svn rev #24556: branches/krb5-1-9/src/tests/

tlyu@MIT.EDU tlyu at MIT.EDU
Fri Dec 3 13:47:59 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24556
Commit By: tlyu
Log Message:
ticket: 1219
version_fixed: 1.9
status: resolved

pull up r24555 from trunk

 ------------------------------------------------------------------------
 r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines

 ticket: 1219
 target_version: 1.9
 tags: pullup

 Test for key rollover for TGT, including purging old keys.


Changed Files:
U   branches/krb5-1-9/src/tests/Makefile.in
A   branches/krb5-1-9/src/tests/t_keyrollover.py
Modified: branches/krb5-1-9/src/tests/Makefile.in
===================================================================
--- branches/krb5-1-9/src/tests/Makefile.in	2010-12-03 12:34:53 UTC (rev 24555)
+++ branches/krb5-1-9/src/tests/Makefile.in	2010-12-03 18:47:59 UTC (rev 24556)
@@ -65,6 +65,7 @@
 	$(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
 
 clean::
 	$(RM) kdc.conf

Added: branches/krb5-1-9/src/tests/t_keyrollover.py
===================================================================
--- branches/krb5-1-9/src/tests/t_keyrollover.py	                        (rev 0)
+++ branches/krb5-1-9/src/tests/t_keyrollover.py	2010-12-03 18:47:59 UTC (rev 24556)
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+                krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+                  (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+    (realm.realm, realm.realm)
+
+if expected not in output:
+    fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+    'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+    (realm.realm, realm.realm)
+
+if expected not in output:
+    fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
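
Review bot: The `expected_code=1` check on `kvno princ2` after `purgekeys` passes for any kvno failure, not only the one caused by the old krbtgt key being gone, so an unrelated breakage at that step would still count as a pass. Capture the output of that call and match it against the error the purge is expected to produce. The `klist -e` check that the cached TGT is des-cbc-crc also runs only after the purge; running it right after the first `kvno realm.host_princ`, before the `cpw ... -keepold` step, would confirm the precondition that the old TGT really uses the old enctype.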



