diff options
author | Greg Hudson <ghudson@mit.edu> | 2017-08-25 12:39:14 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2017-08-29 16:41:45 -0400 |
commit | 8c5d50888aab554239fd51306e79c5213833c898 (patch) | |
tree | 459b93a1a2b150837951dc3c0058e7e7672e79aa /src/tests/t_pkinit.py | |
parent | 0d23835660ab131d244d395e4568969b5c0dc678 (diff) | |
download | krb5-8c5d50888aab554239fd51306e79c5213833c898.zip krb5-8c5d50888aab554239fd51306e79c5213833c898.tar.gz krb5-8c5d50888aab554239fd51306e79c5213833c898.tar.bz2 |
Add PKINIT test case for generic client cert
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.
ticket: 8562
Diffstat (limited to 'src/tests/t_pkinit.py')
-rwxr-xr-x | src/tests/t_pkinit.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py index 898dafb..b790a7c 100755 --- a/src/tests/t_pkinit.py +++ b/src/tests/t_pkinit.py @@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12') user_upn_p12 = os.path.join(certs, 'user-upn.p12') user_upn2_p12 = os.path.join(certs, 'user-upn2.p12') user_upn3_p12 = os.path.join(certs, 'user-upn3.p12') +generic_p12 = os.path.join(certs, 'generic.p12') path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs') path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc') @@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12 p12_upn_identity = 'PKCS12:%s' % user_upn_p12 p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12 p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12 +p12_generic_identity = 'PKCS12:%s' % generic_p12 p12_enc_identity = 'PKCS12:%s' % user_enc_p12 p11_identity = 'PKCS11:soft-pkcs11.so' p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:' @@ -329,6 +331,14 @@ realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p12_identity], expected_code=1, expected_msg=msg) +# Authorize a client cert with no PKINIT extensions using subject and +# issuer. (Relies on EKU checking being turned off.) +rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_generic_identity]) +realm.klist(realm.user_princ) + if not have_soft_pkcs11: skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') |