git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b...
[samba.git] / source4 / heimdal / tests / kdc / check-pkinit.in
1 #!/bin/sh
2 #
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden). 
5 # All rights reserved. 
6 #
7 # Redistribution and use in source and binary forms, with or without 
8 # modification, are permitted provided that the following conditions 
9 # are met: 
10 #
11 # 1. Redistributions of source code must retain the above copyright 
12 #    notice, this list of conditions and the following disclaimer. 
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright 
15 #    notice, this list of conditions and the following disclaimer in the 
16 #    documentation and/or other materials provided with the distribution. 
17 #
18 # 3. Neither the name of the Institute nor the names of its contributors 
19 #    may be used to endorse or promote products derived from this software 
20 #    without specific prior written permission. 
21 #
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
25 # ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
32 # SUCH DAMAGE. 
33
34 top_builddir="@top_builddir@"
35 env_setup="@env_setup@"
36 objdir="@objdir@"
37
38 testfailed="echo test failed; cat messages.log; exit 1"
39
40 . ${env_setup}
41
42 # If there is no useful db support compiled in, disable test
43 ${have_db} || exit 77
44
45 R=TEST.H5L.SE
46
47 port=@port@
48
49 kadmin="${kadmin} -l -r $R"
50 kdc="${kdc} --addresses=localhost -P $port"
51
52 server=host/datan.test.h5l.se
53 cache="FILE:${objdir}/cache.krb5"
54 keyfile="${hx509_data}/key.der"
55 keyfile2="${hx509_data}/key2.der"
56
57 kinit="${kinit} -c $cache ${afs_no_afslog}"
58 klistjson="${klist} --json -c $cache"
59 klistplain="${klist} -c $cache"
60 klist="${klist} --hidden -v -c $cache"
61 kgetcred="${kgetcred} -c $cache"
62 kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
63 kx509="${kx509} -c $cache"
64
65 KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
66 export KRB5_CONFIG
67
68 rsa=yes
69 pkinit=no
70 if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
71     rsa=no
72 fi
73 if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
74     rsa=no
75 fi
76
77 if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
78     pkinit=yes
79 fi
80
81 # If we doesn't support pkinit and have RSA, give up
82 if test "$pkinit" != yes -o "$rsa" != yes ; then
83     exit 77
84 fi
85
86
87 rm -f current-db*
88 rm -f out-*
89 rm -f mkey.file*
90
91 > messages.log
92
93 echo Creating database
94 ${kadmin} \
95     init \
96     --realm-max-ticket-life=1day \
97     --realm-max-renewable-life=1month \
98     ${R} || exit 1
99
100 ${kadmin} modify --max-ticket-life=5d krbtgt/${R}@${R} || exit 1
101 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
102 ${kadmin} add -p bar --use-defaults bar@${R} || exit 1
103 ${kadmin} add -p baz --use-defaults baz@${R} || exit 1
104 ${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1
105 ${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R} || exit 1
106 ${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
107
108 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
109
110 echo "Doing database check"
111 ${kadmin} check ${R} || exit 1
112
113 # XXX Do not use committed, in-tree private keys or certificates!
