From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 09:58:52 +0100
Subject: [PATCH 16/16] add tests multiple certs same id
Add unit test for the case that two certificates use the same key.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++
src/tests/test_CA/Makefile.am | 26 ++++-
src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++
3 files changed, 161 insertions(+), 1 deletion(-)
create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config
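--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -40,12 +40,14 @@
 #include "tests/test_CA/SSSD_test_cert_x509_0001.h"
 #include "tests/test_CA/SSSD_test_cert_x509_0002.h"
 #include "tests/test_CA/SSSD_test_cert_x509_0005.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0006.h"
 
 #include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h"
 #else
 #define SSSD_TEST_CERT_0001 ""
 #define SSSD_TEST_CERT_0002 ""
 #define SSSD_TEST_CERT_0005 ""
+#define SSSD_TEST_CERT_0006 ""
 
 #define SSSD_TEST_ECC_CERT_0001 ""
 #endif
@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status,
 return EOK;
 }
 
+static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ /* PAM_AUTH_ERR is returned for different types of error, we use different
+ * names for the check functions to make the purpose more clear. */
+ return test_pam_wrong_pw_offline_auth_check(status, body, blen);
+}
+
 static int test_pam_user_unknown_check(uint32_t status,
 uint8_t *body, size_t blen)
 {
@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
 assert_int_equal(ret, EOK);
 }
 
+/* The following three tests cover a use case where multiple certificates are
+ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is
+ * intended to distinguish among multiple keys. In the case of public and
+ * private keys, this field assists in handling multiple keys held by the same
+ * subject; the key identifier for a public key and its corresponding private
+ * key should be the same. The key identifier should also be the same as for
+ * the corresponding certificate, if one exists. Cryptoki does not enforce
+ * these associations, however." As a result certificates sharing the same
+ * key-pair will have the same id on the Smartcard. This means a second
+ * parameter is needed to distinguish them. We use the label here.
+ *
+ * The first test makes sure authentication fails is the label is missing, the
+ * second and third test make sure that each certificate can be selected with
+ * the proper label. */
+void test_pam_cert_auth_2certs_same_id_no_label(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ NULL, NULL,
+ NULL, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_auth_err_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_1(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0001", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_6(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0006", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
 void test_pam_cert_preauth_uri_token1(void **state)
 {
 int ret;
@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[])
 pam_test_setup, pam_test_teardown),
 cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
 pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6,
+ pam_test_setup, pam_test_teardown),
 cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
 pam_test_setup, pam_test_teardown),
 cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,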
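Review bot: In `test_pam_cert_auth_2certs_same_id_no_label` the only evidence that the ambiguous certificate was rejected is `test_pam_auth_err_check`, which forwards to `test_pam_wrong_pw_offline_auth_check` (defined outside this section) and so presumably accepts any PAM_AUTH_ERR, including one caused by a missing or empty SoftHSM token. The two `with_label` tests act as a positive control for the token, but the negative test does not say why it expects failure, and the copied comment `/* Assume backend cannot handle Smartcard credentials */` does not describe this case. I would replace it there with `/* Two certificates share id 11111111; without a label the selection is ambiguous and authentication must fail */`, and fix the typo in the block comment ("fails is the label" should read "fails if the label"). The three test bodies differ only in label, lookup callback, certificate and check function, so a shared static helper taking those four values would keep them from drifting apart.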
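--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
 SSSD_test_cert_0003.config \
 SSSD_test_cert_0004.config \
 SSSD_test_cert_0005.config \
+ SSSD_test_cert_0006.config \
 SSSD_test_cert_key_0001.pem \
 SSSD_test_cert_key_0002.pem \
 SSSD_test_cert_key_0003.pem \
@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
 pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
 pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
 
-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id
 if HAVE_FAKETIME
 extra += SSSD_test_CA_expired_crl.pem
 endif
@@ -41,6 +42,14 @@ $(pwdfile):
 SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
 $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
 
+# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001
+.INTERMEDIATE: SSSD_test_cert_req_0006.pem
+SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config
+ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \
+ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ else \
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ fi
 
 SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
 if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \
@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test
 SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
 $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
 
+SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile)
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@
+
 SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
 $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
 
@@ -130,6 +142,18 @@ softhsm2_ocsp.conf:
 @echo "objectstore.backend = file" >> $@
 @echo "slots.removable = true" >> $@
 
+softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+
+softhsm2_2certs_same_id.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
 CLEANFILES = \
 index.txt index.txt.attr \
 index.txt.attr.old index.txt.old \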
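Review bot: The `softhsm2_2certs_same_id` rule creates its target directory with `mkdir $@` before the token is initialised and the objects are written, so if `$(SOFTHSM2_UTIL)` or any `$(P11TOOL)` step fails the directory stays behind and make is likely to treat the token as built on the next run. A half-populated token would let the `no_label` test in test_pam_srv.c pass for the wrong reason, since it only expects an authentication error. Ending each step with `|| { rm -rf $@; exit 1; }` removes the partial token on failure; the neighbouring softhsm2_* rules are outside this hunk and may share the pattern. The explicit `SSSD_test_cert_req_0006.pem` rule also repeats the recipe of the pattern rule below it with only the key file changed, so a comment saying the two must be kept in sync would help.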
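--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0006.config
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_pam_srv.c
+# and should use the same key-pair as SSSD_test_cert_0001
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0006
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//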
--
2.21.3