1 #!/bin/sh
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
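# Build-tree locations substituted by configure.  env_setup supplies the
# tool paths (${kadmin}, ${kdc}, ${kinit}, ${hxtool}, ...) and the feature
# flags (${have_db}, ${afs_no_afslog}, ${afs_no_unlog}, ${hx509_data}) used
# throughout this script.
top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"

# Evaluated (via eval) after any failed step: dump the KDC log and abort.
testfailed="echo test failed; cat messages.log; exit 1"

# Quoted: the path comes from configure and may contain spaces.
. "${env_setup}"

# If there is no useful db support compiled in, disable test
${have_db} || exit 77

R=TEST.H5L.SE

port=@port@

# Local-mode kadmin on the test realm; the KDC is bound to localhost only.
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
# Private keys taken from the hx509 test data (see the XXX notes further
# down about replacing committed keys with freshly generated ones).
keyfile="${hx509_data}/key.der"
keyfile2="${hx509_data}/key2.der"

# Every client tool works on the same credential cache, so each scenario
# starts from whatever the previous kinit/kdestroy left there.
kinit="${kinit} -c $cache ${afs_no_afslog}"
klistjson="${klist} --json -c $cache"
klistplain="${klist} -c $cache"
klist="${klist} --hidden -v -c $cache"
kgetcred="${kgetcred} -c $cache"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kx509="${kx509} -c $cache"

# Exported so the KDC and the client libraries read the test configuration
# and keep their pid and IPC files inside the build directory.
KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
export KRB5_CONFIG
HEIM_PIDFILE_DIR=$objdir
export HEIM_PIDFILE_DIR
HEIM_IPC_DIR=$objdir
export HEIM_IPC_DIR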
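# Probe the build for what this test needs: a real RSA implementation and a
# random source in hx509, and PKINIT support in kinit.  The hxtool output is
# captured once and grepped twice instead of running hxtool per check.
rsa=yes
pkinit=no
hxinfo=$(${hxtool} info)
if printf '%s\n' "$hxinfo" | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if printf '%s\n' "$hxinfo" | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi

if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

# If we don't support pkinit or lack RSA, give up (77 = test skipped).
# Two separate tests instead of the deprecated, ambiguous "-o" operator.
if test "$pkinit" != yes || test "$rsa" != yes ; then
    exit 77
fi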
# Start every run from an empty database and an empty KDC log.
rm -f current-db* out-* mkey.file*
: > messages.log

printf '%s\n' 'Creating database'
# baz is the principal whose certificate subject is mapped through
# --pkinit-acl; the other users get certificates with SANs instead.
${kadmin} <<EOF || exit 1
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
modify --max-ticket-life=5d krbtgt/${R}@${R}
add -p foo --use-defaults foo@${R}
add -p bar --use-defaults bar@${R}
add -p baz --use-defaults baz@${R}
add -p foo --use-defaults host/server.test.h5l.se@${R}
modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R}
add -p kaka --use-defaults ${server}@${R}
check ${R}
EOF
# Enterprise-style alias for baz, matched by the UPN in pkinit4.crt below.
if ! ${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R}; then
    exit 1
fi
# XXX Do not use committed, in-tree private keys or certificates!
# XXX Add hxtool command to generate a private key w/o generating a CSR
# XXX Use hxtool to generate a fresh private key
# XXX Use hxtool to generate self-signed CA certs
# XXX Use PEM-FILE and store private key and certificate in same file
# XXX Update krb5.conf.in to use ${objdir}-relative keys and certificates

printf '%s\n' "Setting up certificates"
# Three CSRs, all on the same test key (key2.der): one for the KDC and two
# client requests (bar, baz) that are signed several times below with
# different SAN/UPN contents.
${hxtool} request-create \
    --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-kdc.der || exit 1
${hxtool} request-create \
    --subject="CN=bar,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-pkinit.der || exit 1
${hxtool} request-create \
    --subject="CN=baz,DC=test,DC=h5l,DC=se" \
    --key=FILE:${keyfile2} \
    req-pkinit2.der || exit 1

printf '%s\n' "issue self-signed ca cert"
${hxtool} issue-certificate \
    --self-signed \
    --issue-ca \
    --ca-private-key=FILE:${keyfile} \
    --subject="CN=CA,DC=test,DC=h5l,DC=se" \
    --certificate="FILE:ca.crt" || exit 1

# Issuer for every leaf certificate below: the CA cert just written plus
# its private key.
cacert="FILE:${objdir}/ca.crt,${keyfile}"

printf '%s\n' "issue kdc certificate"
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-kdc" \
    --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
    --req="PKCS10:req-kdc.der" \
    --certificate="FILE:kdc.crt" || exit 1

printf '%s\n' "issue user certificate (pkinit san)"
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-client" \
    --pk-init-principal="bar@TEST.H5L.SE" \
    --req="PKCS10:req-pkinit.der" \
    --lifetime=7d \
    --certificate="FILE:pkinit.crt" || exit 1

printf '%s\n' "issue user certificate (pkinit san; synthetic principal)"
# The SAN names a principal that does not exist in the database.
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-client" \
    --pk-init-principal="synthetized@TEST.H5L.SE" \
    --req="PKCS10:req-pkinit.der" \
    --lifetime=7d \
    --certificate="FILE:pkinit-synthetic.crt" || exit 1

printf '%s\n' "issue user 2 certificate (no san)"
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-client" \
    --req="PKCS10:req-pkinit2.der" \
    --certificate="FILE:pkinit2.crt" || exit 1

printf '%s\n' "issue user 3 certificate (ms san)"
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-client" \
    --ms-upn="bar@test.h5l.se" \
    --req="PKCS10:req-pkinit2.der" \
    --certificate="FILE:pkinit3.crt" || exit 1

printf '%s\n' "issue user 3 certificate (ms san, baz2)"
${hxtool} issue-certificate \
    --ca-certificate=${cacert} \
    --type="pkinit-client" \
    --ms-upn="baz2\\@test.h5l.se@${R}" \
    --req="PKCS10:req-pkinit2.der" \
    --certificate="FILE:pkinit4.crt" || exit 1

printf '%s\n' "issue self-signed kx509 template cert"
# Single quotes are deliberate: ${principal-component0} is a kx509 template
# placeholder, not a shell variable.
${hxtool} issue-certificate \
    --self-signed \
    --ca-private-key=FILE:${keyfile} \
    --subject='CN=${principal-component0},DC=test,DC=h5l,DC=se' \
    --certificate="FILE:kx509-template.crt" || exit 1

# Plain-text password of the foo principal (matches the kadmin add above).
printf '%s\n' foo > ${objdir}/foopassword
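echo Starting kdc ; > messages.log
# First KDC instance uses the krb5-pkinit2.conf profile; it is restarted
# further down with krb5-pkinit.conf.  KRB5_CONFIG keeps its export
# attribute from the earlier export.
KRB5_CONFIG="${objdir}/krb5-pkinit2.conf"
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
# $(...) instead of backticks; the pid is needed for the cleanup trap and
# the leak-checking shutdown.
kdcpid=$(getpid kdc)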
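#######################################
# Failure/interrupt teardown, installed as the EXIT/INT/TERM trap: kill the
# KDC, dump its log and the certificates involved, then fail the test.
# Globals:  kdcpid (read)
# Returns:  never; exits 1
#######################################
cleanup() {
    echo signal killing kdc
    # Only signal when a pid was actually recorded, so a failure before the
    # KDC started does not turn into a kill usage error.
    [ -n "${kdcpid}" ] && kill -9 "${kdcpid}"
    # Disarm the traps so the exit below does not re-enter this function.
    trap '' EXIT INT TERM
    cat messages.log
    cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt
    exit 1
}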
trap cleanup EXIT INT TERM

ec=0

# Each scenario obtains a TGT through PKINIT, fetches a service ticket for
# ${server}, lists the cache and destroys it.  A failing step evaluates
# ${testfailed}, which dumps messages.log and exits 1.  The jq checks are
# skipped when no usable jq is installed; they compare the TGT expiry
# reported by klist --json against the lifetime the KDC should have granted.

echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log
base="${objdir}"
if ! ${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${klist}
if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
    # 5d was requested: fail if fewer than 4 days remain on the ticket.
    ${klistjson} |
        jq -e '(((.tickets[0].Expires|
                  strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
               (floor < 4)' >/dev/null &&
        { ec=1 ; eval "${testfailed}"; }
fi
${kdestroy}

echo "Trying pk-init (principal in cert; synthetic)"; > messages.log
base="${objdir}"
if ! ${kinit} --lifetime=5d -C FILE:${base}/pkinit-synthetic.crt,${keyfile2} synthetized@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${klist}
${kdestroy}

echo "Restarting kdc ($kdcpid)"
sh ${leaks_kill} kdc $kdcpid || ec=1
KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=$(getpid kdc)

echo "Trying pk-init (principal in cert)"; > messages.log
base="${objdir}"
if ! ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${klist}
if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
    # No lifetime requested: fail if two or more days remain.
    ${klistjson} |
        jq -e '(((.tickets[0].Expires|
                  strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
               (floor > 1)' >/dev/null &&
        { ec=1 ; eval "${testfailed}"; }
fi
${kdestroy}

echo "Trying pk-init (principal in cert; longer max_life from cert ext)"; > messages.log
# Re-issue cert with --pkinit-max-life=7d
${hxtool} issue-certificate \
    --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
    --type="pkinit-client" \
    --pk-init-principal="bar@TEST.H5L.SE" \
    --req="PKCS10:req-pkinit.der" \
    --lifetime=7d \
    --pkinit-max-life=7d \
    --certificate="FILE:pkinit.crt" || exit 1
base="${objdir}"
if ! ${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${klist}
if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
    # With the cert extension in place the 5d request must be honoured
    # again: fail if fewer than 4 days remain.
    ${klistjson} |
        jq -e '(((.tickets[0].Expires|
                  strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
               (floor < 4)' >/dev/null &&
        { ec=1 ; eval "${testfailed}"; }
fi
echo "Check kx509 certificate acquisition"
# kx509 works from the TGT the preceding kinit left in the cache.
if ! ${kx509} -s; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kx509} -o PEM-FILE:${objdir}/kx509.pem; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Check PKINIT w/ kx509 certificate"
# The kx509-issued credential, written as a PEM-FILE, must itself be usable
# for PKINIT.
if ! ${kinit} -C PEM-FILE:${objdir}/kx509.pem bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi

echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
# bar's certificate, but authenticating as foo: relies on the mapping file
# referenced from the krb5 configuration.
if ! ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (principal subject in DB)"; > messages.log
# pkinit2.crt has no SAN; the KDC matches its subject against the
# --pkinit-acl set on baz when the database was created.
if ! ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (ms upn)"; > messages.log
if ! ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (ms upn, enterprise)"; > messages.log
# pkinit4.crt carries the UPN baz2\@test.h5l.se@${R}, which matches the
# alias added to baz.
if ! ${kinit} --canonicalize --enterprise \
        -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (ms upn, enterprise, pk-enterprise)"; > messages.log
# Only the realm is given; the client principal comes from the certificate.
if ! ${kinit} --canonicalize \
        --pk-enterprise \
        -C FILE:${base}/pkinit4.crt,${keyfile2} ${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}
# Repeat the core scenarios against the Windows 2000 compatibility profile,
# then switch back to the default test configuration.
KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
export KRB5_CONFIG

echo "Duplicated tests, now in windows 2000 mode"

echo "Trying pk-init (principal in cert)"; > messages.log
base="${objdir}"
if ! ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
if ! ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (principal subject in DB)"; > messages.log
if ! ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

echo "Trying pk-init (ms upn)"; > messages.log
if ! ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R}; then
    ec=1 ; eval "${testfailed}"
fi
if ! ${kgetcred} ${server}@${R}; then
    ec=1 ; eval "${testfailed}"
fi
${kdestroy}

KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
export KRB5_CONFIG
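echo "Trying PKCS11 support"

# Configuration for the soft PKCS#11 token: it exposes bar's client
# certificate and key so kinit can reach them through a PKCS11 identity.
# NOTE(review): the fields are written tab-separated here — confirm that is
# what the soft-PKCS#11 rc reader expects.
cat > test-rc-file.rc <<EOF
certificate	cert	User certificate	FILE:${base}/pkinit.crt,${keyfile2}
app-fatal	true
EOF

SOFTPKCS11RC="test-rc-file.rc"
export SOFTPKCS11RC

# Locate the built hx509 library, which is loaded as the PKCS#11 module.
dir=${base}/../../lib/hx509
file=
for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
    if [ -f "$dir/$a" ] ; then
        file="$dir/$a"
        break
    fi
done

# @DLOPEN@ is substituted by configure and tested as a non-empty string,
# never executed.  Two test invocations replace the deprecated "-a", which
# also produced a test(1) syntax error when the substitution was empty.
# NOTE(review): confirm configure substitutes an empty value when dlopen is
# unavailable, otherwise this branch always runs.
if [ X"$file" != X ] && [ @DLOPEN@ ] ; then
    echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
    if ! ${kinit} -C PKCS11:${file} foo@${R}; then
        ec=1 ; eval "${testfailed}"
    fi
    if ! ${kgetcred} ${server}@${R}; then
        ec=1 ; eval "${testfailed}"
    fi
    ${kdestroy}
fi

echo "killing kdc (${kdcpid})"
sh ${leaks_kill} kdc $kdcpid || ec=1

# Normal completion: disarm the failure trap before exiting with the
# accumulated status.
trap '' EXIT

exit $ec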