diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-01-08 16:26:21 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-01-12 09:56:56 +0100 |
commit | c39d83ad2c8f5bfcc4445bfd5ade187e15e5aa45 (patch) | |
tree | aea0b292652eb83e45faa35f08e7af3e61cfa4c9 | |
parent | 33dffd30571d76fa0686fa5939507817cd5d7731 (diff) | |
download | gnutls-krb5.tar.gz |
tests: added check for the krb5_principal template optionkrb5
-rw-r--r-- | tests/cert-tests/Makefile.am | 5 | ||||
-rwxr-xr-x | tests/cert-tests/krb5-test | 107 | ||||
-rw-r--r-- | tests/cert-tests/template-krb5name.pem | 23 | ||||
-rw-r--r-- | tests/cert-tests/template-krb5name.tmpl | 68 |
4 files changed, 201 insertions, 2 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index a6d1ac844a..497138e6f1 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -36,7 +36,8 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \ name-constraints-ip.pem cert-invalid-utf8.der very-long-dn.pem \ provable3072.pem provable2048.pem provable-dsa2048.pem provable-dsa2048-fips.pem \ template-unique.tmpl template-unique.pem template-othername.tmpl template-othername.pem \ - template-othername-xmpp.tmpl template-othername-xmpp.pem + template-othername-xmpp.tmpl template-othername-xmpp.pem template-krb5name.tmpl \ + template-krb5name.pem dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ pkcs7 privkey-import name-constraints certtool-long-cn crl provable-privkey @@ -50,7 +51,7 @@ dist_check_SCRIPTS += crq endif if !WINDOWS -dist_check_SCRIPTS += template-test pem-decoding othername-test +dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test endif if ENABLE_DANE diff --git a/tests/cert-tests/krb5-test b/tests/cert-tests/krb5-test new file mode 100755 index 0000000000..4df9a4a01d --- /dev/null +++ b/tests/cert-tests/krb5-test @@ -0,0 +1,107 @@ +#!/bin/sh + +# Copyright (C) 2015 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff}" +OUTFILE=tmp-krb5name.pem +TMPLFILE=tmp-krb5name.tmpl + +export TZ="UTC" + +# Check for datefudge +TSTAMP=`datefudge "2006-09-23" date -u +%s || true` +if test "$TSTAMP" != "1158969600"; then + echo $TSTAMP + echo "You need datefudge to run this test" + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=3" +fi + +# Note that in rare cases this test may fail because the +# time set using datefudge could have changed since the generation +# (if example the system was busy) + +rc=1 +counter=1 + +while [ "${rc}" != "0" -a $counter -le 3 ]; do + datefudge "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template "${srcdir}/template-krb5name.tmpl" \ + --outfile ${OUTFILE} 2>/dev/null + + ${DIFF} "${srcdir}/template-krb5name.pem" ${OUTFILE} >/dev/null 2>&1 + rc=$? + test ${rc} != 0 && sleep 3 + counter=`expr $counter + 1` +done + +# We're done. +if test "${rc}" != "0"; then + echo "Test 1 failed" + exit ${rc} +fi + +# Negative tests. Check against values which may cause problems +cp template-krb5name.tmpl ${TMPLFILE} +echo "krb5_principal = 'xxxxxxxxxxxxxx'" >>${TMPLFILE} + +datefudge "2007-04-22" \ +${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template ${TMPLFILE} \ + --outfile ${OUTFILE} 2>/dev/null + +rc=$? + +# We're done. +if test "${rc}" != "1"; then + echo "Negative Test 1 failed" + exit ${rc} +fi + +cp template-krb5name.tmpl ${TMPLFILE} +echo "krb5_principal = 'comp1/comp2/comp3/comp4/comp5/comp6/comp7/comp8/comp9/comp10@REALM.COM'" >>${TMPLFILE} + +datefudge "2007-04-22" \ +${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/template-test.key" \ + --template ${TMPLFILE} \ + --outfile ${OUTFILE} 2>/dev/null + +rc=$? + +# We're done. +if test "${rc}" != "1"; then + echo "Negative Test 2 failed" + exit ${rc} +fi + +rm -f ${OUTFILE} +rm -f ${TMPLFILE} + +exit 0 diff --git a/tests/cert-tests/template-krb5name.pem b/tests/cert-tests/template-krb5name.pem new file mode 100644 index 0000000000..3ee569dd43 --- /dev/null +++ b/tests/cert-tests/template-krb5name.