krb5 commit: Clean up PKINIT tests
Greg Hudson
ghudson at mit.edu
Thu Jan 22 19:59:34 EST 2015
https://github.com/krb5/krb5/commit/b547063dafe7af4082b00efd4b5636ac5604f42e
commit b547063dafe7af4082b00efd4b5636ac5604f42e
Author: Greg Hudson <ghudson at mit.edu>
Date: Sun Jan 4 17:30:45 2015 -0500
Clean up PKINIT tests
Use realm.user_princ where appropriate. Re-wrap some overwrapped
function calls. De-indent the PKCS11 tests using skip_rest.
src/tests/t_pkinit.py | 256 ++++++++++++++++++-------------------------------
1 files changed, 93 insertions(+), 163 deletions(-)
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 23889c4..52123e1 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -53,12 +53,10 @@ realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
get_creds=False)
# Sanity check - password-based preauth should still work.
-realm.run(['./responder',
- '-r', 'password=%s' % password('user'),
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
- password=password('user'))
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+ realm.user_princ])
+realm.kinit(realm.user_princ, password=password('user'))
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# Test anonymous PKINIT.
@@ -99,52 +97,36 @@ realm.start_kdc()
realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
# Run the basic test - PKINIT with FILE: identity, with no password on the key.
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % file_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % file_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % file_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# Run the basic test - PKINIT with FILE: identity, with a password on the key,
# supplied by the prompter.
# Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity, realm.user_princ],
expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# Run the basic test - PKINIT with FILE: identity, with a password on the key,
# supplied by the responder.
# Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % file_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
+ '-X', 'X509_user_identity=%s' % file_enc_identity,
+ realm.user_princ])
# Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % file_enc_identity,
- '-p',
- '%s=%s' % (file_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
+ '-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with DIR: identity, with no password on the key.
@@ -154,167 +136,115 @@ shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
shutil.copy(user_pem, os.path.join(path, 'user.crt'))
shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % dir_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=', '-X',
+ 'X509_user_identity=%s' % dir_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % dir_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with DIR: identity, with a password on the key, supplied by the
# prompter.
# Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' %
- dir_file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+ '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ],
expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with DIR: identity, with a password on the key, supplied by the
# responder.
# Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' %
- dir_file_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
+ '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ])
# Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % dir_enc_identity,
- '-p',
- '%s=%s' % (dir_file_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % dir_enc_identity,
+ '-p', '%s=%s' % (dir_file_enc_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with PKCS12: identity, with no password on the bundle.
-realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % p12_identity,
- 'user@%s' % realm.realm])
-realm.kinit('user@%s' % realm.realm,
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % p12_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
# prompter.
# Expect failure if the responder does nothing, and we have no prompter.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p12_enc_identity,
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- 'user@%s' % realm.realm],
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+ '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ],
expected_code=2)
-realm.kinit('user@%s' % realm.realm,
+realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
password='encrypted')
-realm.klist('user@%s' % realm.realm)
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
# responder.
# Supply the response in raw form.
-realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p12_enc_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- 'user@%s' % realm.realm])
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
+ '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ])
# Supply the response through the convenience API.
-realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % p12_enc_identity,
- '-p',
- '%s=%s' % (p12_enc_identity, 'encrypted'),
- 'user@%s' % realm.realm])
-realm.klist('user@%s' % realm.realm)
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+ '-p', '%s=%s' % (p12_enc_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
-if have_soft_pkcs11:
- softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
- realm.env['SOFTPKCS11RC'] = softpkcs11rc
-
- # PKINIT with PKCS11: identity, with no need for a PIN.
- conf = open(softpkcs11rc, 'w')
- conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_pem))
- conf.close()
- # Expect to succeed without having to supply any more information.
- realm.run(['./responder',
- '-x',
- 'pkinit=',
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm])
- realm.kinit('user@%s' % realm.realm,
- flags=['-X', 'X509_user_identity=%s' % p11_identity])
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
+if not have_soft_pkcs11:
+ skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+
+softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+# PKINIT with PKCS11: identity, with no need for a PIN.
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem))
+conf.close()
+# Expect to succeed without having to supply any more information.
+realm.run(['./responder', '-x', 'pkinit=',
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
- # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
- os.remove(softpkcs11rc)
- conf = open(softpkcs11rc, 'w')
- conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_enc_pem))
- conf.close()
- # Expect failure if the responder does nothing, and there's no prompter
- realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p11_token_identity,
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm],
- expected_code=2)
- realm.kinit('user@%s' % realm.realm,
- flags=['-X', 'X509_user_identity=%s' % p11_identity],
- password='encrypted')
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
+# PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+os.remove(softpkcs11rc)
+conf = open(softpkcs11rc, 'w')
+conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+ privkey_enc_pem))
+conf.close()
+# Expect failure if the responder does nothing, and there's no prompter
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ],
+ expected_code=2)
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity],
+ password='encrypted')
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
- # PKINIT with PKCS11: identity, with a PIN supplied by the responder.
- # Supply the response in raw form.
- realm.run(['./responder',
- '-x',
- 'pkinit={"%s": 0}' % p11_token_identity,
- '-r',
- 'pkinit={"%s": "encrypted"}' %
- p11_token_identity,
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- 'user@%s' % realm.realm])
- # Supply the response through the convenience API.
- realm.run(['./responder',
- '-X',
- 'X509_user_identity=%s' % p11_identity,
- '-p',
- '%s=%s' % (p11_token_identity, 'encrypted'),
- 'user@%s' % realm.realm])
- realm.klist('user@%s' % realm.realm)
- realm.run([kvno, realm.host_princ])
-else:
- skipped('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+# PKINIT with PKCS11: identity, with a PIN supplied by the responder.
+# Supply the response in raw form.
+realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
+ '-r', 'pkinit={"%s": "encrypted"}' % p11_token_identity,
+ '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ])
+# Supply the response through the convenience API.
+realm.run(['./responder', '-X', 'X509_user_identity=%s' % p11_identity,
+ '-p', '%s=%s' % (p11_token_identity, 'encrypted'),
+ realm.user_princ])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
-success('Authenticated PKINIT')
+success('PKINIT tests')
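Review bot: The soft-pkcs11.rc file is opened, written and closed by hand at `conf = open(softpkcs11rc, 'w')` / `conf.close()` in both PKCS11 blocks, so a failing write skips the close and leaves the handle open for the rest of the run; the context-manager form `with open(softpkcs11rc, 'w') as conf:` followed by the indented `conf.write(...)` line handles that at both sites without changing what the file contains. The `os.remove(softpkcs11rc)` before the second rewrite is redundant because opening with 'w' already truncates the file, so either drop it or keep it with a comment saying the reset is intentional. The de-indent assumes skip_rest terminates the script rather than only reporting a skip; that appears to be how k5test's skip_rest behaves, but since the old if/else made the control flow visible, a comment such as `# skip_rest exits here, so the PKCS11 tests below only run when soft-pkcs11 is present` would preserve that clarity for readers.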