krb5 commit: Clean up and improve PKINIT test script

Greg Hudson ghudson at MIT.EDU
Fri Jul 19 18:14:56 EDT 2013


https://github.com/krb5/krb5/commit/4fb415e9357b6fb9593dc9b52aa93ffe85524806
commit 4fb415e9357b6fb9593dc9b52aa93ffe85524806
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jul 19 10:00:05 2013 -0400

    Clean up and improve PKINIT test script
    
    Don't create a bunch of identically configured realms; just reuse the
    same one.  Remove a redundant assignment from the soft-pkcs11.so
    check.  Move the pkinit_identity setting from krb5.conf to kdc.conf,
    since it's only used by the KDC.  Add a test for trying anonymous
    PKINIT when it isn't configured.  Check for a specific error message
    when testing restricted anonymous PKINIT.

 src/tests/t_pkinit.py |  113 +++++++++++++++----------------------------------
 1 files changed, 35 insertions(+), 78 deletions(-)

diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index e9915eb..fd1db92 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -7,7 +7,6 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
     exit(0)
 
 # Check if soft-pkcs11.so is available.
-have_soft_pkcs11 = False
 try:
     import ctypes
     lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
@@ -28,14 +27,14 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
 path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
 path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
 
-pkinit_krb5_conf = {
-    'realms': {'$realm': {
-            'pkinit_anchors': 'FILE:%s' % ca_pem,
-            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
-pkinit_kdc_conf = {
-    'realms': {'$realm': {
+pkinit_krb5_conf = {'realms': {'$realm': {
+            'pkinit_anchors': 'FILE:%s' % ca_pem}}}
+pkinit_kdc_conf = {'realms': {'$realm': {
             'default_principal_flags': '+preauth',
-            'pkinit_eku_checking': 'none'}}}
+            'pkinit_eku_checking': 'none',
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+restrictive_kdc_conf = {'realms': {'$realm': {
+            'restrict_anonymous_to_tgt': 'true' }}}
 
 file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
 file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
@@ -51,19 +50,10 @@ p11_identity = 'PKCS11:soft-pkcs11.so'
 p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
                       'slotid=1:token=SoftToken (token)')
 
-# Set up the DIR: identities.  They go away as a side-effect of reinitializing
-# the realm testdir, so we don't have a specific cleanup method.
-def setup_dir_identities(realm):
-    os.mkdir(path)
-    os.mkdir(path_enc)
-    shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
-    shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
-    shutil.copy(user_pem, os.path.join(path, 'user.crt'))
-    shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
-
-# Sanity check - password-based preauth should still work.
 realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
                 get_creds=False)
+
+# Sanity check - password-based preauth should still work.
 realm.run(['./responder',
            '-r', 'password=%s' % password('user'),
            'user@%s' % realm.realm])
@@ -71,33 +61,32 @@ realm.kinit('user@%s' % realm.realm,
             password=password('user'))
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
-
-restrictive_kdc_conf = {
-    'realms': {'$realm' : {
-            'restrict_anonymous_to_tgt': 'true' }}}
 
