aes128-cts-hmac-sha1-96               \
+    -p HTTP/datan.test.h5l.se@TEST.H5L.SE ||
+    { echo "failed to setup kimpersonate credentials"; exit 2; }
+$ktutil -k $keytab list ||
+    { echo "failed to setup kimpersonate credentials"; exit 2; }
+$kimpersonate --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96  \
+   -c foo@TEST.H5L.SE -s HTTP/datan.test.h5l.se@TEST.H5L.SE ||
+    { echo "failed to setup kimpersonate credentials"; exit 2; }
+$klist ||
+    { echo "failed to setup kimpersonate credentials"; exit 2; }
+
+echo "Setting up certificates"
+# We need:
+#
+#  - a CA certificate for issuing client certificates
+#  - a CA certificate for issuing server certificates
+#  - a CA certificate for issuing mixed  certificates
+#  - a certificate for bx509 itself (well, not in reverse proxy mode, but we'll
+#    make one anyways)
+
+# Make the realm's user cert issuer CA certificate.
+#
+# NOTE WELL: We need all three KeyUsage values listed below!
+#            We also need this to be of type "pkinit-kdc",
+#            which means we'll get an appropriate EKU OID as
+#            well.
+$hxtool ca  --issue-ca --self-signed --type=pkinit-kdc          \
+            --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
+            --pk-init-principal=krbtgt/${R}@${R}                \
+            --generate-key=rsa --key-bits=1024                  \
+            --subject="OU=Users,CN=KDC,${DCs}"                  \
+            --certificate=PEM-FILE:"${objdir}/user-issuer.pem" ||
+    { echo "failed to setup CA certificate"; exit 2; }
+
+# We'll use the user cert issuer as the PKINIT anchor, allowing bx509-issued
+# certificates to be used for PKINIT.  Though we won't be testing PKINIT here
+# -- we test kx509->PKINIT in check-pkinit.
+cp ${objdir}/user-issuer.pem ${objdir}/pkinit-anchor.pem
+
+# Put the cert alone in the trust anchors file
+#ex "${objdir}/pkinit-anchor.pem" <<"EOF"
+#/-----BEGIN CERTIFICATE-----
+#1,.-1 d
+#wq
+#EOF
+
+$hxtool ca  --issue-ca --self-signed                                \
+            --ku=digitalSignature --ku=keyCertSign --ku=cRLSign     \
+            --generate-key=rsa --key-bits=1024                      \
+            --subject="OU=Servers,CN=KDC,${DCs}"                    \
+            --certificate=PEM-FILE:"${objdir}/server-issuer.pem" ||
+    { echo "failed to setup CA certificate"; exit 2; }
+
+$hxtool ca  --issue-ca --self-signed                                \
+            --ku=digitalSignature --ku=keyCertSign --ku=cRLSign     \
+            --generate-key=rsa --key-bits=1024                      \
+            --subject="OU=Users,CN=KDC,${DCs}"                      \
+            --certificate=PEM-FILE:"${objdir}/mixed-issuer.pem" ||
+    { echo "failed to setup CA certificate"; exit 2; }
+
+$hxtool ca  --issue-ca --type=https-negotiate-server                \
+            --ca-certificate=PEM-FILE:"${objdir}/server-issuer.pem" \
+            --ku=digitalSignature --pk-init-principal=HTTP/${H}@${R}\
+            --generate-key=rsa --key-bits=1024 --subject=""         \
+            --certificate=PEM-FILE:"${objdir}/bx509.pem" ||
+    { echo "failed to setup CA certificate"; exit 2; }
+
+# XXX Before starting bx509d let us use kdc test programs to check that:
+#
+#  - the negotiate token validator plugin works
+#  - the simple CSR authorizer plugin works
+#  - the KDC CA tester program works
+
+echo "Check gss-token and Negotiate token validator plugin"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$H | tr A B)
+$test_token_validator -a datan.test.h5l.se Negotiate "$token" &&
+    { echo "Negotiate token validator accepted invalid token"; exit 2; }
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$H)
+$test_token_validator -a datan.test.h5l.se Negotiate "$token" ||
+    { echo "Negotiate token validator failed to validate valid token"; exit 2; }
+
+echo "Making a plain CSR"
+$hxtool request-create  --subject='' --generate-key=rsa --key-bits=1024 \
+                        --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
+    { echo "Failed to make a CSR"; exit 2; }
+
+rm -f trivial.pem server.pem email.pem
