Add a test for PIN prompting

If the openssl command-line utility is found during the build and
pam-krb5 is built with MIT Kerberos, prompting for a PKINIT PIN will
be tested by building a PKCS12 file from the provided PKINIT test
configuration.

diff --git a/configure.ac b/configure.ac
index fc94ff4c5d733683e76fd55896ccfef3c55698c2..77796f30f4848c1ffc8250fd517f5ac2bd117673 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -34,6 +34,11 @@ AC_CANONICAL_HOST
 RRA_LD_VERSION_SCRIPT
 
 dnl Only used for the test suite.
+AC_ARG_VAR([PATH_OPENSSL], [Path to openssl for the test suite])
+AC_PATH_PROG([PATH_OPENSSL], [openssl])
+AS_IF([test x"$PATH_OPENSSL" != x],
+    [AC_DEFINE_UNQUOTED([PATH_OPENSSL], ["$PATH_OPENSSL"],
+        [Define to the full path to openssl for some tests.])])
 AC_ARG_VAR([PATH_VALGRIND], [Path to valgrind for the test suite])
 AC_PATH_PROG([PATH_VALGRIND], [valgrind])
 

diff --git a/tests/data/scripts/pkinit/basic-debug-mit b/tests/data/scripts/pkinit/basic-debug-mit
deleted file mode 100644 (file)
index 92a3fcf..0000000
--- a/tests/data/scripts/pkinit/basic-debug-mit
+++ /dev/null
@@ -1,30 +0,0 @@
-# Test PKINIT auth without saving a ticket cache w/debug.  -*- conf -*-
-#
-# Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
-# Copyright 2010-2011
-#     The Board of Trustees of the Leland Stanford Junior University
-#
-# SPDX-License-Identifier: BSD-3-clause or GPL-1+
-
-[options]
-    auth    = debug no_ccache use_pkinit pkinit_user=FILE:%0
-    account = debug no_ccache
-    session = debug no_ccache
-
-[run]
-    authenticate  = PAM_SUCCESS
-    acct_mgmt     = PAM_SUCCESS
-    open_session  = PAM_SUCCESS
-    close_session = PAM_SUCCESS
-
-[output]
-    DEBUG pam_sm_authenticate: entry
-    INFO user %u authenticated as %u
-    DEBUG pam_sm_authenticate: exit (success)
-    DEBUG pam_sm_acct_mgmt: entry
-    DEBUG pam_sm_acct_mgmt: exit (success)
-    DEBUG pam_sm_open_session: entry
-    DEBUG pam_sm_open_session: exit (success)
-    DEBUG pam_sm_close_session: entry
-    DEBUG pam_sm_close_session: exit (success)

diff --git a/tests/data/scripts/pkinit/pin-mit b/tests/data/scripts/pkinit/pin-mit
new file mode 100644 (file)
index 0000000..01ceaeb
--- /dev/null
+++ b/tests/data/scripts/pkinit/pin-mit
@@ -0,0 +1,23 @@
+# Test PKINIT auth with a PIN prompt.  -*- conf -*-
+#
+# Disble freshness tokens since they otherwise require a second prompt because
+# the PKCS12 password apparently isn't retained.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache use_pkinit pkinit_user=PKCS12:%0 preauth_opt=disable_freshness
+
+[run]
+    authenticate  = PAM_SUCCESS
+
+[prompts]
+    echo_off = PKCS12:%0 PIN: |%1
+
+[output]
+    INFO user %u authenticated as %u

diff --git a/tests/module/pkinit-t.c b/tests/module/pkinit-t.c
index 1c3c1145b08a3707774f750b1c2bc0d02aa69aaf..6bbb6993b2af5337b87e933f1c98d7b838ae4f9b 100644 (file)
--- a/tests/module/pkinit-t.c
+++ b/tests/module/pkinit-t.c
@@ -17,6 +17,8 @@
 
 #include <tests/fakepam/script.h>
 #include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
 
 
 int
@@ -24,6 +26,10 @@ main(void)
 {
     struct script_config config;
     struct kerberos_config *krbconf;
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+    const char **generate_pkcs12;
+    char *tmpdir, *pkcs12_path;
+#endif
 
     /* Load the Kerberos principal and certificate path. */
     krbconf = kerberos_setup(TAP_KRB_NEEDS_PKINIT);
@@ -38,26 +44,55 @@ main(void)
      */
     kerberos_generate_conf("bogus.example.com");
 
-    /*
-     * Currently, what we can test and how to test varies a lot by Kerberos
-     * implementation.  This will improve later.
-     */
+    /* Check things that are the same with both Kerberos implementations. */
     plan_lazy();
     run_script("data/scripts/pkinit/basic", &config);
-#ifdef HAVE_KRB5_HEIMDAL
     run_script("data/scripts/pkinit/basic-debug", &config);
-#else
-    run_script("data/scripts/pkinit/basic-debug-mit", &config);
-#endif
     run_script("data/scripts/pkinit/prompt-use", &config);
-    run_script("data/scripts/pkinit/try-pkinit", &config);
     run_script("data/scripts/pkinit/prompt-try", &config);
+    run_script("data/scripts/pkinit/try-pkinit", &config);
+
+    /* Debugging output is a little different between the implementations. */
 #ifdef HAVE_KRB5_HEIMDAL
     run_script("data/scripts/pkinit/try-pkinit-debug", &config);
 #else
     run_script("data/scripts/pkinit/try-pkinit-debug-mit", &config);
+#endif
+
+    /* Only MIT Kerberos supports setting preauth options. */
+#ifdef HAVE_KRB5_MIT
     run_script("data/scripts/pkinit/preauth-opt-mit", &config);
 #endif
 
+    /*
+     * If OpenSSL is available, test prompting with MIT Kerberos since we have
+     * to implement the prompting for the use_pkinit case ourselves.  To do
+     * this, convert the input PKINIT certificate to a PKCS12 file with a
+     * password.
+     */
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+    tmpdir = test_tmpdir();
+    basprintf(&pkcs12_path, "%s/%s", tmpdir, "pkinit-pkcs12");
+    generate_pkcs12 = bcalloc_type(10, const char *);
+    generate_pkcs12[0] = PATH_OPENSSL;
+    generate_pkcs12[1] = "pkcs12";
+    generate_pkcs12[2] = "-export";
+    generate_pkcs12[3] = "-in";
+    generate_pkcs12[4] = krbconf->pkinit_cert;
+    generate_pkcs12[5] = "-password";
+    generate_pkcs12[6] = "pass:some-password";
+    generate_pkcs12[7] = "-out";
+    generate_pkcs12[8] = pkcs12_path;
+    generate_pkcs12[9] = NULL;
+    run_setup(generate_pkcs12);
+    free(generate_pkcs12);
+    config.extra[0] = pkcs12_path;
+    config.extra[1] = "some-password";
+    run_script("data/scripts/pkinit/pin-mit", &config);
+    unlink(pkcs12_path);
+    free(pkcs12_path);
+    test_tmpdir_free(tmpdir);
+#endif /* HAVE_KRB5_MIT && PATH_OPENSSL */
+
     return 0;
 }