oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

bx509d: Implement /get-tgt end-point

Browse Source
This commit is contained in:
Nicolas Williams
2021-04-06 13:55:52 -05:00
parent d72c4af635
commit 6633f6e525
5 changed files with 260 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tests/kdc/Makefile.am
View File

@@ -317,6 +317,7 @@ CLEANFILES= \
barpassword \
ca.crt \
cache.krb5 \
cache2.krb5 \
cdigest-reply \
client-cache \
curlheaders \
@@ -339,8 +340,10 @@ CLEANFILES= \
krb5-cc.conf \
krb5-cccol.conf \
krb5-hdb-mitdb.conf \
krb5-master2.conf \
krb5-pkinit-win.conf \
krb5-pkinit.conf \
krb5-pkinit2.conf \
krb5-bx509.conf \
krb5-httpkadmind.conf \
krb5-slave2.conf \
@@ -354,12 +357,14 @@ CLEANFILES= \
malloc-log \
malloc-log-master \
malloc-log-slave \
messages.log2 \
negotiate-token \
notfoopassword \
o2cache.krb5 \
o2digest-reply \
ocache.krb5 \
out-log \
req \
response-headers \
s2digest-reply \
sdb \

30
tests/kdc/check-bx509.in
View File

@@ -54,7 +54,10 @@ kdc="${kdc} --addresses=localhost -P $port"
server=datan.test.h5l.se
otherserver=other.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
cachefile="${objdir}/cache.krb5"
cache="FILE:${cachefile}"
cachefile2="${objdir}/cache2.krb5"
cache2="FILE:${cachefile2}"
keyfile="${hx509_data}/key.der"
keyfile2="${hx509_data}/key2.der"
kt=${objdir}/kt
@@ -63,6 +66,7 @@ ukt=${objdir}/ukt
ukeytab=FILE:${ukt}
kinit="${kinit} -c $cache ${afs_no_afslog}"
klist2="${klist} --hidden -v -c $cache2"
klist="${klist} --hidden -v -c $cache"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
@@ -429,6 +433,30 @@ trap "kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;
${kinit} -kt $ukeytab foo@${R} || exit 1
$klist || { echo "failed to setup kimpersonate credentials"; exit 2; }
echo "Fetch TGT"
(set -vx; csr_grant pkinit foo@${R} foo@${R})
token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile2}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
echo "Fetch TGT (inception)"
${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
echo "Fetch negotiate token (pre-test)"
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \

39
tests/kdc/krb5-bx509.conf.in
View File

@@ -121,6 +121,45 @@
}
}
[getTGT]
simple_csr_authorizer_directory = @objdir@/simple_csr_authz
realms = {
TEST.H5L.SE = {
# Default (no cert exts requested)
user = {
# Use an issuer for user certs:
ca = PEM-FILE:@objdir@/user-issuer.pem
subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
ekus = 1.3.6.1.5.5.7.3.2
include_pkinit_san = true
}
hostbased_service = {
# Only for HTTP services
HTTP = {
# Use an issuer for server certs:
ca = PEM-FILE:@objdir@/server-issuer.pem
include_dnsname_san = true
# Don't bother with a template
}
}
# Non-default certs (extensions requested)
#
# Use no templates -- get empty subject names,
# use SANs.
#
# Use appropriate issuers.
client = {
ca = PEM-FILE:@objdir@/user-issuer.pem
}
server = {
ca = PEM-FILE:@objdir@/server-issuer.pem
}
mixed = {
ca = PEM-FILE:@objdir@/mixed-issuer.pem
}
}
}
[logging]
kdc = 0-/FILE:@objdir@/messages.log
bx509d = 0-/FILE:@objdir@/messages.log