1from k5test import *
2
3# Skip this test if pkinit wasn't built.
4if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
5    skip_rest('certauth tests', 'PKINIT module not built')
6
7certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
8ca_pem = os.path.join(certs, 'ca.pem')
9kdc_pem = os.path.join(certs, 'kdc.pem')
10privkey_pem = os.path.join(certs, 'privkey.pem')
11user_pem = os.path.join(certs, 'user.pem')
12
13modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
14                       'certauth_test.so')
15pkinit_krb5_conf = {'realms': {'$realm': {
16            'pkinit_anchors': 'FILE:%s' % ca_pem}},
17            'plugins': {'certauth': {'module': ['test1:' + modpath,
18                                                'test2:' + modpath],
19                                     'enable_only': ['test1', 'test2']}}}
20pkinit_kdc_conf = {'realms': {'$realm': {
21            'default_principal_flags': '+preauth',
22            'pkinit_eku_checking': 'none',
23            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
24            'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
25
26file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
27
28realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
29                get_creds=False)
30
31# Let the test module match user to CN=user, with indicators.
32realm.kinit(realm.user_princ,
33            flags=['-X', 'X509_user_identity=%s' % file_identity])
34realm.klist(realm.user_princ)
35realm.run([kvno, realm.host_princ])
36realm.run(['./adata', realm.host_princ],
37          expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
38
39# Let the test module mismatch with user2 to CN=user.
40realm.addprinc("user2@KRBTEST.COM")
41out = realm.kinit("user2@KRBTEST.COM",
42                  flags=['-X', 'X509_user_identity=%s' % file_identity],
43                  expected_code=1,
44                  expected_msg='kinit: Certificate mismatch')
45
46# Test the KRB5_CERTAUTH_HWAUTH return code.
47mark('hw-authent flag tests')
48# First test +requires_hwauth without causing the hw-authent ticket
49# flag to be set.  This currently results in a preauth loop.
50realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
51realm.kinit(realm.user_princ,
52            flags=['-X', 'X509_user_identity=%s' % file_identity],
53            expected_code=1, expected_msg='Looping detected')
54# Cause the test2 module to return KRB5_CERTAUTH_HWAUTH and try again.
55realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'x'])
56realm.kinit(realm.user_princ,
57            flags=['-X', 'X509_user_identity=%s' % file_identity])
58
59success("certauth tests")
60