RRA_LD_VERSION_SCRIPT
dnl Only used for the test suite.
+AC_ARG_VAR([PATH_OPENSSL], [Path to openssl for the test suite])
+AC_PATH_PROG([PATH_OPENSSL], [openssl])
+AS_IF([test x"$PATH_OPENSSL" != x],
+ [AC_DEFINE_UNQUOTED([PATH_OPENSSL], ["$PATH_OPENSSL"],
+ [Define to the full path to openssl for some tests.])])
AC_ARG_VAR([PATH_VALGRIND], [Path to valgrind for the test suite])
AC_PATH_PROG([PATH_VALGRIND], [valgrind])
+++ /dev/null
-# Test PKINIT auth without saving a ticket cache w/debug. -*- conf -*-
-#
-# Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
-# Copyright 2010-2011
-# The Board of Trustees of the Leland Stanford Junior University
-#
-# SPDX-License-Identifier: BSD-3-clause or GPL-1+
-
-[options]
- auth = debug no_ccache use_pkinit pkinit_user=FILE:%0
- account = debug no_ccache
- session = debug no_ccache
-
-[run]
- authenticate = PAM_SUCCESS
- acct_mgmt = PAM_SUCCESS
- open_session = PAM_SUCCESS
- close_session = PAM_SUCCESS
-
-[output]
- DEBUG pam_sm_authenticate: entry
- INFO user %u authenticated as %u
- DEBUG pam_sm_authenticate: exit (success)
- DEBUG pam_sm_acct_mgmt: entry
- DEBUG pam_sm_acct_mgmt: exit (success)
- DEBUG pam_sm_open_session: entry
- DEBUG pam_sm_open_session: exit (success)
- DEBUG pam_sm_close_session: entry
- DEBUG pam_sm_close_session: exit (success)
--- /dev/null
+# Test PKINIT auth with a PIN prompt. -*- conf -*-
+#
+# Disble freshness tokens since they otherwise require a second prompt because
+# the PKCS12 password apparently isn't retained.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache use_pkinit pkinit_user=PKCS12:%0 preauth_opt=disable_freshness
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = PKCS12:%0 PIN: |%1
+
+[output]
+ INFO user %u authenticated as %u
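Review bot: The header comment of the new script has a typo on its second line, "Disble freshness tokens"; the intended line is `# Disable freshness tokens since they otherwise require a second prompt because`. The rest of that sentence hedges with "apparently isn't retained", which is fine for a comment, but it would help the next maintainer to say which implementation this was observed with (the script is only run under MIT Kerberos per the C driver), e.g. append `(observed with MIT Kerberos)` to that sentence.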
#include <tests/fakepam/script.h>
#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
int
{
struct script_config config;
struct kerberos_config *krbconf;
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+ const char **generate_pkcs12;
+ char *tmpdir, *pkcs12_path;
+#endif
/* Load the Kerberos principal and certificate path. */
krbconf = kerberos_setup(TAP_KRB_NEEDS_PKINIT);
*/
kerberos_generate_conf("bogus.example.com");
- /*
- * Currently, what we can test and how to test varies a lot by Kerberos
- * implementation. This will improve later.
- */
+ /* Check things that are the same with both Kerberos implementations. */
plan_lazy();
run_script("data/scripts/pkinit/basic", &config);
-#ifdef HAVE_KRB5_HEIMDAL
run_script("data/scripts/pkinit/basic-debug", &config);
-#else
- run_script("data/scripts/pkinit/basic-debug-mit", &config);
-#endif
run_script("data/scripts/pkinit/prompt-use", &config);
- run_script("data/scripts/pkinit/try-pkinit", &config);
run_script("data/scripts/pkinit/prompt-try", &config);
+ run_script("data/scripts/pkinit/try-pkinit", &config);
+
+ /* Debugging output is a little different between the implementations. */
#ifdef HAVE_KRB5_HEIMDAL
run_script("data/scripts/pkinit/try-pkinit-debug", &config);
#else
run_script("data/scripts/pkinit/try-pkinit-debug-mit", &config);
+#endif
+
+ /* Only MIT Kerberos supports setting preauth options. */
+#ifdef HAVE_KRB5_MIT
run_script("data/scripts/pkinit/preauth-opt-mit", &config);
#endif
+ /*
+ * If OpenSSL is available, test prompting with MIT Kerberos since we have
+ * to implement the prompting for the use_pkinit case ourselves. To do
+ * this, convert the input PKINIT certificate to a PKCS12 file with a
+ * password.
+ */
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+ tmpdir = test_tmpdir();
+ basprintf(&pkcs12_path, "%s/%s", tmpdir, "pkinit-pkcs12");
+ generate_pkcs12 = bcalloc_type(10, const char *);
+ generate_pkcs12[0] = PATH_OPENSSL;
+ generate_pkcs12[1] = "pkcs12";
+ generate_pkcs12[2] = "-export";
+ generate_pkcs12[3] = "-in";
+ generate_pkcs12[4] = krbconf->pkinit_cert;
+ generate_pkcs12[5] = "-password";
+ generate_pkcs12[6] = "pass:some-password";
+ generate_pkcs12[7] = "-out";
+ generate_pkcs12[8] = pkcs12_path;
+ generate_pkcs12[9] = NULL;
+ run_setup(generate_pkcs12);
+ free(generate_pkcs12);
+ config.extra[0] = pkcs12_path;
+ config.extra[1] = "some-password";
+ run_script("data/scripts/pkinit/pin-mit", &config);
+ unlink(pkcs12_path);
+ free(pkcs12_path);
+ test_tmpdir_free(tmpdir);
+#endif /* HAVE_KRB5_MIT && PATH_OPENSSL */
+
return 0;
}
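Review bot: The PKCS12 password literal is duplicated between `generate_pkcs12[6] = "pass:some-password";` and `config.extra[1] = "some-password";`, so a future change to one silently breaks the prompt test; define it once, e.g. `#define PKCS12_PASSWORD "some-password"` near the top of the file, then `generate_pkcs12[6] = "pass:" PKCS12_PASSWORD;` and `config.extra[1] = PKCS12_PASSWORD;`. The generated PKCS12 file carries the private key from `krbconf->pkinit_cert` into the temp directory and is only removed by the `unlink(pkcs12_path)` on the success path; if `run_setup` or `run_script` can bail out early (I cannot see their definitions here), the key material is left behind, so a comment noting that assumption, or a cleanup hook, would be worth adding. Passing `-in` with only the certificate path also assumes that PEM file contains the private key as well as the certificate (no `-inkey` is given); a one-line comment stating that requirement on the `generate_pkcs12[4]` line would save the next reader a trip to the test fixtures. Finally, `-password pass:...` puts the password in the process argument list, which is acceptable for a throwaway test secret but should be called out as deliberate in the comment block above the `#if`.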