svn rev #24556: branches/krb5-1-9/src/tests/
tlyu@MIT.EDU
tlyu at MIT.EDU
Fri Dec 3 13:47:59 EST 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24556
Commit By: tlyu
Log Message:
ticket: 1219
version_fixed: 1.9
status: resolved
pull up r24555 from trunk
------------------------------------------------------------------------
r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
Changed Files:
U branches/krb5-1-9/src/tests/Makefile.in
A branches/krb5-1-9/src/tests/t_keyrollover.py
Modified: branches/krb5-1-9/src/tests/Makefile.in
===================================================================
--- branches/krb5-1-9/src/tests/Makefile.in 2010-12-03 12:34:53 UTC (rev 24555)
+++ branches/krb5-1-9/src/tests/Makefile.in 2010-12-03 18:47:59 UTC (rev 24556)
@@ -65,6 +65,7 @@
$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
clean::
$(RM) kdc.conf
Added: branches/krb5-1-9/src/tests/t_keyrollover.py
===================================================================
--- branches/krb5-1-9/src/tests/t_keyrollover.py (rev 0)
+++ branches/krb5-1-9/src/tests/t_keyrollover.py 2010-12-03 18:47:59 UTC (rev 24556)
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+ krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+ (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
More information about the cvs-krb5
mailing list