From a0cdc3bdf0e7f8ef15997f269b6f1ca5cab85825 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Nov 2018 14:06:03 +0100
Subject: [PATCH 68/74] tests: add ECC CA
To be able to test certificates with elliptic curve (EC) keys a new test
CA using keys of this kind is added.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 6 +-
configure.ac | 1 +
src/tests/test_ECC_CA/Makefile.am | 95 +++++++++++++++++++
src/tests/test_ECC_CA/SSSD_test_ECC_CA.config | 47 +++++++++
.../test_ECC_CA/SSSD_test_ECC_CA_key.pem | 9 ++
.../SSSD_test_ECC_cert_0001.config | 20 ++++
.../SSSD_test_ECC_cert_key_0001.pem | 9 ++
7 files changed, 185 insertions(+), 2 deletions(-)
create mode 100644 src/tests/test_ECC_CA/Makefile.am
create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_CA.config
create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem
create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config
create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem
diff --git a/Makefile.am b/Makefile.am
|
|
|
71e593 |
index 3667856c6..430506028 100644
|
|
|
71e593 |
--- a/Makefile.am
|
|
|
71e593 |
+++ b/Makefile.am
|
|
|
71e593 |
@@ -21,7 +21,8 @@ if HAVE_MANPAGES
|
|
|
71e593 |
SUBDIRS += src/man
|
|
|
71e593 |
endif
|
|
|
71e593 |
|
|
|
71e593 |
-SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
|
|
|
71e593 |
+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA \
|
|
|
71e593 |
+ src/tests/test_ECC_CA
|
|
|
71e593 |
|
|
|
71e593 |
# Some old versions of automake don't define builddir
|
|
|
71e593 |
builddir ?= .
|
|
|
71e593 |
@@ -5394,8 +5395,9 @@ CLEANFILES += *.X */*.X */*/*.X
|
|
|
71e593 |
|
|
|
71e593 |
test_CA: test_CA.stamp
|
|
|
71e593 |
|
|
|
71e593 |
-test_CA.stamp: $(srcdir)/src/tests/test_CA/*
|
|
|
71e593 |
+test_CA.stamp: $(srcdir)/src/tests/test_CA/* $(srcdir)/src/tests/test_ECC_CA/*
|
|
|
71e593 |
$(MAKE) -C src/tests/test_CA ca_all
|
|
|
71e593 |
+ $(MAKE) -C src/tests/test_ECC_CA ca_all
|
|
|
71e593 |
touch $@
|
|
|
71e593 |
|
|
|
71e593 |
if BUILD_TEST_CA
|
|
|
71e593 |
diff --git a/configure.ac b/configure.ac
|
|
|
71e593 |
index 5816b04c6..fb01a7c3b 100644
|
|
|
71e593 |
--- a/configure.ac
|
|
|
71e593 |
+++ b/configure.ac
|
|
|
71e593 |
@@ -521,6 +521,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
|
|
|
71e593 |
src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
|
|
|
71e593 |
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
|
|
|
71e593 |
src/tests/intg/Makefile src/tests/test_CA/Makefile
|
|
|
71e593 |
+ src/tests/test_ECC_CA/Makefile
|
|
|
71e593 |
src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy
|
|
|
71e593 |
src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy
|
|
|
71e593 |
src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy
|
|
|
71e593 |
diff --git a/src/tests/test_ECC_CA/Makefile.am b/src/tests/test_ECC_CA/Makefile.am
|
|
|
71e593 |
new file mode 100644
|
|
|
71e593 |
index 000000000..47af991c3
|
|
|
71e593 |
--- /dev/null
|
|
|
71e593 |
+++ b/src/tests/test_ECC_CA/Makefile.am
|
|
|
71e593 |
@@ -0,0 +1,95 @@
|
|
|
71e593 |
+dist_noinst_DATA = \
|
|
|
71e593 |
+ SSSD_test_ECC_CA.config \
|
|
|
71e593 |
+ SSSD_test_ECC_CA_key.pem \
|
|
|
71e593 |
+ SSSD_test_ECC_cert_0001.config \
|
|
|
71e593 |
+ SSSD_test_ECC_cert_key_0001.pem
|
|
|
71e593 |
+
|
|
|
71e593 |
+openssl_ecc_ca_config = $(srcdir)/SSSD_test_ECC_CA.config
|
|
|
71e593 |
+openssl_ecc_ca_key = $(srcdir)/SSSD_test_ECC_CA_key.pem
|
|
|
71e593 |
+pwdfile = pwdfile
|
|
|
71e593 |
+
|
|
|
71e593 |
+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_ECC_cert_*.config))
|
|
|
71e593 |
+ids := $(subst SSSD_test_ECC_cert_,,$(basename $(configs)))
|
|
|
71e593 |
+certs = $(addprefix SSSD_test_ECC_cert_x509_,$(addsuffix .pem,$(ids)))
|
|
|
71e593 |
+certs_h = $(addprefix SSSD_test_ECC_cert_x509_,$(addsuffix .h,$(ids)))
|
|
|
71e593 |
+pubkeys = $(addprefix SSSD_test_ECC_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
|
|
|
71e593 |
+pubkeys_h = $(addprefix SSSD_test_ECC_cert_pubsshkey_,$(addsuffix .h,$(ids)))
|
|
|
71e593 |
+pkcs12 = $(addprefix SSSD_test_ECC_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
|
|
71e593 |
+
|
|
|
71e593 |
+if HAVE_NSS
|
|
|
71e593 |
+extra = p11_ecc_nssdb
|
|
|
71e593 |
+else
|
|
|
71e593 |
+extra = softhsm2_ecc_one p11_ecc_nssdb
|
|
|
71e593 |
+endif
|
|
|
71e593 |
+
|
|
|
71e593 |
+# If openssl is run in parallel there might be conflicts with the serial
|
|
|
71e593 |
+.NOTPARALLEL:
|
|
|
71e593 |
+
|
|
|
71e593 |
+ca_all: clean serial SSSD_test_ECC_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
|
|
|
71e593 |
+
|
|
|
71e593 |
+$(pwdfile):
|
|
|
71e593 |
+ @echo "123456" > $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_CA.pem: $(openssl_ecc_ca_key) $(openssl_ecc_ca_config) serial
|
|
|
71e593 |
+ $(OPENSSL) req -batch -config ${openssl_ecc_ca_config} -x509 -new -nodes -key $< -sha384 -days 1024 -set_serial 0 -extensions v3_ca -out $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_req_%.pem: $(srcdir)/SSSD_test_ECC_cert_key_%.pem $(srcdir)/SSSD_test_ECC_cert_%.config
|
|
|
71e593 |
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_ECC_cert_$*.config -out $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_x509_%.pem: SSSD_test_ECC_cert_req_%.pem $(openssl_ecc_ca_config) SSSD_test_ECC_CA.pem
|
|
|
71e593 |
+ $(OPENSSL) ca -config ${openssl_ecc_ca_config} -batch -notext -keyfile $(openssl_ecc_ca_key) -in $< -days 200 -extensions usr_cert -out $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_pkcs12_%.pem: SSSD_test_ECC_cert_x509_%.pem $(srcdir)/SSSD_test_ECC_cert_key_%.pem $(pwdfile)
|
|
|
71e593 |
+ $(OPENSSL) pkcs12 -export -in SSSD_test_ECC_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_ECC_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_pubkey_%.pem: SSSD_test_ECC_cert_x509_%.pem
|
|
|
71e593 |
+ $(OPENSSL) x509 -in $< -pubkey -noout > $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_pubsshkey_%.pub: SSSD_test_ECC_cert_pubkey_%.pem
|
|
|
71e593 |
+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_x509_%.h: SSSD_test_ECC_cert_x509_%.pem
|
|
|
71e593 |
+ @echo "#define SSSD_TEST_ECC_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+SSSD_test_ECC_cert_pubsshkey_%.h: SSSD_test_ECC_cert_pubsshkey_%.pub
|
|
|
71e593 |
+ @echo "#define SSSD_TEST_ECC_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+
|
|
|
71e593 |
+p11_ecc_nssdb: SSSD_test_ECC_cert_pkcs12_0001.pem SSSD_test_ECC_CA.pem $(pwdfile)
|
|
|
71e593 |
+ mkdir $@
|
|
|
71e593 |
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
|
|
|
71e593 |
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test ECC CA' -t CT,CT,CT -a -i SSSD_test_ECC_CA.pem -f $(pwdfile)
|
|
|
71e593 |
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_ECC_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
|
|
|
71e593 |
+
|
|
|
71e593 |
+
|
|
|
71e593 |
+softhsm2_ecc_one: softhsm2_ecc_one.conf
|
|
|
71e593 |
+ mkdir $@
|
|
|
71e593 |
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test ECC Token" --pin 123456 --so-pin 123456 --free
|
|
|
71e593 |
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_ECC_cert_x509_0001.pem --login --label 'SSSD test ECC cert 0001' --id '190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB'
|
|
|
71e593 |
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_ECC_cert_key_0001.pem --login --label 'SSSD test ECC cert 0001' --id '190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB'
|
|
|
71e593 |
+
|
|
|
71e593 |
+softhsm2_ecc_one.conf:
|
|
|
71e593 |
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_ECC_CA/softhsm2_ecc_one" > $@
|
|
|
71e593 |
+ @echo "objectstore.backend = file" >> $@
|
|
|
71e593 |
+ @echo "slots.removable = true" >> $@
|
|
|
71e593 |
+
|
|
|
71e593 |
+CLEANFILES = \
|
|
|
71e593 |
+ index.txt index.txt.attr \
|
|
|
71e593 |
+ index.txt.attr.old index.txt.old \
|
|
|
71e593 |
+ serial serial.old \
|
|
|
71e593 |
+ SSSD_test_ECC_CA.pem $(pwdfile) \
|
|
|
71e593 |
+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
|
|
|
71e593 |
+ softhsm2_*.conf \
|
|
|
71e593 |
+ $(NULL)
|
|
|
71e593 |
+
|
|
|
71e593 |
+clean-local:
|
|
|
71e593 |
+ rm -rf newcerts
|
|
|
71e593 |
+ rm -rf p11_ecc_nssdb
|
|
|
71e593 |
+ rm -rf softhsm*
|
|
|
71e593 |
+
|
|
|
71e593 |
+serial: clean
|
|
|
71e593 |
+ touch index.txt
|
|
|
71e593 |
+ touch index.txt.attr
|
|
|
71e593 |
+ mkdir newcerts
|
|
|
71e593 |
+ echo -n 01 > serial
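Review bot: The `SSSD_test_ECC_cert_x509_%.h` rule re-encodes the certificate with a bare `openssl` inside `$(shell …)` rather than the configured `$(OPENSSL)` used everywhere else in this file, and because `$(shell)` discards the pipeline's exit status a failure there still writes `#define SSSD_TEST_ECC_CERT_0001 ""` and leaves the target looking up to date, so a later cmocka test would run against an empty certificate instead of a build error. Running the pipeline in the recipe's shell and refusing an empty result propagates the failure: `@der=$$($(OPENSSL) x509 -in $< -outform der | base64 -w 0) && test -n "$$der" && printf '#define SSSD_TEST_ECC_CERT_%s "%s"\n' '$*' "$$der" > $@`. The `$(shell cut …)` in the `.pub` header rule has the same silent-failure shape. Adding `.DELETE_ON_ERROR:` next to `.NOTPARALLEL:` would additionally stop a half-written `.pem` or `.h` from surviving a failed recipe; and the hard-coded CKA_ID `190E51…` shared by the softhsm2 certificate and key objects presumably has to stay identical for the pair to be matched, which deserves a comment saying how it was derived so it is not changed on only one of the two lines.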
|
|
|
71e593 |
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config b/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config
|
|
|
71e593 |
new file mode 100644
|
|
|
71e593 |
index 000000000..c1e4e22a6
|
|
|
71e593 |
--- /dev/null
|
|
|
71e593 |
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config
|
|
|
71e593 |
@@ -0,0 +1,47 @@
|
|
|
71e593 |
+[ ca ]
|
|
|
71e593 |
+default_ca = ECC_CA_default
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ ECC_CA_default ]
|
|
|
71e593 |
+dir = .
|
|
|
71e593 |
+database = $dir/index.txt
|
|
|
71e593 |
+new_certs_dir = $dir/newcerts
|
|
|
71e593 |
+
|
|
|
71e593 |
+certificate = $dir/SSSD_test_ECC_CA.pem
|
|
|
71e593 |
+serial = $dir/serial
|
|
|
71e593 |
+private_key = $dir/SSSD_test_ECC_CA_key.pem
|
|
|
71e593 |
+RANDFILE = $dir/rand
|
|
|
71e593 |
+
|
|
|
71e593 |
+default_days = 365
|
|
|
71e593 |
+default_crl_days = 30
|
|
|
71e593 |
+default_md = sha256
|
|
|
71e593 |
+
|
|
|
71e593 |
+policy = policy_any
|
|
|
71e593 |
+email_in_dn = no
|
|
|
71e593 |
+
|
|
|
71e593 |
+name_opt = ca_default
|
|
|
71e593 |
+cert_opt = ca_default
|
|
|
71e593 |
+copy_extensions = copy
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ usr_cert ]
|
|
|
71e593 |
+authorityKeyIdentifier = keyid, issuer
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ v3_ca ]
|
|
|
71e593 |
+subjectKeyIdentifier = hash
|
|
|
71e593 |
+authorityKeyIdentifier = keyid:always,issuer:always
|
|
|
71e593 |
+basicConstraints = CA:true
|
|
|
71e593 |
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ policy_any ]
|
|
|
71e593 |
+organizationName = supplied
|
|
|
71e593 |
+organizationalUnitName = supplied
|
|
|
71e593 |
+commonName = supplied
|
|
|
71e593 |
+emailAddress = optional
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ req ]
|
|
|
71e593 |
+distinguished_name = req_distinguished_name
|
|
|
71e593 |
+prompt = no
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ req_distinguished_name ]
|
|
|
71e593 |
+O = SSSD
|
|
|
71e593 |
+OU = SSSD test
|
|
|
71e593 |
+CN = SSSD test ECC CA
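Review bot: `basicConstraints = CA:true` in `[ v3_ca ]` is not marked critical, although RFC 5280 §4.2.1.9 requires conforming CAs to mark it critical in CA certificates; `basicConstraints = critical, CA:true` makes the test CA carry the same profile a real one would, which matters when the certificates are used to exercise validation code. `copy_extensions = copy` combined with `policy_any` means the issued certificate's basicConstraints and keyUsage come verbatim from the request, not from the CA's `[ usr_cert ]` section; that is acceptable only because the CSRs are generated by the same Makefile, so a comment such as `# copy_extensions is safe here only because the CSRs are built in this tree; never reuse this config for a real CA` would stop the file from being copied elsewhere. `default_md = sha256` signs leaf certificates with SHA-256 while the self-signed CA certificate is built with `-sha384` and the CA key's EC PARAMETERS OID indicates secp384r1; `default_md = sha384` would be consistent with the key strength, though the tests presumably do not depend on the digest.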
|
|
|
71e593 |
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem b/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem
|
|
|
71e593 |
new file mode 100644
|
|
|
71e593 |
index 000000000..c5cb3ef42
|
|
|
71e593 |
--- /dev/null
|
|
|
71e593 |
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem
|
|
|
71e593 |
@@ -0,0 +1,9 @@
|
|
|
71e593 |
+-----BEGIN EC PARAMETERS-----
|
|
|
71e593 |
+BgUrgQQAIg==
|
|
|
71e593 |
+-----END EC PARAMETERS-----
|
|
|
71e593 |
+-----BEGIN EC PRIVATE KEY-----
|
|
|
71e593 |
+MIGkAgEBBDBKk+ue3IyidXo3+befiqrcKrpVpy/pWz9CMTIALHMBc/a83Q3h9yEB
|
|
|
71e593 |
+CNpdsF8B2zegBwYFK4EEACKhZANiAAR/mCPIYxyT4tbjgpJT+oKCGfGjfs3FVnRr
|
|
|
71e593 |
+GLnNnT/L2b9PACMjjugM/1RNOuLdzRFBVWlQ80ISH5w17R2uhbiDJ/Q254Ele4Ak
|
|
|
71e593 |
+5e2nR/9x0ZIAqc05tkBDhsXfJ3id3/0=
|
|
|
71e593 |
+-----END EC PRIVATE KEY-----
|
|
|
71e593 |
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config
|
|
|
71e593 |
new file mode 100644
|
|
|
71e593 |
index 000000000..17c9192d4
|
|
|
71e593 |
--- /dev/null
|
|
|
71e593 |
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config
|
|
|
71e593 |
@@ -0,0 +1,20 @@
|
|
|
71e593 |
+# This certificate is used in
|
|
|
71e593 |
+# - src/tests/cmocka/test_cert_utils.c
|
|
|
71e593 |
+# - src/tests/cmocka/test_pam_srv.c
|
|
|
71e593 |
+[ req ]
|
|
|
71e593 |
+distinguished_name = req_distinguished_name
|
|
|
71e593 |
+prompt = no
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ req_distinguished_name ]
|
|
|
71e593 |
+O = SSSD
|
|
|
71e593 |
+OU = SSSD test ECC
|
|
|
71e593 |
+CN = SSSD test ECC cert 0001
|
|
|
71e593 |
+
|
|
|
71e593 |
+[ req_exts ]
|
|
|
71e593 |
+basicConstraints = CA:FALSE
|
|
|
71e593 |
+nsCertType = client, email
|
|
|
71e593 |
+nsComment = "SSSD test Certificate"
|
|
|
71e593 |
+subjectKeyIdentifier = hash
|
|
|
71e593 |
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
|
71e593 |
+extendedKeyUsage = clientAuth, emailProtection
|
|
|
71e593 |
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
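Review bot: `keyUsage` in `[ req_exts ]` asserts `keyEncipherment` on an EC key, but RFC 5480 §3 permits only digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly with keyAgreement) in end-entity certificates whose key is id-ecPublicKey, so this looks carried over from the RSA template and a strict validator may warn on or reject the critical extension. Because the CA config uses `copy_extensions = copy`, the request's extension lands unchanged in the issued certificate; `keyUsage = critical, nonRepudiation, digitalSignature` is what an ECDSA client-authentication certificate should carry. `nsCertType` is a legacy Netscape extension and could be dropped unless a test asserts on it, and the trailing `//` in the `subjectAltName` URI is presumably kept to mirror the existing RSA fixture — if a test compares the exact string, a comment saying so would prevent a well-meant cleanup from breaking it.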
|
|
|
71e593 |
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem
|
|
|
71e593 |
new file mode 100644
|
|
|
71e593 |
index 000000000..8c9321048
|
|
|
71e593 |
--- /dev/null
|
|
|
71e593 |
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem
|
|
|
71e593 |
@@ -0,0 +1,9 @@
|
|
|
71e593 |
+-----BEGIN EC PARAMETERS-----
|
|
|
71e593 |
+BgUrgQQAIg==
|
|
|
71e593 |
+-----END EC PARAMETERS-----
|
|
|
71e593 |
+-----BEGIN EC PRIVATE KEY-----
|
|
|
71e593 |
+MIGkAgEBBDDVZu1S6+U+1Fs1eAn/6O1iX7LH2w4AaToxqutXtkrdEpuTX7SZskTQ
|
|
|
71e593 |
+UCL0Lf5oQjigBwYFK4EEACKhZANiAAQheZFBntzcARA52Gba7c01BElFRds1F439
|
|
|
71e593 |
+KotFOoDx4fJf67hmD69bKuTbWLvc7l3Lf2TKdI5GCp/u9SPhGtve0CaYm9Hcoxwp
|
|
|
71e593 |
+2yYnhq3stoW+far//4h3mQxU/hG9pj0=
|
|
|
71e593 |
+-----END EC PRIVATE KEY-----
--
2.19.1