bx509d: Use /get-tgt lifetime q-param
This commit is contained in:
Nicolas Williams
@@ -1327,7 +1327,7 @@ k5_do_CA(struct bx509_request_desc *r)
|
||||
/* Issue the certificate */
|
||||
if (ret == 0)
|
||||
ret = kdc_issue_certificate(r->context, "get-tgt", logfac, req, p,
|
||||
&r->token_times, 0,
|
||||
&r->token_times, r->req_life,
|
||||
1 /* send_chain */, &certs);
|
||||
krb5_free_principal(r->context, p);
|
||||
hx509_request_free(&req);
|
||||
|
||||
@@ -67,6 +67,7 @@ ukeytab=FILE:${ukt}
|
||||
|
||||
kinit="${kinit} -c $cache ${afs_no_afslog}"
|
||||
klist2="${klist} --hidden -v -c $cache2"
|
||||
klistjson="${klist} --json -c $cache"
|
||||
klist="${klist} --hidden -v -c $cache"
|
||||
kgetcred="${kgetcred} -c $cache"
|
||||
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
|
||||
@@ -494,6 +495,84 @@ ${kgetcred} -H HTTP/${server}@${R} ||
|
||||
${klist} | grep Addresses:.IPv4:8.8.8.8 ||
|
||||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req under max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -o "${cachefile}" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=3d"); then
|
||||
echo "Failed to get a TGT with /get-tgt end-point"
|
||||
exit 2
|
||||
fi
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
|
||||
if which jq >/dev/null; then
|
||||
if ! ${klistjson} | jq -e '
|
||||
(reduce (.tickets[0]|(.Issued,.Expires)|
|
||||
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
|
||||
(0; if .==0 then $t else $t - . end) / 86400) | floor |
|
||||
. == 3'; then
|
||||
echo "Incorrect lifetime"
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req over max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -o "${cachefile}" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=10d"); then
|
||||
echo "Failed to get a TGT with /get-tgt end-point"
|
||||
exit 2
|
||||
fi
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
|
||||
if which jq >/dev/null; then
|
||||
if ! ${klistjson} | jq -e '
|
||||
(reduce (.tickets[0]|(.Issued,.Expires)|
|
||||
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
|
||||
(0; if .==0 then $t else $t - . end) / 86400) | floor |
|
||||
. == 5'; then
|
||||
echo "Incorrect lifetime"
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Fetch TGT (for other, w/ lifetime req under max)"
|
||||
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
|
||||
(set -vx; csr_grant pkinit bar@${R} foo@${R})
|
||||
${kdestroy}
|
||||
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
|
||||
if ! (set -vx;
|
||||
curl -o "${cachefile}" -Lgsf \
|
||||
--resolve ${server}:${bx509port}:127.0.0.1 \
|
||||
-H "Authorization: Negotiate $token" \
|
||||
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=5d"); then
|
||||
echo "Failed to get a TGT with /get-tgt end-point"
|
||||
exit 2
|
||||
fi
|
||||
${kgetcred} -H HTTP/${server}@${R} ||
|
||||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
|
||||
if which jq >/dev/null; then
|
||||
if ! ${klistjson} | jq -e '
|
||||
(reduce (.tickets[0]|(.Issued,.Expires)|
|
||||
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
|
||||
(0; if .==0 then $t else $t - . end) / 86400) |
|
||||
. >= 4'; then
|
||||
echo "Failed to get a TGT with /get-tgt end-point with addresses"
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Fetch negotiate token (pre-test)"
|
||||
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate
|
||||
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
|
||||
|
||||
@@ -36,6 +36,7 @@
|
||||
pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
|
||||
pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
|
||||
pkinit_mappings_file = @srcdir@/pki-mapping
|
||||
pkinit_max_life_from_cert = 5d
|
||||
|
||||
database = {
|
||||
dbname = @objdir@/current-db
|
||||
@@ -130,12 +131,25 @@
|
||||
realms = {
|
||||
TEST.H5L.SE = {
|
||||
# Default (no cert exts requested)
|
||||
client = {
|
||||
# Use an issuer for user certs:
|
||||
ca = PEM-FILE:@objdir@/user-issuer.pem
|
||||
subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
|
||||
ekus = 1.3.6.1.5.5.7.3.2
|
||||
include_pkinit_san = true
|
||||
allow_extra_lifetime = true
|
||||
max_cert_lifetime = 7d
|
||||
force_cert_lifetime = 2d
|
||||
}
|
||||
user = {
|
||||
# Use an issuer for user certs:
|
||||
ca = PEM-FILE:@objdir@/user-issuer.pem
|
||||
subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
|
||||
ekus = 1.3.6.1.5.5.7.3.2
|
||||
include_pkinit_san = true
|
||||
allow_extra_lifetime = true
|
||||
max_cert_lifetime = 7d
|
||||
force_cert_lifetime = 2d
|
||||
}
|
||||
hostbased_service = {
|
||||
# Only for HTTP services
|
||||
|
||||
Reference in New Issue
Block a user