114 # XXX Add hxtool command to generate a private key w/o generating a CSR
115 # XXX Use hxtool to generate a fresh private key
116 # XXX Use hxtool to generate self-signed CA certs
117 # XXX Use PEM-FILE and store private key and certificate in same file
118 # XXX Update krb5.conf.in to use ${objdir}-relative keys and certificates
119
120 echo "Setting up certificates"
121 ${hxtool} request-create \
122          --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
123          --key=FILE:${keyfile2} \
124          req-kdc.der || exit 1
125 ${hxtool} request-create \
126          --subject="CN=bar,DC=test,DC=h5l,DC=se" \
127          --key=FILE:${keyfile2} \
128          req-pkinit.der || exit 1
129 ${hxtool} request-create \
130          --subject="CN=baz,DC=test,DC=h5l,DC=se" \
131          --key=FILE:${keyfile2} \
132          req-pkinit2.der || exit 1
133
134 echo "issue self-signed ca cert"
135 ${hxtool} issue-certificate \
136           --self-signed \
137           --issue-ca \
138           --ca-private-key=FILE:${keyfile} \
139           --subject="CN=CA,DC=test,DC=h5l,DC=se" \
140           --certificate="FILE:ca.crt" || exit 1
141
142 echo "issue kdc certificate"
143 ${hxtool} issue-certificate \
144           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
145           --type="pkinit-kdc" \
146           --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
147           --req="PKCS10:req-kdc.der" \
148           --certificate="FILE:kdc.crt" || exit 1
149
150 echo "issue user certificate (pkinit san)"
151 ${hxtool} issue-certificate \
152           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
153           --type="pkinit-client" \
154           --pk-init-principal="bar@TEST.H5L.SE" \
155           --req="PKCS10:req-pkinit.der" \
156           --lifetime=7d \
157           --certificate="FILE:pkinit.crt" || exit 1
158
159 echo "issue user certificate (pkinit san; synthetic principal)"
160 ${hxtool} issue-certificate \
161           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
162           --type="pkinit-client" \
163           --pk-init-principal="synthetized@TEST.H5L.SE" \
164           --req="PKCS10:req-pkinit.der" \
165           --lifetime=7d \
166           --certificate="FILE:pkinit-synthetic.crt" || exit 1
167
168 echo "issue user 2 certificate (no san)"
169 ${hxtool} issue-certificate \
170           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
171           --type="pkinit-client" \
172           --req="PKCS10:req-pkinit2.der" \
173           --certificate="FILE:pkinit2.crt" || exit 1
174
175 echo "issue user 3 certificate (ms san)"
176 ${hxtool} issue-certificate \
177           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
178           --type="pkinit-client" \
179           --ms-upn="bar@test.h5l.se" \
180           --req="PKCS10:req-pkinit2.der" \
181           --certificate="FILE:pkinit3.crt" || exit 1
182
183 echo "issue user 3 certificate (ms san, baz2)"
184 ${hxtool} issue-certificate \
185           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
186           --type="pkinit-client" \
187           --ms-upn="baz2\\@test.h5l.se@${R}" \
188           --req="PKCS10:req-pkinit2.der" \
189           --certificate="FILE:pkinit4.crt" || exit 1
190
191 echo "issue self-signed kx509 template cert"
192 ${hxtool} issue-certificate \
193           --self-signed \
194           --ca-private-key=FILE:${keyfile} \
195           --subject='CN=${principal-component0},DC=test,DC=h5l,DC=se' \
196           --certificate="FILE:kx509-template.crt" || exit 1
197
198 echo foo > ${objdir}/foopassword
199
200 echo Starting kdc ; > messages.log
201 KRB5_CONFIG="${objdir}/krb5-pkinit2.conf"
202 ${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
203 kdcpid=`getpid kdc`
204
205 trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt; exit 1;' EXIT
206
207 ec=0
208
209 echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log
210 base="${objdir}"
211 ${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
212         { ec=1 ; eval "${testfailed}"; }
213 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
214 ${klist}
215 if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
216     ${klistjson} |
217         jq -e '(((.tickets[0].Expires|
218                strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
219                (floor < 4)' >/dev/null &&
220            { ec=1 ; eval "${testfailed}"; }
221 fi
222 ${kdestroy}
223
224 echo "Trying pk-init (principal in cert; synthetic)"; > messages.log
225 base="${objdir}"
226 ${kinit} --lifetime=5d -C FILE:${base}/pkinit-synthetic.crt,${keyfile2} synthetized@${R} || \
227         { ec=1 ; eval "${testfailed}"; }
228 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
229 ${klist}
230 ${kdestroy}
231
232 echo "Restarting kdc ($kdcpid)"
233 sh ${leaks_kill} kdc $kdcpid || ec=1
234 KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
235 ${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
236 kdcpid=`getpid kdc`
237
238 echo "Trying pk-init (principal in cert)"; > messages.log
239 base="${objdir}"
240 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
241         { ec=1 ; eval "${testfailed}"; }
