diff --git a/kdc/bx509d.c b/kdc/bx509d.c
index f986bf271..e1461f043 100644
--- a/kdc/bx509d.c
+++ b/kdc/bx509d.c
@@ -1327,7 +1327,7 @@ k5_do_CA(struct bx509_request_desc *r)
 /* Issue the certificate */
 if (ret == 0)
 ret = kdc_issue_certificate(r->context, "get-tgt", logfac, req, p,
- &r->token_times, 0,
+ &r->token_times, r->req_life,
 1 /* send_chain */, &certs);
 krb5_free_principal(r->context, p);
 hx509_request_free(&req);
diff --git a/tests/kdc/check-bx509.in b/tests/kdc/check-bx509.in
index 89853f838..081ee9603 100644
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -67,6 +67,7 @@ ukeytab=FILE:${ukt}
 kinit="${kinit} -c $cache ${afs_no_afslog}"
 klist2="${klist} --hidden -v -c $cache2"
+klistjson="${klist} --json -c $cache"
 klist="${klist} --hidden -v -c $cache"
 kgetcred="${kgetcred} -c $cache"
 kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
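Review bot: `r->req_life` now reaches kdc_issue_certificate as the requested lifetime, but nothing in the hunk bounds it, and since the value is evidently caller-controlled (the new `lifetime=` query parameter exercised in check-bx509.in) the clamp against realm policy must happen inside kdc_issue_certificate or the KDC — the "over max" test expecting a shorter ticket than the 10d requested suggests it does, but that is inferred, not visible here, and is worth confirming before merge. A comment on the call would pin the contract for the next reader: `/* r->req_life is the client-requested lifetime (0 = default); kdc_issue_certificate is expected to clamp it to realm policy */`. k5_do_CA begins and ends outside the hunk, so where req_life is parsed and validated cannot be checked from this hunk.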
@@ -494,6 +495,84 @@ ${kgetcred} -H HTTP/${server}@${R} || ${klist} | grep Addresses:.IPv4:8.8.8.8 || { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; } +echo "Fetch TGT (for other, w/ lifetime req under max)" +${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R} +(set -vx; csr_grant pkinit bar@${R} foo@${R}) +${kdestroy} +token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server) +if ! (set -vx; + curl -o "${cachefile}" -Lgsf \ + --resolve ${server}:${bx509port}:127.0.0.1 \ + -H "Authorization: Negotiate $token" \ + "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=3d"); then + echo "Failed to get a TGT with /get-tgt end-point" + exit 2 +fi +${kgetcred} -H HTTP/${server}@${R} || + { echo "Trivial offline CA test failed (TGS)"; exit 2; } +if which jq >/dev/null; then + if ! ${klistjson} | jq -e ' + (reduce (.tickets[0]|(.Issued,.Expires)| + strptime("%b %e %H:%M:%S %Y")|mktime) as $t + (0; if .==0 then $t else $t - . end) / 86400) | floor | + . == 3'; then + echo "Incorrect lifetime" + exit 2 + fi +fi + +echo "Fetch TGT (for other, w/ lifetime req over max)" +${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R} +(set -vx; csr_grant pkinit bar@${R} foo@${R}) +${kdestroy} +token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server) +if ! (set -vx; + curl -o "${cachefile}" -Lgsf \ + --resolve ${server}:${bx509port}:127.0.0.1 \ + -H "Authorization: Negotiate $token" \ + "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=10d"); then + echo "Failed to get a TGT with /get-tgt end-point" + exit 2 +fi +${kgetcred} -H HTTP/${server}@${R} || + { echo "Trivial offline CA test failed (TGS)"; exit 2; } +if which jq >/dev/null; then + if ! ${klistjson} | jq -e ' + (reduce (.tickets[0]|(.Issued,.Expires)| + strptime("%b %e %H:%M:%S %Y")|mktime) as $t + (0; if .==0 then $t else $t - . end) / 86400) | floor | + . 
== 5'; then + echo "Incorrect lifetime" + exit 2 + fi +fi + +echo "Fetch TGT (for other, w/ lifetime req under max)" +${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R} +(set -vx; csr_grant pkinit bar@${R} foo@${R}) +${kdestroy} +token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server) +if ! (set -vx; + curl -o "${cachefile}" -Lgsf \ + --resolve ${server}:${bx509port}:127.0.0.1 \ + -H "Authorization: Negotiate $token" \ + "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=5d"); then + echo "Failed to get a TGT with /get-tgt end-point" + exit 2 +fi +${kgetcred} -H HTTP/${server}@${R} || + { echo "Trivial offline CA test failed (TGS)"; exit 2; } +if which jq >/dev/null; then + if ! ${klistjson} | jq -e ' + (reduce (.tickets[0]|(.Issued,.Expires)| + strptime("%b %e %H:%M:%S %Y")|mktime) as $t + (0; if .==0 then $t else $t - . end) / 86400) | + . >= 4'; then + echo "Failed to get a TGT with /get-tgt end-point with addresses" + exit 2 + fi +fi + echo "Fetch negotiate token (pre-test)" # Do what /bnegotiate does, roughly, prior to testing /bnegotiate $hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \ diff --git a/tests/kdc/krb5-bx509.conf.in b/tests/kdc/krb5-bx509.conf.in index f089cefcd..8a9d0bb49 100644 --- a/tests/kdc/krb5-bx509.conf.in +++ b/tests/kdc/krb5-bx509.conf.in @@ -36,6 +36,7 @@ pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem pkinit_mappings_file = @srcdir@/pki-mapping + pkinit_max_life_from_cert = 5d database = { dbname = @objdir@/current-db 
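Review bot: In the third new block (`lifetime=5d`), the jq lifetime check fails with `echo "Failed to get a TGT with /get-tgt end-point with addresses"`, which is the message of an unrelated earlier test; the first two blocks use `echo "Incorrect lifetime"` and this one should too so a log reader can tell which assertion tripped. That block's heading also repeats the first block's `lifetime req under max` wording although it requests 5d, the value that pkinit_max_life_from_cert is set to in krb5-bx509.conf.in; something like `echo "Fetch TGT (for other, w/ lifetime req at max)"` would distinguish the three cases. All three lifetime assertions sit behind `if which jq >/dev/null`, so on a host without jq the script exits 0 having verified nothing about the clamp — printing a "lifetime checks skipped: jq not found" line there, or treating missing jq as a failure, would keep that from reading as a pass.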
@@ -130,12 +131,25 @@ realms = {
 TEST.H5L.SE = {
 # Default (no cert exts requested)
+ client = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
+ }
 user = {
 # Use an issuer for user certs:
 ca = PEM-FILE:@objdir@/user-issuer.pem
 subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
 ekus = 1.3.6.1.5.5.7.3.2
 include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
 }
 hostbased_service = {
 # Only for HTTP services