 # Test anonymous PKINIT.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, create_user=False)
+out = realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1)
+if 'not found in Kerberos database' not in out:
+    fail('Wrong error for anonymous PKINIT without anonymous enabled')
 realm.addprinc('WELLKNOWN/ANONYMOUS')
 realm.kinit('@%s' % realm.realm, flags=['-n'])
 realm.klist('WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS')
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
-# Now try again with anonymous restricted; kvno should fail.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=restrictive_kdc_conf,
-                create_user=False)
-realm.addprinc('WELLKNOWN/ANONYMOUS')
+# Test with anonymous restricted; FAST should work but kvno should fail.
+r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
+realm.stop_kdc()
+realm.start_kdc(env=r_env)
 realm.kinit('@%s' % realm.realm, flags=['-n'])
-# now try FAST
 realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
-realm.run([kvno, realm.host_princ], expected_code=1)
-realm.stop()
+out = realm.run([kvno, realm.host_princ], expected_code=1)
+if 'KDC policy rejects request' not in out:
+    fail('Wrong error for restricted anonymous PKINIT')
+
+# Go back to a normal KDC and disable anonymous PKINIT.
+realm.stop_kdc()
+realm.start_kdc()
+realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 realm.run(['./responder',
            '-x',
            'pkinit={}',
@@ -108,12 +97,9 @@ realm.kinit('user@%s' % realm.realm,
             flags=['-X', 'X509_user_identity=%s' % file_identity])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the prompter.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 # Expect failure if the responder does nothing, and we have no prompter.
 realm.run(['./responder',
           '-x',
@@ -127,12 +113,9 @@ realm.kinit('user@%s' % realm.realm,
             password='encrypted')
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the responder.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 # Supply the response in raw form.
 realm.run(['./responder',
            '-x',
@@ -151,12 +134,14 @@ realm.run(['./responder',
            'user@%s' % realm.realm])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with DIR: identity, with no password on the key.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
-setup_dir_identities(realm)
+os.mkdir(path)
+os.mkdir(path_enc)
+shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
+shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
+shutil.copy(user_pem, os.path.join(path, 'user.crt'))
+shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 realm.run(['./responder',
            '-x',
            'pkinit={}',
@@ -167,13 +152,9 @@ realm.kinit('user@%s' % realm.realm,
             flags=['-X', 'X509_user_identity=%s' % dir_identity])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # prompter.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
-setup_dir_identities(realm)
 # Expect failure if the responder does nothing, and we have no prompter.
 realm.run(['./responder',
            '-x',
@@ -188,13 +169,9 @@ realm.kinit('user@%s' % realm.realm,
             password='encrypted')
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with DIR: identity, with a password on the key, supplied by the
 # responder.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
-setup_dir_identities(realm)
 # Supply the response in raw form.
 realm.run(['./responder',
            '-x',
@@ -214,11 +191,8 @@ realm.run(['./responder',
            'user@%s' % realm.realm])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with PKCS12: identity, with no password on the bundle.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 realm.run(['./responder',
            '-x',
            'pkinit={}',
@@ -229,12 +203,9 @@ realm.kinit('user@%s' % realm.realm,
             flags=['-X', 'X509_user_identity=%s' % p12_identity])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # prompter.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 # Expect failure if the responder does nothing, and we have no prompter.
 realm.run(['./responder',
            '-x',
@@ -248,12 +219,9 @@ realm.kinit('user@%s' % realm.realm,
             password='encrypted')
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
 # responder.
-realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                get_creds=False)
 # Supply the response in raw form.
 realm.run(['./responder',
            '-x',
@@ -272,19 +240,16 @@ realm.run(['./responder',
            'user@%s' % realm.realm])
 realm.klist('user@%s' % realm.realm)
 realm.run([kvno, realm.host_princ])
-realm.stop()
 
 if have_soft_pkcs11:
-    os.environ['SOFTPKCS11RC'] = os.path.join(os.getcwd(), 'testdir',
-                                              'soft-pkcs11.rc')
-
-    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
-    realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                    get_creds=False)
-    conf = open(os.environ['SOFTPKCS11RC'], 'w')
+    softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+    conf = open(softpkcs11rc, 'w')
     conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
                                      privkey_enc_pem))
     conf.close()
+    realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
     # Expect failure if the responder does nothing, and there's no prompter
     realm.run(['./responder',
                '-x',
@@ -298,15 +263,8 @@ if have_soft_pkcs11:
                 password='encrypted')
     realm.klist('user@%s' % realm.realm)
     realm.run([kvno, realm.host_princ])
-    realm.stop()
 
     # PKINIT with PKCS11: identity, with a PIN supplied by the responder.
-    realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-                    get_creds=False)
-    conf = open(os.environ['SOFTPKCS11RC'], 'w')
-    conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
-                                     privkey_enc_pem))
-    conf.close()
     # Supply the response in raw form.
     realm.run(['./responder',
                '-x',
@@ -326,7 +284,6 @@ if have_soft_pkcs11:
                'user@%s' % realm.realm])
     realm.klist('user@%s' % realm.realm)
     realm.run([kvno, realm.host_princ])
-    realm.stop()
 else:
     output('soft-pkcs11.so not found: skipping tests with PKCS11 identities\n')
 


More information about the cvs-krb5 mailing list