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5DCCA02gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx +DzANBgNVBAgTBkF0dGlraTELMAkGA1UEBhMCR1IxGjAYBgNVBAQTEU1hdnJvZ2lh +bm5vcG91bG9zMREwDwYDVQQJEwhBcmthZGlhczAeFw0wNzA0MjIwMDAwMDBaFw0x +NDA1MjUwMDAwMDBaMFsxDDAKBgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQsw +CQYDVQQGEwJHUjEaMBgGA1UEBBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkT +CEFya2FkaWFzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4C +JxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAx +N3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vI +NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBtjCCAbIwDwYDVR0TAQH/BAUw +AwEB/zCCASkGA1UdEQSCASAwggEcghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cE +wKgBAaA+BgYrBgEFAgKgNDAyoBAbDktFUkJFUk9TLlJFQUxNoR4wHKADAgEKoRUw +ExsRdXNlckBlbWFpbC5kb21haW6gLAYGKwYBBQICoCIwIKALGwlSRUFMTS5DT02h +ETAPoAMCAQGhCDAGGwR1c2VyoDIGBisGAQUCAqAoMCagCxsJUkVBTE0uQ09NoRcw +FaADAgEBoQ4wDBsESFRUUBsEdXNlcqA6BgYrBgEFAgKgMDAuoAsbCVJFQUxNLkNP +TaEfMB2gAwIBAaEWMBQbBWNvbXAxGwVjb21wMhsEdXNlcoENbm9uZUBub25lLm9y +Z4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDgYDVR0PAQH/ +BAQDAgYAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAl +MCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0B +AQsFAAOBgQBgS49vcMkfwOD3RKrIV65yf/tp8O9AYmZaC4iRrJsTIHcbQd3KDm72 +FptWb/dYVxBCBHKYeAPaSMMPm/6bPFScXPkfeDKQIwQP/aBNnv+ih1hcoNWAcOfW +ov8hAz53V2jqpiH3Z46a32MS8X54faxt61Ofzv4YYRiKK2U1KG/Vew== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/template-krb5name.tmpl b/tests/cert-tests/template-krb5name.tmpl new file mode 100644 index 0000000000..8fe1e14598 --- /dev/null +++ b/tests/cert-tests/template-krb5name.tmpl @@ -0,0 +1,68 @@ +# X.509 Certificate options +# +# DN options + +dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" + +# The serial number of the certificate +serial = 7 + +# In how many days, counting from today, this certificate will expire. +expiration_days = 2590 + +# X.509 v3 extensions + +krb5_principal = user@email.domain@KERBEROS.REALM +krb5_principal = user@REALM.COM +krb5_principal = HTTP/user@REALM.COM +krb5_principal = comp1/comp2/user@REALM.COM + +# An IP address in case of a server. +ip_address = "192.168.1.1" + +dns_name = "www.evenmorethanone.org" + +# An email in case of a person +email = "none@none.org" + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +crl_dist_points = "http://www.getcrl.crl/getcrl/" + +email = "where@none.org" + +# Whether this is a CA certificate or not +ca + +# Whether this certificate will be used for a TLS client +#tls_www_client + +# Whether this certificate will be used for a TLS server +#tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). Note that it is preferred to use different +# keys for encryption and signing. +#encryption_key + +# Whether this key will be used to sign other certificates. +cert_signing_key + +# Whether this key will be used to sign CRLs. +#crl_signing_key + +# Whether this key will be used to sign code. +#code_signing_key + +# Whether this key will be used to sign OCSP data. +ocsp_signing_key + +# Whether this key will be used for time stamping. +#time_stamping_key + +# Whether this key will be used for IPsec IKE operations. +#ipsec_ike_key |