author | Matt Rogers <mrogers@redhat.com> | 2017-03-15 19:57:15 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2017-03-23 13:11:49 -0400 |
commit | 89634ca049e698d7dd2554f5c49bfc499be96188 (patch) | |
tree | 19e28a006e2aecc66fe8eec6b3de930d0592e619 /src/tests | |
parent | 01b1c0e26252a00f2215408b0e473b84aa0f6a87 (diff) | |
Add the certauth dbmatch module
Add and enable the "dbmatch" builtin module. Add the
pkinit_client_cert_match() and crypto_req_cert_matching_data() helper
functions. Add dbmatch tests to t_pkinit.py. Add documentation to
krb5_conf.rst, pkinit.rst, and kadmin_local.rst.
[ghudson@mit.edu: simplified code, edited docs]
ticket: 8562 (new)
Diffstat (limited to 'src/tests')
-rwxr-xr-x | src/tests/t_pkinit.py | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index d1d4972..898dafb 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -292,6 +292,43 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
 realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
+# Match a single rule.
+rule = '<SAN>^user@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Match a combined rule (default prefix is &&).
+rule = '<SUBJECT>CN=user$<KU>digitalSignature,keyEncipherment'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Fail an && rule.
+rule = '&&<SUBJECT>O=OTHER.COM<SAN>^user@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+msg = 'kinit: Certificate mismatch while getting initial credentials'
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity],
+ expected_code=1, expected_msg=msg)
+
+# Pass an || rule.
+rule = '||<SUBJECT>O=KRBTEST.COM<SAN>^otheruser@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Fail an || rule.
+rule = '||<SUBJECT>O=OTHER.COM<SAN>^otheruser@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+msg = 'kinit: Certificate mismatch while getting initial credentials'
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_identity],
+ expected_code=1, expected_msg=msg)
+
 if not have_soft_pkcs11:
 skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') |
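Review bot: The final "Fail an || rule" case leaves a deliberately non-matching `pkinit_cert_match` string attribute on `realm.user_princ`, and nothing in the hunk removes it before the script continues into the `if not have_soft_pkcs11:` PKCS11 section, so any later PKINIT authentication of that principal in this file would presumably be rejected with the same certificate-mismatch error rather than exercising what it intends to test. I would end the dbmatch section with `realm.run([kadminl, 'delstr', realm.user_princ, 'pkinit_cert_match'])` so the principal is restored to "any certificate" before the remaining tests, unless that cleanup already happens outside this hunk. As a minor point of style, `msg` is assigned the identical literal twice; assigning it once above the first failing case would keep the expected error text in one place. The hunk is part of the module-level test script, which continues past the hunk.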