s4:torture/rpc/backupkey: Require 2048 bit RSA key

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

(fixed cleanup of memory)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

1 files changed, 75 insertions, 0 deletions

diff --git a/source4/torture/rpc/backupkey.c b/source4/torture/rpc/backupkey.c
index 75f756c9cc..f74cded084 100644
--- a/source4/torture/rpc/backupkey.c
+++ b/source4/torture/rpc/backupkey.c
@@ -30,6 +30,7 @@
 #include <system/network.h>
 #include <hx509.h>
 #include <der.h>
+#include <hcrypto/rsa.h>
 
 
 /* Our very special and valued secret */
@@ -1034,6 +1035,77 @@ static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx,
 	return true;
 }
 
+/* 
+ * Check that the RSA modulus in the certificate of the DCs has 2048 bits.
+ */
+static bool test_RetreiveBackupKeyGUID_2048bits(struct torture_context *tctx,
+					struct dcerpc_pipe *p)
+{
+	struct dcerpc_binding_handle *b = p->binding_handle;
+	DATA_BLOB out_blob;
+	struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	hx509_context hctx;
+	int hret;
+	hx509_cert cert;
+	SubjectPublicKeyInfo spki;
+	RSA *rsa;
+	int RSA_returned_bits;
+
+	hx509_context_init(&hctx);
+
+	if (r == NULL) {
+		return false;
+	}
+
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+
+	if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+		const unsigned char *spki_spk_data;
+		torture_assert_ntstatus_ok(tctx,
+				dcerpc_bkrp_BackupKey_r(b, tctx, r),
+				"Get GUID");
+
+		out_blob.length = *r->out.data_out_len;
+
+		hret = hx509_cert_init_data(hctx, out_blob.data, out_blob.length, &cert);
+		torture_assert_int_equal(tctx, hret, 0, "hx509_cert_init_data failed");
+
+		hret = hx509_cert_get_SPKI(hctx, cert , &spki);
+		torture_assert_int_equal(tctx, hret, 0, "hx509_cert_get_SPKI failed");
+
+		/* We must take a copy, as d2i_RSAPublicKey *changes* the input parameter */
+		spki_spk_data = spki.subjectPublicKey.data;
+		rsa = d2i_RSAPublicKey(NULL, &spki_spk_data, spki.subjectPublicKey.length / 8);
+		torture_assert_int_equal(tctx, rsa != NULL, 1, "d2i_RSAPublicKey failed");
+
+		RSA_returned_bits = BN_num_bits(rsa->n);
+		torture_assert_int_equal(tctx,
+						RSA_returned_bits,
+						2048,
+						"RSA Key doesn't have 2048 bits");
+
+		RSA_free(rsa);
+
+		/* 
+		 * Because we prevented spki from being changed above,
+		 * we can now safely call this to free it 
+		 */
+		free_SubjectPublicKeyInfo(&spki);
+		hx509_cert_free(cert);
+		hx509_context_free(&hctx);
+
+	} else {
+		torture_assert_ntstatus_equal(tctx,
+						dcerpc_bkrp_BackupKey_r(b, tctx, r),
+						NT_STATUS_ACCESS_DENIED,
+						"Get GUID");
+	}
+	return true;
+}
+
 struct torture_suite *torture_rpc_backupkey(TALLOC_CTX *mem_ctx)
 {
 	struct torture_rpc_tcase *tcase;
@@ -1080,5 +1152,8 @@ struct torture_suite *torture_rpc_backupkey(TALLOC_CTX *mem_ctx)
 	torture_rpc_tcase_add_test(tcase, "empty_request_restore_guid",
 				   test_RestoreGUID_emptyrequest);
 
+	torture_rpc_tcase_add_test(tcase, "retreive_backup_key_guid_2048_bits",
+		test_RetreiveBackupKeyGUID_2048bits);
+
 	return suite;
 }