From 67294a23b97e3fae3c20861a8313f860b89a2859 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 25 Jan 2022 19:35:06 +0100
Subject: [PATCH] testprogs: A PKINIT PAC test which runs against Heimdal and
 MIT Kerberos

There is no need to specify the enctype and it isn't supported by MIT Kerberos
anyway.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184
---
 selftest/knownfail_mit_kdc            |  7 ----
 selftest/skip_mit_kdc_pre_1_20        |  1 +
 source4/selftest/tests.py             | 21 +++++-----
 testprogs/blackbox/test_pkinit_pac.sh | 59 +++++++++++++++------------
 4 files changed, 45 insertions(+), 43 deletions(-)

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index a3f3e51e367..9b55627bbc8 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -262,18 +262,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^netr-bdc-arcfour.verify-sig-arcfour
 ^netr-bdc-arcfour.verify-sig-arcfour
-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
-^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local
 ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
-^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
diff --git a/selftest/skip_mit_kdc_pre_1_20 b/selftest/skip_mit_kdc_pre_1_20
index 1877929300b..aa6c418662d 100644
--- a/selftest/skip_mit_kdc_pre_1_20
+++ b/selftest/skip_mit_kdc_pre_1_20
@@ -1 +1,2 @@
 ^samba4.blackbox.pkinit_simple
+^samba4.blackbox.pkinit_pac
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1630f0c20fc..165a933d110 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -555,17 +555,6 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join
 plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
 
 if have_heimdal_support:
-    plantestsuite("samba4.blackbox.pkinit_pac",
-                  "ad_dc:local",
-                  [os.path.join(bbdir, "test_pkinit_pac.sh"),
-                   '$SERVER',
-                   '$USERNAME',
-                   '$PASSWORD',
-                   '$REALM',
-                   '$DOMAIN',
-                   '$PREFIX/ad_dc',
-                   "aes256-cts-hmac-sha1-96",
-                   configuration])
     plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "arcfour-hmac-md5", smbclient3, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient3, configuration])
@@ -596,6 +585,16 @@ plantestsuite("samba4.blackbox.pkinit_simple",
                '$PREFIX/ad_dc',
                smbclient3,
                configuration])
+plantestsuite("samba4.blackbox.pkinit_pac",
+              "ad_dc:local",
+              [os.path.join(bbdir, "test_pkinit_pac.sh"),
+               '$SERVER',
+               '$USERNAME',
+               '$PASSWORD',
+               '$REALM',
+               '$DOMAIN',
+               '$PREFIX/ad_dc',
+               configuration])
 
 plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH'])
 
diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh
index 4c19136a106..8047517fde1 100755
--- a/testprogs/blackbox/test_pkinit_pac.sh
+++ b/testprogs/blackbox/test_pkinit_pac.sh
@@ -1,10 +1,12 @@
 #!/bin/sh
 # Blackbox tests for pkinit and pac verification
+#
 # Copyright (C) 2006-2008 Stefan Metzmacher
+# Copyright (C) 2022      Andreas Schneider
 
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
 	cat <<EOF
-Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE
+Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
 EOF
 	exit 1
 fi
@@ -15,40 +17,47 @@ PASSWORD=$3
 REALM=$4
 DOMAIN=$5
 PREFIX=$6
-ENCTYPE=$7
-shift 7
+shift 6
 failed=0
 
-samba4bindir="$BINDIR"
-samba4srcdir="$SRCDIR/source4"
-samba4kinit_binary=kinit
-if test -x $BINDIR/samba4kinit; then
-	samba4kinit_binary=$BINDIR/samba4kinit
-fi
-
-smbtorture4="$samba4bindir/smbtorture --basedir=$SELFTEST_TMPDIR"
+samba_bindir="$BINDIR"
 
-. $(dirname $0)/subunit.sh
-. $(dirname $0)/common_test_fns.inc
+samba_kinit="$(command -v kinit)"
+if [ -x "${samba_bindir}/samba4kinit" ]; then
+	samba_kinit="${samba_bindir}/samba4kinit"
+fi
+samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR"
 
-enctype="-e $ENCTYPE"
-unc="//$SERVER/tmp"
+. "$(dirname "$0")"/subunit.sh
+. "$(dirname "$0")"/common_test_fns.inc
 
 KRB5CCNAME_PATH="$PREFIX/tmpccache"
+rm -f "${KRB5CCNAME_PATH}"
 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
 export KRB5CCNAME
-rm -f $KRB5CCNAME_PATH
 
-USER_PRINCIPAL_NAME=$(echo "${USERNAME}@${REALM}" | tr A-Z a-z)
-PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"
+
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" = "samba4kinit" ]; then
+	# HEIMDAL
+	X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+	OPTION_RENEWABLE="--renewable"
+else
+	X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+	OPTION_RENEWABLE="-r 1h"
+fi
+OPTION_REQUEST_PAC="--request-pac"
 
-testit "STEP1 kinit with pkinit (name specified) " \
-	$samba4kinit $enctype --request-pac --renewable --cache=$KRB5CCNAME $PKUSER $USERNAME@$REALM ||
+testit "STEP1 kinit with pkinit (name specified)" \
+	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+		"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
 	failed=$((failed + 1))
 testit "STEP1 remote.pac verification" \
-	$smbtorture4 ncacn_np:$SERVER rpc.pac --workgroup=$DOMAIN -U$USERNAME%$PASSWORD --option=torture:pkinit_ccache=$KRB5CCNAME ||
+	"${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \
+	--workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \
+	--option=torture:pkinit_ccache="${KRB5CCNAME}" ||
 	failed=$((failed + 1))
 
-rm -f $KRB5CCNAME_PATH
-exit $failed
+rm -f "${KRB5CCNAME_PATH}"
+exit ${failed}
-- 
2.34.1