From f42477d27dc4f6c482a23a8c29d416d830277d04 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 10 Jan 2013 18:30:04 -0500
Subject: Add various client-authenticating PKINIT tests

Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes

[ghudson@mit.edu: reformatted to 79 columns; removed intermediate success() calls]
---
 src/tests/Makefile.in | 1 +
 src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 30 ++++++
 src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 0 -> 3029 bytes
 src/tests/dejagnu/pkinit-certs/user.p12 | Bin 0 -> 3104 bytes
 src/tests/dejagnu/pkinit-certs/user.pem | 32 ++++++
 src/tests/t_authpkinit.py | 140 +++++++++++++++++++++++++
 6 files changed, 203 insertions(+)
 create mode 100644 src/tests/dejagnu/pkinit-certs/privkey-enc.pem
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-enc.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user.pem
 create mode 100644 src/tests/t_authpkinit.py

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 45f3e8f1e3..55a3237896 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -82,6 +82,7 @@ check-pytests:: gcred hist kdbtest t_localauth
 $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_authpkinit.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
new file mode 100644
index 0000000000..9f7816f179
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,91CA660D6286E453
+
+DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7
+Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU
+AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX
+z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL
+EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO
+rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH
+8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn
+593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld
+rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd
++n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM
+LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37
+bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644
+RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT
+H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V
+DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi
+Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn
+foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw
+WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV
+xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f
+PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe
+/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU
+Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy
+BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d
+mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE
+UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh
+-----END RSA PRIVATE KEY-----
diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12
new file mode 100644
index 0000000000..107480c6d2
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/user-enc.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12
new file mode 100644
index 0000000000..a7c2baddf6
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/user.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem
new file mode 100644
index 0000000000..e6beefcde7
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/user.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk
+Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl
+cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu
+b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa
+MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE
+BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr
+aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0
+ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z
+J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek
+xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz
+yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy
+NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz
+Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ
+FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC
+k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
+dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg
+SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p
+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa
+MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC
+VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl
+ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w
+JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+
+RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep
+vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod
+icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ
+GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5
+Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ=
+-----END CERTIFICATE-----
diff --git a/src/tests/t_authpkinit.py b/src/tests/t_authpkinit.py
new file mode 100644
index 0000000000..41c10f580e
--- /dev/null
+++ b/src/tests/t_authpkinit.py
@@ -0,0 +1,140 @@
+#!/usr/bin/python
+from k5test import *
+
+# Skip this test if pkinit wasn't built.
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+ success('Warning: not testing pkinit because it is not built')
+ exit(0)
+
+# Check if soft-pkcs11.so is available.
+have_soft_pkcs11 = False
+try:
+ import ctypes
+ lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
+ del lib
+ have_soft_pkcs11 = True
+except:
+ have_soft_pkcs11 = False
+
+# Construct a krb5.conf fragment configuring pkinit.
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ca_pem = os.path.join(certs, 'ca.pem')
+kdc_pem = os.path.join(certs, 'kdc.pem')
+user_pem = os.path.join(certs, 'user.pem')
+privkey_pem = os.path.join(certs, 'privkey.pem')
+privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
+user_p12 = os.path.join(certs, 'user.p12')
+user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+pkinit_krb5_conf = {
+ 'realms': {'$realm': {
+ 'pkinit_anchors': 'FILE:%s' % ca_pem,
+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+pkinit_kdc_conf = {
+ 'realms': {'$realm': {
+ 'default_principal_flags': '+preauth',
+ 'pkinit_eku_checking': 'none'}}}
+
+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
+file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
+dir_identity = 'DIR:%s' % path
+dir_enc_identity = 'DIR:%s' % path_enc
+p12_identity = 'PKCS12:%s' % user_p12
+p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+p11_identity = 'PKCS11:soft-pkcs11.so'
+# Set up the DIR: identities. They go away as a side-effect of reinitializing
+# the realm testdir, so we don't have a specific cleanup method.
+def setup_dir_identities(realm):
+ os.mkdir(path)
+ os.mkdir(path_enc)
+ shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
+ shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
+ shutil.copy(user_pem, os.path.join(path, 'user.crt'))
+ shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
+
+# Run the basic test - PKINIT with FILE: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % file_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# Run the basic test - PKINIT with FILE: identity, with a password on the key,
+# supplied by the prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
+ password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with no password on the key.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with DIR: identity, with a password on the key, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+setup_dir_identities(realm)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
+ password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with no password on the bundle.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
+# prompter.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
+ password='encrypted')
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
+if have_soft_pkcs11:
+ os.environ['SOFTPKCS11RC'] = os.path.join(os.getcwd(), 'testdir',
+ 'soft-pkcs11.rc')
+
+ # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+ realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+ get_creds=False)
+ conf = open(os.environ['SOFTPKCS11RC'], 'w')
+ conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+ privkey_enc_pem))
+ conf.close()
+ realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity],
+ password='encrypted')
+ realm.klist('user@%s' % realm.realm)
+ realm.run([kvno, realm.host_princ])
+ realm.stop()
+else:
+ output('soft-pkcs11.so not found: '
+ 'skipping tests with PKCS11 identities\n')
+
+success('Authenticated PKINIT')
-- cgit
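Review bot: The "DIR: identity, with no password" block never exercises a DIR: identity, because its kinit flags pass `p12_identity` (a repeat of the PKCS12 no-password case that follows), so `dir_identity` is defined but unused and a regression in unencrypted-key handling for DIR: would pass this test; that line should read `flags=['-X', 'X509_user_identity=%s' % dir_identity])`. The bare `except:` around the soft-pkcs11.so probe also catches SystemExit and KeyboardInterrupt, which is more than a feature probe should swallow; `except (ImportError, OSError):` covers the import failure and the dlopen failure that the probe is there to absorb. The SOFTPKCS11RC file is written with open/write/close and is cleaner as `with open(os.environ['SOFTPKCS11RC'], 'w') as conf:` so the handle is closed even if the write raises.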