Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/krb5/src/tests/t_certauth.py
34878 views
1
from k5test import *

2


3
# Skip this test if pkinit wasn't built.

4
if not pkinit_enabled:

5
    skip_rest('certauth tests', 'PKINIT module not built')

6


7
modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',

8
                       'certauth_test.so')

9
krb5_conf = {'plugins': {'certauth': {

10
    'module': ['test1:' + modpath, 'test2:' + modpath, 'test3:' + modpath],

11
    'enable_only': ['test1', 'test2', 'test3']}}}

12
kdc_conf = {'realms': {'$realm': {

13
    'default_principal_flags': '+preauth',

14
    'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}

15


16
realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, get_creds=False,

17
                pkinit=True)

18
realm.addprinc('nocert')

19


20
def check_indicators(inds):

21
    msg = '+97: [%s]' % inds

22
    realm.run(['./adata', realm.host_princ], expected_msg=msg)

23


24
# Test that authentication fails if no module accepts.

25
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')

26


27
# Let the test2 module match user to CN=user, with indicators.

28
realm.pkinit(realm.user_princ)

29
realm.klist(realm.user_princ)

30
check_indicators('test1, test2, user, indpkinit1, indpkinit2')

31


32
# Let the test2 module mismatch with user2 to CN=user.

33
realm.addprinc('[email protected]')

34
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')

35


36
# Test the KRB5_CERTAUTH_HWAUTH return code.

37
mark('hw-authent flag tests')

38
# First test +requires_hwauth without causing the hw-authent ticket

39
# flag to be set.  This currently results in a preauth loop.

40
realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])

41
realm.pkinit(realm.user_princ, expected_code=1,

42
             expected_msg='Looping detected')

43
# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH and try again.

44
# Authentication should succeed whether or not another module accepts,

45
# but not if another module rejects.

46
realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'ok'])

47
realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'ok'])

48
realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'ok'])

49
realm.pkinit(realm.user_princ)

50
check_indicators('test1, test2, user, hwauth:ok, indpkinit1, indpkinit2')

51
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')

52
realm.pkinit('nocert')

53
check_indicators('test1, hwauth:ok, indpkinit1, indpkinit2')

54


55
# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH_PASS and try

56
# again.  Authentication should succeed only if another module accepts.

57
realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'pass'])

58
realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'pass'])

59
realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'pass'])

60
realm.pkinit(realm.user_princ)

61
check_indicators('test1, test2, user, hwauth:pass, indpkinit1, indpkinit2')

62
realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')

63
realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')

64


65
success("certauth tests")

66


67