+
+echo "Testing plain user cert issuance KDC CA"
+$test_kdc_ca -a bx509 -A foo@TEST.H5L.SE PKCS10:${objdir}/req       \
+             PEM-FILE:${objdir}/trivial.pem ||
+    { echo "Trivial offline CA test failed"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/trivial.pem ||
+    { echo "Trivial offline CA test failed"; exit 2; }
+
+echo "Testing other cert issuance KDC CA"
+csr_revoke
+# https server cert
+$hxtool request-create  --subject='' --generate-key=rsa --key-bits=1024 \
+                        --key=FILE:"${objdir}/k.der"                    \
+                        --eku=id_pkix_kp_serverAuth                     \
+                        --dnsname=foo.test.h5l.se "${objdir}/req" ||
+    { echo "Failed to make a CSR with a dNSName SAN request"; exit 2; }
+$test_kdc_ca -a bx509 foo@TEST.H5L.SE PKCS10:${objdir}/req              \
+             PEM-FILE:${objdir}/server.pem &&
+    { echo "Trivial offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
+csr_grant dnsname foo.test.h5l.se foo@TEST.H5L.SE
+csr_grant eku 1.3.6.1.5.5.7.3.1 foo@TEST.H5L.SE
+$test_kdc_ca -a bx509 foo@TEST.H5L.SE PKCS10:${objdir}/req              \
+             PEM-FILE:${objdir}/server.pem ||
+    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/server.pem ||
+    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+# email cert
+$hxtool request-create  --subject='' --generate-key=rsa --key-bits=1024 \
+                        --key=FILE:"${objdir}/k.der"                    \
+                        --eku=id_pkix_kp_clientAuth                     \
+                        --email=foo@test.h5l.se "${objdir}/req" ||
+    { echo "Failed to make a CSR with an rfc822Name SAN request"; exit 2; }
+$test_kdc_ca -a bx509 foo@TEST.H5L.SE PKCS10:${objdir}/req              \
+             PEM-FILE:${objdir}/email.pem &&
+    { echo "Trivial offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
+csr_grant email foo@test.h5l.se foo@TEST.H5L.SE
+csr_grant eku 1.3.6.1.5.5.7.3.2 foo@TEST.H5L.SE
+$test_kdc_ca -a bx509 foo@TEST.H5L.SE PKCS10:${objdir}/req              \
+             PEM-FILE:${objdir}/email.pem ||
+    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/email.pem ||
+    { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+
+if ! which curl; then
+    echo "curl is not available -- not testing bx509d"
+    exit 0
+fi
+
+echo "Starting bx509d"
+${bx509d} --reverse-proxied -H $H --cert=${objdir}/bx509.pem -t -p $port --daemon ||
+    { echo "bx509 failed to start"; exit 2; }
+bx509pid=`getpid bx509d`
+
+trap "kill -9 ${bx509pid}; echo signal killing bx509d; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT
+ec=0
+
+rm -f trivial.pem server.pem email.pem
+
+echo "Making a plain CSR"
+csr_revoke
+$hxtool request-create  --subject='' --generate-key=rsa --key-bits=1024 \
+                        --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
+    { echo "Failed to make a CSR"; exit 2; }
+csr=$($rkbase64 -- ${objdir}/req | $rkvis -h --stdin)
+
+# XXX Add autoconf check for curl?
+#     Create a barebones bx509 HTTP/1.1 client test program?
+
+echo "Fetching a trivial user certificate"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$H)
+if (set -vx; get_cert '' -sf -o "${objdir}/trivial.pem"); then
+    $hxtool print --content "FILE:${objdir}/trivial.pem"
+    if $hxtool acert --end-entity                                            \
+                    --expr="%{certificate.subject} == \"CN=foo,$DCs\""  \
+                    -P "foo@TEST.H5L.SE" "FILE:${objdir}/trivial.pem"; then
+        echo 'Successfully obtained a trivial client certificate!'
+    else
+        echo 'FAIL: Obtained a trivial client certificate w/o expected PKINIT SAN)'
+        exit 1
+    fi
+else
+    echo 'Failed to get a certificate!'
+    exit 1
+fi
+
+echo "Checking that authorization is enforced"
+csr_revoke
+get_cert '&rfc822Name=foo@bar.example' -vvv -o "${objdir}/bad1.pem"
+if (set -vx; get_cert '&rfc822Name=foo@bar.example' -sf -o "${objdir}/trivial.pem"); then
+    $hxtool print --content "FILE:${objdir}/bad1.pem"
