author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-07-19 11:33:20 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2013-07-22 12:25:31 -0400 |
commit | b37a0be87e5146d730b89abd1378a3043d5015b2 (patch) | |
tree | 32392f8837c320b186ce146384045afce3150fd4 /src/tests | |
parent | 744d6f873393b6bbd12e1c1884738676a089fa65 (diff) | |
Don't ask empty responder questions in PKINIT
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/responder.c | 8 | ||||
-rw-r--r-- | src/tests/t_pkinit.py | 28 |
2 files changed, 27 insertions, 9 deletions
diff --git a/src/tests/responder.c b/src/tests/responder.c
index 57106ff..13623d8 100644
--- a/src/tests/responder.c
+++ b/src/tests/responder.c
@@ -100,11 +100,11 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
 *value++ = '\0';
 /* Read the challenge. */
 challenge = krb5_responder_get_challenge(ctx, rctx, key);
- if (challenge == NULL)
- challenge = "";
- /* See if the expected challenge looks like JSON-encoded data. */
 err = k5_json_decode(value, &decoded1);
- if (err != 0) {
+ /* Check for "no challenge". */
+ if (challenge == NULL && *value == '\0') {
+ fprintf(stderr, "OK: (no challenge) == (no challenge)\n");
+ } else if (err != 0) {
 /* It's not JSON, so assume we're just after a string compare. */
 if (strcmp(challenge, value) == 0) {
 fprintf(stderr, "OK: \"%s\" == \"%s\"\n", challenge, value);
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index fd1db92..7b20fa3 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -89,7 +89,7 @@ realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % file_identity,
 'user@%s' % realm.realm])
@@ -144,7 +144,7 @@ shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % dir_identity,
 'user@%s' % realm.realm])
@@ -195,7 +195,7 @@ realm.run([kvno, realm.host_princ])
 # PKINIT with PKCS12: identity, with no password on the bundle.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % p12_identity,
 'user@%s' % realm.realm])
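Review bot: Dropping the `challenge = ""` fallback leaves `challenge` NULL on the `} else if (err != 0) {` path whenever the test expects a non-empty value but the library asked no question, so `strcmp(challenge, value)` dereferences NULL and the harness segfaults instead of reporting a mismatch; the JSON branch below the hunk presumably decodes `challenge` as well and would have the same exposure. Add an explicit mismatch branch between the two, e.g. `} else if (challenge == NULL) {` / `fprintf(stderr, "FAIL: (no challenge) != \"%s\"\n", value);`, and fail it the way the existing mismatch paths do. The removed comment explaining that `k5_json_decode(value, &decoded1)` only probes whether the expected value is JSON is worth restoring, e.g. `/* See if the expected challenge looks like JSON-encoded data. */`. responder()'s body continues on both sides of the hunk.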
@@ -243,13 +243,31 @@ realm.run([kvno, realm.host_princ])
 
 if have_soft_pkcs11:
 softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+ realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+ # PKINIT with PKCS11: identity, with no need for a PIN.
 conf = open(softpkcs11rc, 'w')
 conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_enc_pem))
+ privkey_pem))
 conf.close()
- realm.env['SOFTPKCS11RC'] = softpkcs11rc
+ # Expect to succeed without having to supply any more information.
+ realm.run(['./responder',
+ '-x',
+ 'pkinit=',
+ '-X',
+ 'X509_user_identity=%s' % p11_identity,
+ 'user@%s' % realm.realm])
+ realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity])
+ realm.klist('user@%s' % realm.realm)
+ realm.run([kvno, realm.host_princ])
 
 # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+ os.remove(softpkcs11rc)
+ conf = open(softpkcs11rc, 'w')
+ conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+ privkey_enc_pem))
+ conf.close()
 # Expect failure if the responder does nothing, and there's no prompter
 realm.run(['./responder',
 '-x',
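Review bot: The soft-pkcs11 config is now written twice with a hand-rolled `open()`/`write()`/`close()` sequence that leaves the file open if `write()` raises, and the second copy is preceded by an `os.remove(softpkcs11rc)` that `'w'` mode makes redundant because it truncates anyway. The two writers differ only in the key file, so a small helper using `with` keeps the plaintext-key and encrypted-key cases in sync and drops the remove; moving `realm.env['SOFTPKCS11RC'] = softpkcs11rc` ahead of the file write is fine, since the environment is only consumed when a command runs, and can stay. The `if have_soft_pkcs11:` block continues past the end of the hunk.
```python
    def write_softpkcs11rc(keyfile):
        # Rewrite the one-line soft-pkcs11 config with the given private key
        # file; 'w' truncates, so no os.remove() is needed before rewriting.
        with open(softpkcs11rc, 'w') as conf:
            conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
                                             keyfile))

    # PKINIT with PKCS11: identity, with no need for a PIN.
    write_softpkcs11rc(privkey_pem)
    # … unchanged: responder, kinit, klist and kvno runs for the no-PIN case …

    # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
    write_softpkcs11rc(privkey_enc_pem)
```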