Blame SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch

e58a44
From f726fe232a16a51ca277b660c61aa9cfc2f512f1 Mon Sep 17 00:00:00 2001
e58a44
From: Matt Rogers <mrogers@redhat.com>
e58a44
Date: Fri, 9 Dec 2016 11:43:27 -0500
e58a44
Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
e58a44
e58a44
[ghudson@mit.edu: simplify and explain tests; add test for
e58a44
id-pkinit-san match against canonicalized client principal]
e58a44
e58a44
ticket: 8528
e58a44
(cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d)
e58a44
---
665228
 src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++
e58a44
 1 file changed, 57 insertions(+)
e58a44
e58a44
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
e58a44
index 526473b42..ac4d326b6 100755
e58a44
--- a/src/tests/t_pkinit.py
e58a44
+++ b/src/tests/t_pkinit.py
e58a44
@@ -23,6 +23,9 @@ privkey_pem = os.path.join(certs, 'privkey.pem')
e58a44
 privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
e58a44
 user_p12 = os.path.join(certs, 'user.p12')
e58a44
 user_enc_p12 = os.path.join(certs, 'user-enc.p12')
e58a44
+user_upn_p12 = os.path.join(certs, 'user-upn.p12')
e58a44
+user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
e58a44
+user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
e58a44
 path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
e58a44
 path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
e58a44
 
e58a44
@@ -36,6 +39,20 @@ pkinit_kdc_conf = {'realms': {'$realm': {
e58a44
 restrictive_kdc_conf = {'realms': {'$realm': {
e58a44
             'restrict_anonymous_to_tgt': 'true' }}}
e58a44
 
e58a44
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
e58a44
+              'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
e58a44
+              'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
e58a44
+alias_kdc_conf = {'realms': {'$realm': {
e58a44
+            'default_principal_flags': '+preauth',
e58a44
+            'pkinit_eku_checking': 'none',
e58a44
+            'pkinit_allow_upn': 'true',
e58a44
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
e58a44
+            'database_module': 'test'}},
e58a44
+                  'dbmodules': {'test': {
e58a44
+                      'db_library': 'test',
e58a44
+                      'alias': {'user@krbtest.com': 'user'},
e58a44
+                      'princs': testprincs}}}
e58a44
+
e58a44
 file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
e58a44
 file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
e58a44
 dir_identity = 'DIR:%s' % path
e58a44
@@ -45,11 +62,51 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
e58a44
 dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
e58a44
                                         os.path.join(path_enc, 'user.key'))
e58a44
 p12_identity = 'PKCS12:%s' % user_p12
e58a44
+p12_upn_identity = 'PKCS12:%s' % user_upn_p12
e58a44
+p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
e58a44
+p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
e58a44
 p12_enc_identity = 'PKCS12:%s' % user_enc_p12
e58a44
 p11_identity = 'PKCS11:soft-pkcs11.so'
e58a44
 p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
e58a44
                       'slotid=1:token=SoftToken (token)')
e58a44
 
e58a44
+# Start a realm with the test kdb module for the following UPN SAN tests.
e58a44
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
e58a44
+                create_kdb=False)
e58a44
+realm.start_kdc()
e58a44
+
e58a44
+# Compatibility check: cert contains UPN "user", which matches the
e58a44
+# request principal user@KRBTEST.COM if parsed as a normal principal.
e58a44
+realm.kinit(realm.user_princ,
e58a44
+            flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
e58a44
+
e58a44
+# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
e58a44
+# the request principal user@KRBTEST.COM if parsed as a normal principal.
e58a44
+realm.kinit(realm.user_princ,
e58a44
+            flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
e58a44
+
e58a44
+# Cert contains UPN "user@krbtest.com" which is aliased to the request
e58a44
+# principal.
e58a44
+realm.kinit(realm.user_princ,
e58a44
+            flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
e58a44
+
e58a44
+# Test an id-pkinit-san match to a post-canonical principal.
e58a44
+realm.kinit('user@krbtest.com',
e58a44
+            flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
e58a44
+
e58a44
+# Test a UPN match to a post-canonical principal.  (This only works
e58a44
+# for the cert with the UPN containing just "user", as we don't allow
e58a44
+# UPN reparsing when comparing to the canonicalized client principal.)
e58a44
+realm.kinit('user@krbtest.com',
e58a44
+            flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
e58a44
+
e58a44
+# Test a mismatch.
e58a44
+out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
e58a44
+                 'user2'], expected_code=1)
e58a44
+if 'kinit: Client name mismatch while getting initial credentials' not in out:
e58a44
+    fail('Wrong error for UPN SAN mismatch')
e58a44
+realm.stop()
e58a44
+
e58a44
 realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
e58a44
                 get_creds=False)
e58a44