From a0cdc3bdf0e7f8ef15997f269b6f1ca5cab85825 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Nov 2018 14:06:03 +0100 Subject: [PATCH 68/74] tests: add ECC CA To be able to test certificates with elliptic curve (EC) keys a new test CA with this kind of keys is added. Related to https://pagure.io/SSSD/sssd/issue/3887 Reviewed-by: Jakub Hrozek --- Makefile.am | 6 +- configure.ac | 1 + src/tests/test_ECC_CA/Makefile.am | 95 +++++++++++++++++++ src/tests/test_ECC_CA/SSSD_test_ECC_CA.config | 47 +++++++++ .../test_ECC_CA/SSSD_test_ECC_CA_key.pem | 9 ++ .../SSSD_test_ECC_cert_0001.config | 20 ++++ .../SSSD_test_ECC_cert_key_0001.pem | 9 ++ 7 files changed, 185 insertions(+), 2 deletions(-) create mode 100644 src/tests/test_ECC_CA/Makefile.am create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_CA.config create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config create mode 100644 src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem diff --git a/Makefile.am b/Makefile.am index 3667856c6..430506028 100644 --- a/Makefile.am +++ b/Makefile.am @@ -21,7 +21,8 @@ if HAVE_MANPAGES SUBDIRS += src/man endif -SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA +SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA \ + src/tests/test_ECC_CA # Some old versions of automake don't define builddir builddir ?= . @@ -5394,8 +5395,9 @@ CLEANFILES += *.X */*.X */*/*.X test_CA: test_CA.stamp -test_CA.stamp: $(srcdir)/src/tests/test_CA/* +test_CA.stamp: $(srcdir)/src/tests/test_CA/* $(srcdir)/src/tests/test_ECC_CA/* $(MAKE) -C src/tests/test_CA ca_all + $(MAKE) -C src/tests/test_ECC_CA ca_all touch $@ if BUILD_TEST_CA diff --git a/configure.ac b/configure.ac index 5816b04c6..fb01a7c3b 100644 --- a/configure.ac +++ b/configure.ac 
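Review bot: The second hunk makes one stamp, `test_CA.stamp`, cover both `src/tests/test_CA/*` and `src/tests/test_ECC_CA/*`, so touching any ECC fixture reruns `ca_all` in test_CA as well, and since `ca_all` in the new test_ECC_CA Makefile starts with `clean` (test_CA's presumably does the same) that rebuilds the RSA NSS database and SoftHSM token for an unrelated change. A separate `test_ECC_CA.stamp` with its own `$(srcdir)/src/tests/test_ECC_CA/*` prerequisite and `$(MAKE) -C src/tests/test_ECC_CA ca_all` recipe keeps the two fixture sets independent and halves the work on a partial failure. If the single stamp is deliberate, a comment such as `# one stamp for both test CAs: either set changing regenerates both` on the `test_CA.stamp:` line would make that clear.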
@@ -521,6 +521,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile src/tests/intg/Makefile src/tests/test_CA/Makefile + src/tests/test_ECC_CA/Makefile src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy diff --git a/src/tests/test_ECC_CA/Makefile.am b/src/tests/test_ECC_CA/Makefile.am new file mode 100644 index 000000000..47af991c3 --- /dev/null +++ b/src/tests/test_ECC_CA/Makefile.am 
@@ -0,0 +1,95 @@
+dist_noinst_DATA = \
+ SSSD_test_ECC_CA.config \
+ SSSD_test_ECC_CA_key.pem \
+ SSSD_test_ECC_cert_0001.config \
+ SSSD_test_ECC_cert_key_0001.pem
+
+openssl_ecc_ca_config = $(srcdir)/SSSD_test_ECC_CA.config
+openssl_ecc_ca_key = $(srcdir)/SSSD_test_ECC_CA_key.pem
+pwdfile = pwdfile
+
+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_ECC_cert_*.config))
+ids := $(subst SSSD_test_ECC_cert_,,$(basename $(configs)))
+certs = $(addprefix SSSD_test_ECC_cert_x509_,$(addsuffix .pem,$(ids)))
+certs_h = $(addprefix SSSD_test_ECC_cert_x509_,$(addsuffix .h,$(ids)))
+pubkeys = $(addprefix SSSD_test_ECC_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
+pubkeys_h = $(addprefix SSSD_test_ECC_cert_pubsshkey_,$(addsuffix .h,$(ids)))
+pkcs12 = $(addprefix SSSD_test_ECC_cert_pkcs12_,$(addsuffix .pem,$(ids)))
+
+if HAVE_NSS
+extra = p11_ecc_nssdb
+else
+extra = softhsm2_ecc_one p11_ecc_nssdb
+endif
+
+# If openssl is run in parallel there might be conflicts with the serial
+.NOTPARALLEL:
+
+ca_all: clean serial SSSD_test_ECC_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
+
+$(pwdfile):
+ @echo "123456" > $@
+
+SSSD_test_ECC_CA.pem: $(openssl_ecc_ca_key) $(openssl_ecc_ca_config) serial
+ $(OPENSSL) req -batch -config ${openssl_ecc_ca_config} -x509 -new -nodes -key $< -sha384 -days 1024 -set_serial 0 -extensions v3_ca -out $@
+
+
+SSSD_test_ECC_cert_req_%.pem: $(srcdir)/SSSD_test_ECC_cert_key_%.pem $(srcdir)/SSSD_test_ECC_cert_%.config
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_ECC_cert_$*.config -out $@
+
+SSSD_test_ECC_cert_x509_%.pem: SSSD_test_ECC_cert_req_%.pem $(openssl_ecc_ca_config) SSSD_test_ECC_CA.pem
+ $(OPENSSL) ca -config ${openssl_ecc_ca_config} -batch -notext -keyfile $(openssl_ecc_ca_key) -in $< -days 200 -extensions usr_cert -out $@
+
+SSSD_test_ECC_cert_pkcs12_%.pem: SSSD_test_ECC_cert_x509_%.pem $(srcdir)/SSSD_test_ECC_cert_key_%.pem $(pwdfile)
+ $(OPENSSL) pkcs12 -export -in 
SSSD_test_ECC_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_ECC_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
+
+SSSD_test_ECC_cert_pubkey_%.pem: SSSD_test_ECC_cert_x509_%.pem
+ $(OPENSSL) x509 -in $< -pubkey -noout > $@
+
+SSSD_test_ECC_cert_pubsshkey_%.pub: SSSD_test_ECC_cert_pubkey_%.pem
+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@
+
+SSSD_test_ECC_cert_x509_%.h: SSSD_test_ECC_cert_x509_%.pem
+ @echo "#define SSSD_TEST_ECC_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@
+
+SSSD_test_ECC_cert_pubsshkey_%.h: SSSD_test_ECC_cert_pubsshkey_%.pub
+ @echo "#define SSSD_TEST_ECC_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@
+
+
+p11_ecc_nssdb: SSSD_test_ECC_cert_pkcs12_0001.pem SSSD_test_ECC_CA.pem $(pwdfile)
+ mkdir $@
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test ECC CA' -t CT,CT,CT -a -i SSSD_test_ECC_CA.pem -f $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_ECC_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
+
+
+softhsm2_ecc_one: softhsm2_ecc_one.conf
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test ECC Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_ECC_cert_x509_0001.pem --login --label 'SSSD test ECC cert 0001' --id '190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_ECC_cert_key_0001.pem --login --label 'SSSD test ECC cert 0001' --id '190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB'
+
+softhsm2_ecc_one.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_ECC_CA/softhsm2_ecc_one" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
+CLEANFILES = \
+ index.txt index.txt.attr \
+ index.txt.attr.old index.txt.old \
+ serial serial.old \
+ SSSD_test_ECC_CA.pem 
$(pwdfile) \
+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
+ softhsm2_*.conf \
+ $(NULL)
+
+clean-local:
+ rm -rf newcerts
+ rm -rf p11_ecc_nssdb
+ rm -rf softhsm*
+
+serial: clean
+ touch index.txt
+ touch index.txt.attr
+ mkdir newcerts
+ echo -n 01 > serial
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config b/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config
new file mode 100644
index 000000000..c1e4e22a6
--- /dev/null
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_CA.config
@@ -0,0 +1,47 @@
+[ ca ]
+default_ca = ECC_CA_default
+
+[ ECC_CA_default ]
+dir = .
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/SSSD_test_ECC_CA.pem
+serial = $dir/serial
+private_key = $dir/SSSD_test_ECC_CA_key.pem
+RANDFILE = $dir/rand
+
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+
+policy = policy_any
+email_in_dn = no
+
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = copy
+
+[ usr_cert ]
+authorityKeyIdentifier = keyid, issuer
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_any ]
+organizationName = supplied
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test ECC CA
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem b/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem
new file mode 100644
index 000000000..c5cb3ef42
--- /dev/null
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_CA_key.pem
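Review bot: The `SSSD_test_ECC_cert_x509_%.h` rule runs a bare `openssl` inside `$(shell cat $< |openssl x509 -outform der | base64 -w 0)`, while every other recipe in this file goes through the configure-detected `$(OPENSSL)`, so whichever `openssl` is first on PATH produces the DER that gets compiled into the test headers; suggest `@echo "#define SSSD_TEST_ECC_CERT_$* \""$(shell $(OPENSSL) x509 -in $< -outform der | base64 -w 0)"\"" > $@`. The root is also created with `-set_serial 0`; RFC 5280 §4.1.2.2 requires a positive serial from conforming CAs, and strict verifiers may warn on or reject a zero serial, so `-set_serial 1` is the safer fixture unless a test depends on the zero (the RSA test_CA is not in this patch, so I cannot tell). The `.NOTPARALLEL:` comment explains the serial-file race, but the hard-coded `--id '190E513C…10CB'` on the two `$(P11TOOL)` lines has no explanation; a comment such as `# CKA_ID shared by cert and key so PKCS#11 consumers pair them` (if that is indeed its purpose) would help the next person who regenerates the key.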
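Review bot: `copy_extensions = copy` in `[ ECC_CA_default ]` copies every extension from the CSR into the issued certificate, and `[ usr_cert ]` adds only `authorityKeyIdentifier`, so a request carrying `basicConstraints = CA:TRUE` or `keyCertSign` would be signed unchanged; since `openssl ca` lets extensions from the config section override copied ones, adding `basicConstraints = CA:FALSE` under `[ usr_cert ]` keeps issuing policy with the CA rather than the requester, even though today's CSRs come from in-tree configs. `default_md = sha256` is used for leaf signing while the Makefile makes the self-signed root with `-sha384`; the key file in this patch encodes OID 1.3.132.0.34 (secp384r1), so `default_md = sha384` would match the curve's strength and keep the chain consistent. A header comment such as `# TEST CA ONLY: the private key is committed to git, never trust this CA outside the test suite` would document the fixture's nature, since a PEM file cannot carry that note.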
@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBKk+ue3IyidXo3+befiqrcKrpVpy/pWz9CMTIALHMBc/a83Q3h9yEB
+CNpdsF8B2zegBwYFK4EEACKhZANiAAR/mCPIYxyT4tbjgpJT+oKCGfGjfs3FVnRr
+GLnNnT/L2b9PACMjjugM/1RNOuLdzRFBVWlQ80ISH5w17R2uhbiDJ/Q254Ele4Ak
+5e2nR/9x0ZIAqc05tkBDhsXfJ3id3/0=
+-----END EC PRIVATE KEY-----
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config
new file mode 100644
index 000000000..17c9192d4
--- /dev/null
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_0001.config
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_cert_utils.c
+# - src/tests/cmocka/test_pam_srv.c
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test ECC
+CN = SSSD test ECC cert 0001
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
diff --git a/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem
new file mode 100644
index 000000000..8c9321048
--- /dev/null
+++ b/src/tests/test_ECC_CA/SSSD_test_ECC_cert_key_0001.pem
@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDVZu1S6+U+1Fs1eAn/6O1iX7LH2w4AaToxqutXtkrdEpuTX7SZskTQ
+UCL0Lf5oQjigBwYFK4EEACKhZANiAAQheZFBntzcARA52Gba7c01BElFRds1F439
+KotFOoDx4fJf67hmD69bKuTbWLvc7l3Lf2TKdI5GCp/u9SPhGtve0CaYm9Hcoxwp
+2yYnhq3stoW+far//4h3mQxU/hG9pj0=
+-----END EC PRIVATE KEY-----
-- 2.19.1
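Review bot: `keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment` in `[ req_exts ]` asserts `keyEncipherment` on an EC key (the key file encodes secp384r1), which RFC 5480 §3 says SHOULD NOT be set for id-ecPublicKey because EC keys do key agreement, not key transport; with `copy_extensions = copy` in the CA config this bit is copied into the issued certificate, marked critical, and a strict validator may treat it as inconsistent with the key type. For an ECDSA client/email certificate `keyUsage = critical, nonRepudiation, digitalSignature` is the accurate set, with `keyAgreement` added only if an ECDH path is exercised. `nsCertType` and `nsComment` are legacy Netscape extensions that nothing in the listed consumers is likely to need, and the `subjectAltName` URI ending in `sssd//` reads like a copy from the RSA fixture; if the double slash is intentional for a parsing test, a comment saying so would save the next reader from "fixing" it.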