242 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
243 ${klist}
244 if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
245     ${klistjson} |
246         jq -e '(((.tickets[0].Expires|
247                strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
248                (floor > 1)' >/dev/null &&
249            { ec=1 ; eval "${testfailed}"; }
250 fi
251 ${kdestroy}
252
253 echo "Trying pk-init (principal in cert; longer max_life from cert ext)"; > messages.log
254 # Re-issue cert with --pkinit-max-life=7d
255 ${hxtool} issue-certificate \
256           --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
257           --type="pkinit-client" \
258           --pk-init-principal="bar@TEST.H5L.SE" \
259           --req="PKCS10:req-pkinit.der" \
260           --lifetime=7d \
261           --pkinit-max-life=7d \
262           --certificate="FILE:pkinit.crt" || exit 1
263 base="${objdir}"
264 ${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
265         { ec=1 ; eval "${testfailed}"; }
266 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
267 ${klist}
268 if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
269     ${klistjson} |
270         jq -e '(((.tickets[0].Expires|
271                strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
272                (floor < 4)' >/dev/null &&
273            { ec=1 ; eval "${testfailed}"; }
274 fi
275
276 echo "Check kx509 certificate acquisition"
277 ${kx509} -s || { ec=1 ; eval "${testfailed}"; }
278 ${kx509} -o PEM-FILE:${objdir}/kx509.pem || { ec=1 ; eval "${testfailed}"; }
279 ${kdestroy}
280
281 echo "Check PKINIT w/ kx509 certificate"
282 ${kinit} -C PEM-FILE:${objdir}/kx509.pem bar@${R} || \
283         { ec=1 ; eval "${testfailed}"; }
284
285 echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
286 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
287         { ec=1 ; eval "${testfailed}"; }
288 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
289 ${kdestroy}
290
291 echo "Trying pk-init (principal subject in DB)"; > messages.log
292 ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
293         { ec=1 ; eval "${testfailed}"; }
294 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
295 ${kdestroy}
296
297 echo "Trying pk-init (ms upn)"; > messages.log
298 ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
299         { ec=1 ; eval "${testfailed}"; }
300 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
301 ${kdestroy}
302
303 echo "Trying pk-init (ms upn, enterprise)"; > messages.log
304 ${kinit}  --canonicalize --enterprise \
305         -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se || \
306         { ec=1 ; eval "${testfailed}"; }
307 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
308 ${kdestroy}
309
310 echo "Trying pk-init (ms upn, enterprise, pk-enterprise)"; > messages.log
311 ${kinit} --canonicalize \
312         --pk-enterprise \
313         -C FILE:${base}/pkinit4.crt,${keyfile2} ${R} || \
314         { ec=1 ; eval "${testfailed}"; }
315 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
316 ${kdestroy}
317
318 KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
319 export KRB5_CONFIG
320
321 echo "Duplicated tests, now in windows 2000 mode"
322
323 echo "Trying pk-init (principal in cert)"; > messages.log
324 base="${objdir}"
325 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
326         { ec=1 ; eval "${testfailed}"; }
327 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
328 ${kdestroy}
329
330 echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
331 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
332         { ec=1 ; eval "${testfailed}"; }
333 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
334 ${kdestroy}
335
336 echo "Trying pk-init (principal subject in DB)"; > messages.log
337 ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
338         { ec=1 ; eval "${testfailed}"; }
339 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
340 ${kdestroy}
341
342 echo "Trying pk-init (ms upn)"; > messages.log
343 ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
344         { ec=1 ; eval "${testfailed}"; }
345 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
346 ${kdestroy}
347
348
349 KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
350 export KRB5_CONFIG
351
352 echo "Trying PKCS11 support"
353
354 cat > test-rc-file.rc <<EOF
355 certificate     cert    User certificate        FILE:${base}/pkinit.crt,${keyfile2}
356 app-fatal       true
357 EOF
358
359 SOFTPKCS11RC="test-rc-file.rc"
360 export SOFTPKCS11RC
361
362 dir=${base}/../../lib/hx509
363 file=
364
365 for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
366     if [ -f $dir/$a ] ; then
367         file=$dir/$a
368         break
369     fi
370 done
371
372 if [ X"$file" != X -a @DLOPEN@ ] ; then
373
374     echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
375     ${kinit} -C PKCS11:${file} foo@${R} || \
376         { ec=1 ; eval "${testfailed}"; }
377     ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
378     ${kdestroy}
379
380 fi
381
382
383 echo "killing kdc (${kdcpid})"
384 sh ${leaks_kill} kdc $kdcpid || ec=1
385
386 trap "" EXIT
387
388 exit $ec
Samba Shared Repository