bx509d: Use /get-tgt lifetime q-param

This commit is contained in:
Nicolas Williams
2021-05-06 23:13:24 -05:00
parent 5aaf12351a
commit 8807a0aad9
3 changed files with 94 additions and 1 deletions

View File

@@ -1327,7 +1327,7 @@ k5_do_CA(struct bx509_request_desc *r)
/* Issue the certificate */
if (ret == 0)
ret = kdc_issue_certificate(r->context, "get-tgt", logfac, req, p,
&r->token_times, 0,
&r->token_times, r->req_life,
1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
hx509_request_free(&req);

View File

@@ -67,6 +67,7 @@ ukeytab=FILE:${ukt}
kinit="${kinit} -c $cache ${afs_no_afslog}"
klist2="${klist} --hidden -v -c $cache2"
klistjson="${klist} --json -c $cache"
klist="${klist} --hidden -v -c $cache"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
@@ -494,6 +495,84 @@ ${kgetcred} -H HTTP/${server}@${R} ||
${klist} | grep Addresses:.IPv4:8.8.8.8 ||
{ echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
echo "Fetch TGT (for other, w/ lifetime req under max)"
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
(set -vx; csr_grant pkinit bar@${R} foo@${R})
${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=3d"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
${kgetcred} -H HTTP/${server}@${R} ||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
if which jq >/dev/null; then
if ! ${klistjson} | jq -e '
(reduce (.tickets[0]|(.Issued,.Expires)|
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
(0; if .==0 then $t else $t - . end) / 86400) | floor |
. == 3'; then
echo "Incorrect lifetime"
exit 2
fi
fi
echo "Fetch TGT (for other, w/ lifetime req over max)"
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
(set -vx; csr_grant pkinit bar@${R} foo@${R})
${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=10d"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
${kgetcred} -H HTTP/${server}@${R} ||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
if which jq >/dev/null; then
if ! ${klistjson} | jq -e '
(reduce (.tickets[0]|(.Issued,.Expires)|
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
(0; if .==0 then $t else $t - . end) / 86400) | floor |
. == 5'; then
echo "Incorrect lifetime"
exit 2
fi
fi
echo "Fetch TGT (for other, w/ lifetime req under max)"
${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
(set -vx; csr_grant pkinit bar@${R} foo@${R})
${kdestroy}
token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
if ! (set -vx;
curl -o "${cachefile}" -Lgsf \
--resolve ${server}:${bx509port}:127.0.0.1 \
-H "Authorization: Negotiate $token" \
"http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=5d"); then
echo "Failed to get a TGT with /get-tgt end-point"
exit 2
fi
${kgetcred} -H HTTP/${server}@${R} ||
{ echo "Trivial offline CA test failed (TGS)"; exit 2; }
if which jq >/dev/null; then
if ! ${klistjson} | jq -e '
(reduce (.tickets[0]|(.Issued,.Expires)|
strptime("%b %e %H:%M:%S %Y")|mktime) as $t
(0; if .==0 then $t else $t - . end) / 86400) |
. >= 4'; then
echo "Failed to get a TGT with /get-tgt end-point with addresses"
exit 2
fi
fi
echo "Fetch negotiate token (pre-test)"
# Do what /bnegotiate does, roughly, prior to testing /bnegotiate
$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \

View File

@@ -36,6 +36,7 @@
pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
pkinit_mappings_file = @srcdir@/pki-mapping
pkinit_max_life_from_cert = 5d
database = {
dbname = @objdir@/current-db
@@ -130,12 +131,25 @@
realms = {
TEST.H5L.SE = {
# Default (no cert exts requested)
client = {
# Use an issuer for user certs:
ca = PEM-FILE:@objdir@/user-issuer.pem
subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
ekus = 1.3.6.1.5.5.7.3.2
include_pkinit_san = true
allow_extra_lifetime = true
max_cert_lifetime = 7d
force_cert_lifetime = 2d
}
user = {
# Use an issuer for user certs:
ca = PEM-FILE:@objdir@/user-issuer.pem
subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
ekus = 1.3.6.1.5.5.7.3.2
include_pkinit_san = true
allow_extra_lifetime = true
max_cert_lifetime = 7d
force_cert_lifetime = 2d
}
hostbased_service = {
# Only for HTTP services