etc/services - sync with NetBSD-8
[minix.git] / crypto / external / bsd / heimdal / dist / tests / kdc / check-pkinit.in
blob723cc142b14813cde87563137fb633f55aa9c11f
1 #!/bin/sh
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
34 top_builddir="@top_builddir@"
35 env_setup="@env_setup@"
36 objdir="@objdir@"
38 testfailed="echo test failed; cat messages.log; exit 1"
40 . ${env_setup}
42 # If there is no useful db support compile in, disable test
43 ${have_db} || exit 77
45 R=TEST.H5L.SE
47 port=@port@
49 kadmin="${kadmin} -l -r $R"
50 kdc="${kdc} --addresses=localhost -P $port"
52 server=host/datan.test.h5l.se
53 cache="FILE:${objdir}/cache.krb5"
54 keyfile="${hx509_data}/key.der"
55 keyfile2="${hx509_data}/key2.der"
57 kinit="${kinit} -c $cache ${afs_no_afslog}"
58 kgetcred="${kgetcred} -c $cache"
59 kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
61 KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
62 export KRB5_CONFIG
64 rsa=yes
65 pkinit=no
66 if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
67 rsa=no
69 if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
70 rsa=no
73 if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
74 pkinit=yes
77 # If we doesn't support pkinit and have RSA, give up
78 if test "$pkinit" != yes -o "$rsa" != yes ; then
79 exit 77
83 rm -f current-db*
84 rm -f out-*
85 rm -f mkey.file*
87 > messages.log
89 echo Creating database
90 ${kadmin} \
91 init \
92 --realm-max-ticket-life=1day \
93 --realm-max-renewable-life=1month \
94 ${R} || exit 1
96 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
97 ${kadmin} add -p bar --use-defaults bar@${R} || exit 1
98 ${kadmin} add -p baz --use-defaults baz@${R} || exit 1
99 ${kadmin} modify --alias=baz2@test.h5l.se baz@${R} || exit 1
100 ${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
102 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
104 echo "Doing database check"
105 ${kadmin} check ${R} || exit 1
107 echo "Setting up certificates"
108 ${hxtool} request-create \
109 --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
110 --key=FILE:${keyfile2} \
111 req-kdc.der || exit 1
112 ${hxtool} request-create \
113 --subject="CN=bar,DC=test,DC=h5l,DC=se" \
114 --key=FILE:${keyfile2} \
115 req-pkinit.der || exit 1
116 ${hxtool} request-create \
117 --subject="CN=baz,DC=test,DC=h5l,DC=se" \
118 --key=FILE:${keyfile2} \
119 req-pkinit2.der || exit 1
121 echo "issue self-signed ca cert"
122 ${hxtool} issue-certificate \
123 --self-signed \
124 --issue-ca \
125 --ca-private-key=FILE:${keyfile} \
126 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
127 --certificate="FILE:ca.crt" || exit 1
129 echo "issue kdc certificate"
130 ${hxtool} issue-certificate \
131 --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
132 --type="pkinit-kdc" \
133 --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
134 --req="PKCS10:req-kdc.der" \
135 --certificate="FILE:kdc.crt" || exit 1
137 echo "issue user certificate (pkinit san)"
138 ${hxtool} issue-certificate \
139 --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
140 --type="pkinit-client" \
141 --pk-init-principal="bar@TEST.H5L.SE" \
142 --req="PKCS10:req-pkinit.der" \
143 --certificate="FILE:pkinit.crt" || exit 1
145 echo "issue user 2 certificate (no san)"
146 ${hxtool} issue-certificate \
147 --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
148 --type="pkinit-client" \
149 --req="PKCS10:req-pkinit2.der" \
150 --certificate="FILE:pkinit2.crt" || exit 1
152 echo "issue user 3 certificate (ms san)"
153 ${hxtool} issue-certificate \
154 --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
155 --type="pkinit-client" \
156 --ms-upn="bar@test.h5l.se" \
157 --req="PKCS10:req-pkinit2.der" \
158 --certificate="FILE:pkinit3.crt" || exit 1
160 echo "issue user 3 certificate (ms san, baz2)"
161 ${hxtool} issue-certificate \
162 --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
163 --type="pkinit-client" \
164 --ms-upn="baz2@test.h5l.se" \
165 --req="PKCS10:req-pkinit2.der" \
166 --certificate="FILE:pkinit4.crt" || exit 1
169 echo foo > ${objdir}/foopassword
171 echo Starting kdc
172 ${kdc} &
173 kdcpid=$!
175 sh ${wait_kdc}
176 if [ "$?" != 0 ] ; then
177 kill -9 ${kdcpid}
178 exit 1
181 trap "kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT
183 ec=0
185 echo "Trying pk-init (principal in cert)"; > messages.log
186 base="${objdir}"
187 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
188 { ec=1 ; eval "${testfailed}"; }
189 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
190 ${kdestroy}
192 echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
193 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
194 { ec=1 ; eval "${testfailed}"; }
195 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
196 ${kdestroy}
198 echo "Trying pk-init (principal subject in DB)"; > messages.log
199 ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
200 { ec=1 ; eval "${testfailed}"; }
201 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
202 ${kdestroy}
204 echo "Trying pk-init (ms upn)"; > messages.log
205 ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
206 { ec=1 ; eval "${testfailed}"; }
207 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
208 ${kdestroy}
210 echo "Trying pk-init (ms upn, enterprise)"; > messages.log
211 ${kinit} --canonicalize \
212 -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se@${R} || \
213 { ec=1 ; eval "${testfailed}"; }
214 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
215 ${kdestroy}
217 echo "Trying pk-init (ms upn, enterprise, pk-enterprise)"; > messages.log
218 ${kinit} --canonicalize \
219 --pk-enterprise \
220 -C FILE:${base}/pkinit4.crt,${keyfile2} ${R} || \
221 { ec=1 ; eval "${testfailed}"; }
222 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
223 ${kdestroy}
225 KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
226 export KRB5_CONFIG
228 echo "Duplicated tests, now in windows 2000 mode"
230 echo "Trying pk-init (principal in cert)"; > messages.log
231 base="${objdir}"
232 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
233 { ec=1 ; eval "${testfailed}"; }
234 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
235 ${kdestroy}
237 echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
238 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
239 { ec=1 ; eval "${testfailed}"; }
240 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
241 ${kdestroy}
243 echo "Trying pk-init (principal subject in DB)"; > messages.log
244 ${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
245 { ec=1 ; eval "${testfailed}"; }
246 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
247 ${kdestroy}
249 echo "Trying pk-init (ms upn)"; > messages.log
250 ${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
251 { ec=1 ; eval "${testfailed}"; }
252 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
253 ${kdestroy}
256 KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
257 export KRB5_CONFIG
259 echo "Trying PKCS11 support"
261 cat > test-rc-file.rc <<EOF
262 certificate cert User certificate FILE:${base}/pkinit.crt,${keyfile2}
263 app-fatal true
266 SOFTPKCS11RC="test-rc-file.rc"
267 export SOFTPKCS11RC
269 dir=${base}/../../lib/hx509
270 file=
272 for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
273 if [ -f $dir/$a ] ; then
274 file=$dir/$a
275 break
277 done
279 if [ X"$file" != X -a @DLOPEN@ ] ; then
281 echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
282 ${kinit} -C PKCS11:${file} foo@${R} || \
283 { ec=1 ; eval "${testfailed}"; }
284 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
285 ${kdestroy}
290 echo "killing kdc (${kdcpid})"
291 sh ${leaks_kill} kdc $kdcpid || exit 1
293 trap "" EXIT
295 exit $ec