+    echo 'Obtained a client certificate for a non-granted name!'
+    exit 1
+else
+    echo 'Correctly failed to get a client certificate for a non-granted name'
+fi
+
+if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/bad2.pem"); then
+    $hxtool print --content "FILE:${objdir}/bad2.pem"
+    echo 'Obtained a server certificate for a non-granted name!'
+    exit 1
+else
+    echo 'Correctly failed to get a server certificate for a non-granted name'
+fi
+
+echo "Fetching a server certificate with one dNSName SAN"
+csr_grant dnsname $server foo@TEST.H5L.SE
+if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/server.pem"); then
+    $hxtool print --content "FILE:${objdir}/server.pem"
+    if (set -vx; $hxtool acert --expr="%{certificate.subject} == \"\""             \
+                    --end-entity -P foo@TEST.H5L.SE               \
+                    "FILE:${objdir}/server.pem"); then
+        echo 'Got a broken server certificate (has PKINIT SAN)'
+        exit 1
+    elif $hxtool acert --end-entity -D $server "FILE:${objdir}/server.pem"; then
+        echo 'Successfully obtained a server certificate!'
+    else
+        echo 'Got a broken server certificate'
+        exit 1
+    fi
+else
+    echo 'Failed to get a server certificate!'
+    exit 1
+fi
+
+echo "Fetching a server certificate with two dNSName SANs"
+csr_grant dnsname "second-$server" foo@TEST.H5L.SE
+if (set -vx;
+    get_cert "&dNSName=${server}&dNSName=second-$server" -sf \
+        -o "${objdir}/server2.pem"); then
+    $hxtool print --content "FILE:${objdir}/server2.pem"
+    if $hxtool acert --expr="%{certificate.subject} == \"\""             \
+                    --end-entity -P foo@TEST.H5L.SE               \
+                    "FILE:${objdir}/server2.pem"; then
+        echo 'Got a broken server certificate (has PKINIT SAN)'
+        exit 1
+    elif $hxtool acert --end-entity -D "$server"                      \
+                                   -D "second-$server"               \
+                                   "FILE:${objdir}/server2.pem"; then
+        echo 'Successfully obtained a server certificate with two dNSName SANs!'
+    else
+        echo 'Got a broken server certificate (wanted two dNSName SANs)'
+        exit 1
+    fi
+else
+    echo 'Failed to get a server certificate with two dNSName SANs!'
+    exit 1
+fi
+
+echo "Fetching an email certificate"
+csr_grant email foo@bar.example foo@TEST.H5L.SE
+if (set -vx; get_cert "&rfc822Name=foo@bar.example" -sf -o "${objdir}/email.pem"); then
+    $hxtool print --content "FILE:${objdir}/email.pem"
+    if $hxtool acert --end-entity -P "foo@TEST.H5L.SE" "FILE:${objdir}/email.pem"; then
+        echo 'Got a broken email certificate (has PKINIT SAN)'
+        exit 1
+    elif $hxtool acert --expr="%{certificate.subject} == \"\""           \
+                      --end-entity -M foo@bar.example                   \
+                      "FILE:${objdir}/email.pem"; then
+        echo 'Successfully obtained a email certificate!'
+    else
+        echo 'Got a broken email certificate'
+        exit 1
+    fi
+else
+    echo 'Failed to get an email certificate!'
+    exit 1
+fi
+
+if false not yet; then
+    # XXX Need to start a KDC to test this.
+    echo "Fetching a Negotiate token"
+    if (set -vx;
+        curl -o negotiate-token -Lgsf --connect-to ${server}:${port}:localhost:${port} \
+            -H "Authorization: Negotiate $token" \
+            "http://${server}:${port}/bnegotiate?target=HTTP%40${server}"); then
+        # bx509 sends us a token w/o a newline for now; we add one because
+        # gss-token expects it.
+        [[ -s negotiate-token ]] && echo >> negotiate-token
+        if [[ -s negotiate-token ]] && KRB5_KTNAME="${etc}/keytab.user" $gsstoken -Nr < negotiate-token; then
+            echo 'Successfully obtained a Negotiate token!'
+        else
+            echo 'Failed to get a Negotiate token!'
+            exit 1
+        fi
+    else
+        echo 'Failed to get a Negotiate token!'
+        exit 1
+    fi
+fi
+
+echo "killing bx509d (${bx509pid})"
+sh ${leaks_kill} bx509 $bx509pid || ec=1
+
+trap "" EXIT
+
+exit $ec

