
From a7421b5260cd2edd07ec5c0fefd240e76c5a0f03 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Nov 2018 14:01:20 +0100
Subject: [PATCH 69/74] test_pam_srv: add test for certificate with EC keys
Add an authentication test with a certificate with EC keys.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/tests/cmocka/test_pam_srv.c | 114 ++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index b29961255..f55e6222e 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -42,9 +42,13 @@
 #ifdef HAVE_TEST_CA
 #include "tests/test_CA/SSSD_test_cert_x509_0001.h"
 #include "tests/test_CA/SSSD_test_cert_x509_0002.h"
+
+#include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h"
 #else
 #define SSSD_TEST_CERT_0001 ""
 #define SSSD_TEST_CERT_0002 ""
+
+#define SSSD_TEST_ECC_CERT_0001 ""
 #endif
 
 #define TESTS_PATH "tp_" BASE_FILE_STEM
@@ -58,10 +62,16 @@
 
 #define NSS_DB_PATH_2CERTS TESTS_PATH "_2certs"
 #define NSS_DB_2CERTS "sql:"NSS_DB_PATH_2CERTS
+
+#define NSS_DB_PATH_ECC TESTS_PATH "_ecc"
+#define NSS_DB_ECC "sql:"NSS_DB_PATH_ECC
+
 #ifdef HAVE_NSS
 #define CA_DB NSS_DB
+#define ECC_CA_DB NSS_DB_ECC
 #else
 #define CA_DB ABS_BUILD_DIR"/src/tests/test_CA/SSSD_test_CA.pem"
+#define ECC_CA_DB ABS_BUILD_DIR"/src/tests/test_ECC_CA/SSSD_test_ECC_CA.pem"
 #endif
 
 #define TEST_TOKEN_NAME "SSSD Test Token"
@@ -122,6 +132,13 @@ static errno_t setup_nss_db(void)
         return ret;
     }
 
+    ret = mkdir(NSS_DB_PATH_ECC, 0775);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to create " NSS_DB_PATH_ECC ".\n");
+        return ret;
+    }
+
     child_pid = fork();
     if (child_pid == 0) { /* child */
         ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
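Review bot: The new mkdir() guard returns the raw -1 from mkdir() as the errno_t result instead of the errno it set, so a caller cannot tell EEXIST from EACCES and the `!= EOK` comparison only works by accident; the fork() failure branch later in this function already does it the other way. Suggest `if (ret == -1) { ret = errno; DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create " NSS_DB_PATH_ECC ".\n"); return ret; }`. This presumably mirrors the preceding mkdir() for NSS_DB_PATH, which is outside the hunk, so both could be fixed together. setup_nss_db continues outside this hunk.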
@@ -154,6 +171,22 @@ static errno_t setup_nss_db(void)
         return ret;
     }
 
+    child_pid = fork();
+    if (child_pid == 0) { /* child */
+        ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
+                     NSS_DB_ECC, NULL);
+        if (ret == -1) {
+            DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
+            exit(-1);
+        }
+    } else if (child_pid > 0) {
+        wait(&status);
+    } else {
+        ret = errno;
+        DEBUG(SSSDBG_FATAL_FAILURE, "fork() failed\n");
+        return ret;
+    }
+
     fp = fopen(NSS_DB_PATH"/pkcs11.txt", "w");
     if (fp == NULL) {
         DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
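Review bot: The certutil child's outcome is never examined: the parent only calls `wait(&status)` and discards both its return value and `status`, so a certutil that is missing (the child's execlp() path exits with -1) or fails leaves NSS_DB_ECC uninitialised and the problem surfaces later as an unexplained authentication failure. After the wait add `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { DEBUG(SSSDBG_FATAL_FAILURE, "certutil failed for " NSS_DB_ECC ".\n"); return EIO; }`. The DEBUG text in the child says "execl()" although the call is execlp(). The existing certutil block above this hunk presumably has the same shape; setup_nss_db continues outside the hunk.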
@@ -196,6 +229,27 @@ static errno_t setup_nss_db(void)
         return ret;
     }
 
+    fp = fopen(NSS_DB_PATH_ECC"/pkcs11.txt", "w");
+    if (fp == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
+        return ret;
+    }
+    ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
+    if (ret < 0) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+        return ret;
+    }
+    ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_ECC_CA/p11_ecc_nssdb' dbSlotDescription='SSSD Test ECC Slot' dbTokenDescription='SSSD Test ECC Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
+    if (ret < 0) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+        return ret;
+    }
+    ret = fclose(fp);
+    if (ret != 0) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
+        return ret;
+    }
+
     return EOK;
 }
 
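Review bot: When `fopen(NSS_DB_PATH_ECC"/pkcs11.txt", "w")` fails the new block does `return ret;`, but ret still holds the 0 returned by the fclose() of the previous pkcs11.txt just above the hunk, so a failed fopen() reports EOK and setup_nss_db returns success without the ECC token configuration. Replace it with `ret = errno; DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n"); return ret;` (or return EIO). The two fprintf() failure paths also return without closing fp, leaking the stream; add `fclose(fp);` before each of those returns. Whether the preceding RSA block has the same shape cannot be seen from this hunk.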
@@ -242,6 +296,26 @@ static void cleanup_nss_db(void)
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
     }
+
+    ret = unlink(NSS_DB_PATH_ECC"/cert9.db");
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
+    }
+
+    ret = unlink(NSS_DB_PATH_ECC"/key4.db");
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
+    }
+
+    ret = unlink(NSS_DB_PATH_ECC"/pkcs11.txt");
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
+    }
+
+    ret = rmdir(NSS_DB_PATH_ECC);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
+    }
 }
 
 struct pam_ctx *mock_pctx(TALLOC_CTX *mem_ctx)
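Review bot: The failure message after `rmdir(NSS_DB_PATH_ECC)` names NSS_DB_PATH, the RSA directory, and the message after unlinking pkcs11.txt says "pkcs11.db", so a cleanup failure in the new ECC block is logged against the wrong files. Change them to `DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH_ECC "\n");` and `DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.txt.\n");`. The unlink()/rmdir() results are -1 on failure rather than an errno, so the `!= EOK` comparisons work but read as if an errno_t were being checked; `!= 0` would say what is meant. cleanup_nss_db starts outside this hunk.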
@@ -2347,6 +2421,44 @@ void test_pam_cert_auth(void **state)
     assert_int_equal(ret, EOK);
 }
 
+void test_pam_ecc_cert_auth(void **state)
+{
+    int ret;
+
+#ifndef HAVE_NSS
+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_ECC_CA/softhsm2_ecc_one.conf"));
+#endif
+    set_cert_auth_param(pam_test_ctx->pctx, ECC_CA_DB);
+
+    /* Here the last option must be set to true because the backend is only
+     * connected once. During authentication the backend is connected first to
+     * see if it can handle Smartcard authentication, but before that the user
+     * is looked up. Since the first mocked reply already adds the certificate
+     * to the user entry the lookup by certificate will already find the user
+     * in the cache and no second request to the backend is needed. */
+    mock_input_pam_cert(pam_test_ctx, "pamuser", "123456",
+                        "SSSD Test ECC Token",
+                        TEST_MODULE_NAME,
+                        "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB", NULL,
+                        test_lookup_by_cert_cb, SSSD_TEST_ECC_CERT_0001, true);
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    /* Assume backend cannot handle Smartcard credentials */
+    pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+
+    set_cmd_cb(test_pam_simple_check_success);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
 void test_pam_cert_auth_no_logon_name(void **state)
 {
     int ret;
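Review bot: test_pam_ecc_cert_auth changes SOFTHSM2_CONF with putenv() and never restores it, so any later test in the same process that depends on SOFTHSM2_CONF without setting its own value silently runs against the ECC softhsm configuration; whether every sibling test sets it cannot be seen here, so a restore at the end of the test (or in pam_test_teardown) would make the tests order-independent. The literal "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB" handed to mock_input_pam_cert is unexplained; presumably it is the key id of SSSD_TEST_ECC_CERT_0001, and a `#define SSSD_TEST_ECC_CERT_0001_KEY_ID` next to the fixture include, or at least a `/* key id of SSSD_TEST_ECC_CERT_0001 */` comment, would tie it to the fixture. The double blank line before `set_cmd_cb(...)` is a leftover.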
@@ -3022,6 +3134,8 @@ int main(int argc, const char *argv[])
         cmocka_unit_test_setup_teardown(test_pam_cert_auth,
                                         pam_test_setup_no_verification,
                                         pam_test_teardown),
+        cmocka_unit_test_setup_teardown(test_pam_ecc_cert_auth,
+                                        pam_test_setup, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_cert_auth_double_cert,
                                         pam_test_setup, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_one_mapping,
-- 
2.19.1