krb5 commit: Add PKINIT test case for generic client cert
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 29 19:38:39 2017
Date: Tue, 29 Aug 2017 19:36:33 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201708292336.v7TNaXXg000851@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/8c5d50888aab554239fd51306e79c5213833c898
commit 8c5d50888aab554239fd51306e79c5213833c898
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Aug 25 12:39:14 2017 -0400
Add PKINIT test case for generic client cert
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.
ticket: 8562
src/tests/t_pkinit.py | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 898dafb..b790a7c 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
user_upn_p12 = os.path.join(certs, 'user-upn.p12')
user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
+generic_p12 = os.path.join(certs, 'generic.p12')
path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
p12_upn_identity = 'PKCS12:%s' % user_upn_p12
p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
+p12_generic_identity = 'PKCS12:%s' % generic_p12
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
p11_identity = 'PKCS11:soft-pkcs11.so'
p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
@@ -329,6 +331,14 @@ realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % p12_identity],
expected_code=1, expected_msg=msg)
+# Authorize a client cert with no PKINIT extensions using subject and
+# issuer. (Relies on EKU checking being turned off.)
+rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
+realm.klist(realm.user_princ)
+
if not have_soft_pkcs11:
skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
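Review bot: The `pkinit_cert_match` string attribute set on realm.user_princ by the `setstr` line is never removed, so every later test in this script (including the PKCS11 cases that follow the `have_soft_pkcs11` check) now runs with that subject/issuer rule in force on the same principal, which couples their outcome to this case. Clearing it right after the `realm.klist(realm.user_princ)` line keeps the cases independent: `realm.run([kadminl, 'delstr', realm.user_princ, 'pkinit_cert_match'])`. The case also only proves the positive path; a kinit with p12_generic_identity before the rule is set, expected to fail, would show that the rule rather than the relaxed EKU setting is what authorizes the extension-less cert, though the exact error text to expect is not visible here. The "Relies on EKU checking being turned off" comment would be more useful if it named where that setting is applied in the file, which is outside this hunk.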