tests/kdc/check-pkinit.in

@@ -98,6 +98,7 @@ ${kadmin} \
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
 ${kadmin} add -p bar --use-defaults bar@${R} || exit 1
 ${kadmin} add -p baz --use-defaults baz@${R} || exit 1
+${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1
 ${kadmin} modify --alias=baz2@test.h5l.se baz@${R} || exit 1
 ${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
 
@@ -306,7 +307,7 @@ fi
 
 
 echo "killing kdc (${kdcpid})"
-sh ${leaks_kill} kdc $kdcpid || exit 1
+sh ${leaks_kill} kdc $kdcpid || ec=1
 
 trap "" EXIT
 

tests/kdc/krb5-bx509.conf.in

@@ -0,0 +1,129 @@
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+	allow_weak_crypto = TRUE
+        rdns = false
+        fcache_strict_checking = false
+        name_canon_rules = as-is:realm=TEST.H5L.SE
+
+[appdefaults]
+	pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
+	pkinit_pool = FILE:@objdir@/pkinit-anchor.pem
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+		pkinit_win2k = @w2k@
+	}
+
+[kdc]
+        num-kdc-processes = 1
+        strict-nametypes = true
+	enable-pkinit = true
+        pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+	pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+	pkinit_mappings_file = @srcdir@/pki-mapping
+
+        # Locate kdc plugins for testing
+        plugin_dir =  @objdir@/../../kdc/.libs
+
+        # Configure kdc plugins for testing
+        simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+        enable-pkinit = true
+        pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+        pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+        pkinit_mappings_file = @srcdir@/pki-mapping
+ 
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+                log_file = @objdir@/log.current-db.log
+	}
+
+        negotiate_token_validator = {
+                keytab = FILE:@objdir@/kt
+        }
+
+        realms = {
+                TEST.H5L.SE = {
+                        kx509 = {
+                                user = {
+                                        include_pkinit_san = true
+                                        subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+                                        ekus = 1.3.6.1.5.5.7.3.2
+                                        ca = PEM-FILE:@objdir@/user-issuer.pem
+                                }
+                                hostbased_service = {
+                                        HTTP = {
+                                                include_dnsname_san = true
+                                                ekus = 1.3.6.1.5.5.7.3.1
+                                                ca = PEM-FILE:@objdir@/server-issuer.pem
+                                        }
+                                }
+                                client = {
+                                        ekus = 1.3.6.1.5.5.7.3.2
+                                        ca = PEM-FILE:@objdir@/user-issuer.pem
+                                }
+                                server = {
+                                        ekus = 1.3.6.1.5.5.7.3.1
+                                        ca = PEM-FILE:@objdir@/server-issuer.pem
+                                }
+                                mixed = {
+                                        ekus = 1.3.6.1.5.5.7.3.1
+                                        ekus = 1.3.6.1.5.5.7.3.2
+                                        ca = PEM-FILE:@objdir@/mixed-issuer.pem
+                                }
+                        }
+                }
+        }
+
+[hdb]
+	db-dir = @objdir@
+ 
+[bx509]
+        realms = {
+                TEST.H5L.SE = {
+                        # Default (no cert exts requested)
+                        user = {
+                                # Use an issuer for user certs:
+                                ca = PEM-FILE:@objdir@/user-issuer.pem
+                                subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+                                ekus = 1.3.6.1.5.5.7.3.2
