author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-07-19 11:33:20 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-07-22 12:25:31 -0400 |
commit | b37a0be87e5146d730b89abd1378a3043d5015b2 (patch) | |
tree | 32392f8837c320b186ce146384045afce3150fd4 /src/tests/t_pkinit.py | |
parent | 744d6f873393b6bbd12e1c1884738676a089fa65 (diff) | |
Don't ask empty responder questions in PKINIT
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
Diffstat (limited to 'src/tests/t_pkinit.py')
-rw-r--r-- | src/tests/t_pkinit.py | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index fd1db929f..7b20fa37b 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -89,7 +89,7 @@ realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % file_identity,
 'user@%s' % realm.realm])
@@ -144,7 +144,7 @@ shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % dir_identity,
 'user@%s' % realm.realm])
@@ -195,7 +195,7 @@ realm.run([kvno, realm.host_princ])
 # PKINIT with PKCS12: identity, with no password on the bundle.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % p12_identity,
 'user@%s' % realm.realm])
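Review bot: The new expected value `'pkinit='` after `'-x'` in the FILE: case is not explained at the call site, and the same holds for the DIR: and PKCS12: hunks, so a reader cannot tell whether it asserts that the pkinit question is absent or that it is present with an empty challenge. The commit message says the point is that no empty question is asked when no PIN or password is needed, so that distinction is what these three tests exist to check. A one-line comment above each call would pin it down, for example `# 'pkinit=' means the responder must see no PKINIT question for an unprotected identity`, assuming that is how the responder helper reads an empty value, which is not visible in this diff.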
@@ -243,13 +243,31 @@ realm.run([kvno, realm.host_princ]) if have_soft_pkcs11: softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc') + realm.env['SOFTPKCS11RC'] = softpkcs11rc + + # PKINIT with PKCS11: identity, with no need for a PIN. conf = open(softpkcs11rc, 'w') conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, - privkey_enc_pem)) + privkey_pem)) conf.close() - realm.env['SOFTPKCS11RC'] = softpkcs11rc + # Expect to succeed without having to supply any more information. + realm.run(['./responder', + '-x', + 'pkinit=', + '-X', + 'X509_user_identity=%s' % p11_identity, + 'user@%s' % realm.realm]) + realm.kinit('user@%s' % realm.realm, + flags=['-X', 'X509_user_identity=%s' % p11_identity]) + realm.klist('user@%s' % realm.realm) + realm.run([kvno, realm.host_princ]) # PKINIT with PKCS11: identity, with a PIN supplied by the prompter. + os.remove(softpkcs11rc) + conf = open(softpkcs11rc, 'w') + conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, + privkey_enc_pem)) + conf.close() # Expect failure if the responder does nothing, and there's no prompter realm.run(['./responder', '-x', |
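Review bot: The soft-pkcs11 rc file is now written twice with the same open/write/close sequence, once with `privkey_pem` for the no-PIN case and once with `privkey_enc_pem` for the PIN case, and neither copy closes the file if `conf.write` raises. A small helper using `with open(...)` would remove the duplication and make the only difference between the two cases, which key file the token points at, visible at a glance. The added `os.remove(softpkcs11rc)` appears redundant, because opening with mode `'w'` already truncates the file; if the removal is needed for some other reason it deserves a comment. The final `realm.run(['./responder', ...` call continues past the end of the hunk.

```python
def write_softpkcs11rc(path, key_pem):
    with open(path, 'w') as conf:
        conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
                                         key_pem))

if have_soft_pkcs11:
    # … unchanged: softpkcs11rc path and realm.env['SOFTPKCS11RC'] …

    # PKINIT with PKCS11: identity, with no need for a PIN.
    write_softpkcs11rc(softpkcs11rc, privkey_pem)
    # … unchanged: responder, kinit, klist and kvno runs …

    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
    write_softpkcs11rc(softpkcs11rc, privkey_enc_pem)
```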