1#!/bin/sh 2# 3# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan 4# (Royal Institute of Technology, Stockholm, Sweden). 5# All rights reserved. 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 11# 1. Redistributions of source code must retain the above copyright 12# notice, this list of conditions and the following disclaimer. 13# 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in the 16# documentation and/or other materials provided with the distribution. 17# 18# 3. Neither the name of the Institute nor the names of its contributors 19# may be used to endorse or promote products derived from this software 20# without specific prior written permission. 21# 22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32# SUCH DAMAGE. 
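#
# $Id: check-pkinit.in 22474 2008-01-17 11:16:25Z lha $
#
# End-to-end PKINIT test: builds a throw-away KDC database, a test CA, a KDC
# certificate and three client certificates, then runs kinit/kgetcred against
# a KDC started on localhost.  Every secret used here (principal passwords,
# CA key, client key) is a fixed fixture from the source tree and must never
# be reused outside the test tree.

srcdir="@srcdir@"
objdir="@objdir@"
EGREP="@EGREP@"

# Eval'd (not called) on a failed test: dump the KDC log and abort the run.
testfailed="echo test failed; cat messages.log; exit 1"

# Skip (automake exit code 77) when no usable database backend was built.
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

# ${TESTS_ENVIRONMENT} is deliberately left unquoted in every command string
# below: it may carry several words that have to word-split.
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
# Test-only private keys shipped with hx509: key.der signs as the CA,
# key2.der is shared by the KDC and all client certificates issued later.
keyfile="${srcdir}/../../lib/hx509/data/key.der"
keyfile2="${srcdir}/../../lib/hx509/data/key2.der"

kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"

KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
export KRB5_CONFIG

# Capability probe.  hxtool is asked once (it used to be run twice) and the
# test needs a real RSA backend plus a random source; kinit must have been
# built with PKINIT, which shows up as the "CA certificates" option in its
# usage text.  Missing pieces mean "skip", not "fail".
rsa=yes
pkinit=no
hxinfo=$(${hxtool} info)
if printf '%s\n' "$hxinfo" \
    | grep -e 'rsa: hx509 null RSA' -e 'rand: not available' > /dev/null ; then
    rsa=no
fi

if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

# Without both PKINIT support and usable RSA there is nothing to test.
if [ "$pkinit" != yes ] || [ "$rsa" != yes ] ; then
    exit 77
fi


rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

# Fixed throw-away passwords.  Each principal exercises a different way of
# mapping a certificate to a principal (see the kinit runs later on):
# bar carries its principal in the certificate, foo is matched through the
# pki-mapping file, and baz only through the pkinit-acl set on its entry.
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p baz --use-defaults baz@${R} || exit 1
${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1

${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1
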
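echo "Setting up certificates"
# Three PKCS#10 requests, all over the same test key (key2.der): one for the
# KDC and two client ones (bar gets a SAN below, baz is matched by subject).
${hxtool} request-create \
    --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-kdc.der || exit 1
${hxtool} request-create \
    --subject="CN=bar,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-pkinit.der || exit 1
${hxtool} request-create \
    --subject="CN=baz,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-pkinit2.der || exit 1

echo "issue self-signed ca cert"
${hxtool} issue-certificate \
    --self-signed \
    --issue-ca \
    --ca-private-key=FILE:${keyfile} \
    --subject="CN=CA,DC=test,DC=h5l,DC=se" \
    --certificate="FILE:ca.crt" || exit 1

echo "issue kdc certificate"
# KDC certificate carrying the realm's krbtgt principal as its PKINIT identity.
${hxtool} issue-certificate \
    --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
    --type="pkinit-kdc" \
    --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
    --req="PKCS10:req-kdc.der" \
    --certificate="FILE:kdc.crt" || exit 1

echo "issue user certificate (pkinit san)"
${hxtool} issue-certificate \
    --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
    --type="pkinit-client" \
    --pk-init-principal="bar@TEST.H5L.SE" \
    --req="PKCS10:req-pkinit.der" \
    --certificate="FILE:pkinit.crt" || exit 1

echo "issue user 2 certificate (no san)"
${hxtool} issue-certificate \
    --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
    --type="pkinit-client" \
    --req="PKCS10:req-pkinit2.der" \
    --certificate="FILE:pkinit2.crt" || exit 1

echo "issue user 3 certificate (ms san)"
# Same request as pkinit2.crt (subject CN=baz) but with a Microsoft UPN for
# bar; the kinit run that uses it authenticates as bar, not baz.
${hxtool} issue-certificate \
    --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
    --type="pkinit-client" \
    --ms-upn="bar@test.h5l.se" \
    --req="PKCS10:req-pkinit2.der" \
    --certificate="FILE:pkinit3.crt" || exit 1


# Not referenced anywhere in this script.  It is created with the caller's
# umask, so on a shared build host it is typically readable by other users;
# harmless for a fixed test password, but do not copy this pattern for real
# credentials.
echo foo > ${objdir}/foopassword

echo Starting kdc
${kdc} &
kdcpid=$!

# wait-kdc.sh returns non-zero when the KDC did not come up: reap it and fail.
sh "${srcdir}/wait-kdc.sh" || { kill ${kdcpid}; exit 1; }

# From here on every exit path (including the exit inside ${testfailed})
# must take the background KDC down with it.  The trap is disarmed again
# once the KDC has been stopped deliberately at the end.
trap "kill ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT

ec=0

# pkinit_test LABEL IDENTITY PRINCIPAL
#   One PKINIT round trip: kinit with the given -C identity (FILE:cert,key or
#   PKCS11:module) as PRINCIPAL@${R}, fetch a service ticket for ${server},
#   then destroy the cache.  A failure sets ec and evaluates ${testfailed},
#   which prints the KDC log and exits (the EXIT trap then kills the KDC).
pkinit_test() {
    echo "$1"; > messages.log
    ${kinit} -C "$2" "$3@${R}" || { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} "${server}@${R}" || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}
}

# The four certificate-file variants, run once per KRB5_CONFIG flavour.
# NOTE(review): all of these are positive cases.  Nothing here checks that a
# certificate with no matching SAN, pki-mapping entry or pkinit-acl (for
# instance pkinit2.crt used as foo or bar) is refused, nor that a certificate
# from a CA other than ca.crt is; worth adding before relying on this script
# as a regression test for the mapping rules.
file_tests() {
    pkinit_test "Trying pk-init (principal in cert)" \
        "FILE:${base}/pkinit.crt,${keyfile2}" bar
    pkinit_test "Trying pk-init (principal in pki-mapping file) " \
        "FILE:${base}/pkinit.crt,${keyfile2}" foo
    pkinit_test "Trying pk-init (principal subject in DB)" \
        "FILE:${base}/pkinit2.crt,${keyfile2}" baz
    pkinit_test "Trying pk-init (ms upn)" \
        "FILE:${base}/pkinit3.crt,${keyfile2}" bar
}

base="${objdir}"
file_tests

KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
export KRB5_CONFIG

echo "Duplicated tests, now in windows 2000 mode"
file_tests


KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
export KRB5_CONFIG

echo "Trying PKCS11 support"

# Point the soft PKCS#11 module at the same client certificate and key.
# app-fatal: presumably turns module errors into application failures
# rather than silent ones -- confirm against the softpkcs11 source.
cat > test-rc-file.rc <<EOF
certificate cert User certificate FILE:${base}/pkinit.crt,${keyfile2}
app-fatal true
EOF

SOFTPKCS11RC="test-rc-file.rc"
export SOFTPKCS11RC

# Locate the built hx509 shared object (may still live under .libs).
dir="${base}/../../lib/hx509"
file=

for cand in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
    if [ -f "$dir/$cand" ] ; then
        file="$dir/$cand"
        break
    fi
done

# @DLOPEN@ is substituted by configure and kept exactly as the original test
# expression.  NOTE(review): any non-empty substitution satisfies it, so the
# PKCS11 case is gated only on the library file being found unless configure
# substitutes an empty string; verify what configure actually emits here.
if [ X"$file" != X -a @DLOPEN@ ] ; then

    pkinit_test "Trying pk-init (principal in pki-mapping file) " \
        "PKCS11:${file}" foo

fi


echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1

# Deliberate shutdown done: disarm the cleanup trap so the exit status is ours.
trap "" EXIT

exit $ec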