+                                include_pkinit_san = true
+                        }
+                        hostbased_service = {
+                                # Only for HTTP services
+                                HTTP = {
+                                        # Use an issuer for server certs:
+                                        ca = PEM-FILE:@objdir@/server-issuer.pem
+                                        include_dnsname_san = true
+                                        # Don't bother with a template
+                                }
+                        }
+                        # Non-default certs (extensions requested)
+                        #
+                        # Use no templates -- get empty subject names,
+                        # use SANs.
+                        #
+                        # Use appropriate issuers.
+                        client = {
+                                ca = PEM-FILE:@objdir@/user-issuer.pem
+                        }
+                        server = {
+                                ca = PEM-FILE:@objdir@/server-issuer.pem
+                        }
+                        mixed = {
+                                ca = PEM-FILE:@objdir@/mixed-issuer.pem
+                        }
+                }
+        }
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	bx509d = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+[domain_realm]
+        . = TEST.H5L.SE

tests/kdc/krb5-pkinit.conf.in

@@ -20,13 +20,12 @@
 	pkinit_anchors = FILE:@objdir@/ca.crt
 	pkinit_mappings_file = @srcdir@/pki-mapping
 
-        enable-kx509 = true
-        kx509_include_email_san = true
-        kx509_include_pkinit_san = true
-        kx509_include_dnsname_san = true
+        plugin_dir =  @objdir@/../../kdc/.libs
+
+        simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+        enable_kx509 = true
         require_initial_kca_tickets = false
-        kx509_template = FILE:@objdir@/kx509-template.crt
-        kx509_ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
 
 	database = {
 		dbname = @objdir@/current-db
@@ -35,6 +34,38 @@
                 log_file = @objdir@/log.current-db.log
 	}
 
+
+        realms = {
+                TEST.H5L.SE = {
+                        negotiate_token_validator = {
+                                keytab = HDBGET:@objdir@/current-db
+                        }
+                        kx509 = {
+                                user = {
+                                        include_pkinit_san = true
+                                        subject_name = CN=${principal-name-without-realm},DC=TEST,DC=H5L,DC=SE
+                                        ekus = 1.3.6.1.5.5.7.3.2
+                                        ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+                                        template_cert = FILE:@objdir@/kx509-template.crt
+                                }
+                                hostbased_service = {
+                                        HTTP = {
+                                                include_dnsname_san = true
+                                                ekus = 1.3.6.1.5.5.7.3.1
+                                                ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+                                        }
+                                }
+                                client = {
+                                        ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+                                }
+                                server = {
+                                        ekus = 1.3.6.1.5.5.7.3.1
+                                        ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+                                }
+                        }
+                }
+        }
+
 [hdb]
 	db-dir = @objdir@
 

tests/plugin/windc.c

@@ -1,6 +1,7 @@
 #include <string.h>
 #include <krb5.h>
 #include <hdb.h>
+#include <hx509.h>
 #include <kdc.h>
 #include <windc_plugin.h>