552 lines
22 KiB
Diff
552 lines
22 KiB
Diff
|
From 0e53e397599da4b5d86121f6ee3de50c0389783e Mon Sep 17 00:00:00 2001
|
||
|
|
From: Sumit Bose <sbose@redhat.com>
|
||
|
|
Date: Thu, 14 Feb 2019 18:35:40 +0100
|
||
|
|
Subject: [PATCH] TESTS: simple CA to generate certificates for test
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
To avoid issue with certificate lifetimes a simple OpenSSL based CA is
|
||
|
|
used to generate certificates for tests.
|
||
|
|
|
||
|
|
To make management easy all related data is kept in
|
||
|
|
src/tests/test_CA. Since some header files will be generated the
|
||
|
|
generation of the needed files is added to BUILT_SOURCES as other
|
||
|
|
generated code.
|
||
|
|
|
||
|
|
Related to https://pagure.io/SSSD/sssd/issue/3436
|
||
|
|
|
||
|
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||
|
|
(cherry picked from commit 19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c)
|
||
|
|
---
|
||
|
|
Makefile.am | 15 ++-
|
||
|
|
configure.ac | 4 +-
|
||
|
|
contrib/sssd.spec.in | 8 ++
|
||
|
|
src/external/test_ca.m4 | 42 +++++++++
|
||
|
|
src/tests/test_CA/Makefile.am | 93 +++++++++++++++++++
|
||
|
|
src/tests/test_CA/README | 26 ++++++
|
||
|
|
src/tests/test_CA/SSSD_test_CA.config | 47 ++++++++++
|
||
|
|
src/tests/test_CA/SSSD_test_CA_key.pem | 52 +++++++++++
|
||
|
|
src/tests/test_CA/SSSD_test_cert_0001.config | 20 ++++
|
||
|
|
src/tests/test_CA/SSSD_test_cert_0002.config | 19 ++++
|
||
|
|
src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 ++++++
|
||
|
|
src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 ++++++
|
||
|
|
12 files changed, 380 insertions(+), 2 deletions(-)
|
||
|
|
create mode 100644 src/external/test_ca.m4
|
||
|
|
create mode 100644 src/tests/test_CA/Makefile.am
|
||
|
|
create mode 100644 src/tests/test_CA/README
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_CA.config
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem
|
||
|
|
create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem
|
||
|
|
|
||
|
|
diff --git a/Makefile.am b/Makefile.am
|
||
|
|
index d52fe0670..d9477cb64 100644
|
||
|
|
--- a/Makefile.am
|
||
|
|
+++ b/Makefile.am
|
||
|
|
@@ -21,7 +21,7 @@ if HAVE_MANPAGES
|
||
|
|
SUBDIRS += src/man
|
||
|
|
endif
|
||
|
|
|
||
|
|
-SUBDIRS += . src/tests/cwrap src/tests/intg
|
||
|
|
+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
|
||
|
|
|
||
|
|
# Some old versions of automake don't define builddir
|
||
|
|
builddir ?= .
|
||
|
|
@@ -2411,6 +2411,7 @@ pam_srv_tests_SOURCES = \
|
||
|
|
$(NULL)
|
||
|
|
pam_srv_tests_CFLAGS = \
|
||
|
|
-U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
|
||
|
|
+ -I$(abs_builddir)/src \
|
||
|
|
$(AM_CFLAGS) \
|
||
|
|
$(NULL)
|
||
|
|
pam_srv_tests_LDFLAGS = \
|
||
|
|
@@ -3286,6 +3287,7 @@ test_cert_utils_SOURCES = \
|
||
|
|
$(NULL)
|
||
|
|
test_cert_utils_CFLAGS = \
|
||
|
|
$(AM_CFLAGS) \
|
||
|
|
+ -I$(abs_builddir)/src \
|
||
|
|
$(CRYPTO_CFLAGS) \
|
||
|
|
$(NULL)
|
||
|
|
test_cert_utils_LDADD = \
|
||
|
|
@@ -4975,6 +4977,17 @@ endif
|
||
|
|
|
||
|
|
CLEANFILES += *.X */*.X */*/*.X
|
||
|
|
|
||
|
|
+test_CA: test_CA.stamp
|
||
|
|
+
|
||
|
|
+test_CA.stamp: $(srcdir)/src/tests/test_CA/*
|
||
|
|
+ $(MAKE) -C src/tests/test_CA ca_all
|
||
|
|
+ touch $@
|
||
|
|
+
|
||
|
|
+if BUILD_TEST_CA
|
||
|
|
+BUILT_SOURCES += test_CA
|
||
|
|
+endif
|
||
|
|
+CLEANFILES += test_CA.stamp
|
||
|
|
+
|
||
|
|
tests: all $(check_PROGRAMS)
|
||
|
|
(cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1;
|
||
|
|
|
||
|
|
diff --git a/configure.ac b/configure.ac
|
||
|
|
index 69deb811e..725c28f52 100644
|
||
|
|
--- a/configure.ac
|
||
|
|
+++ b/configure.ac
|
||
|
|
@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4])
|
||
|
|
m4_include([src/external/intgcheck.m4])
|
||
|
|
m4_include([src/external/systemtap.m4])
|
||
|
|
m4_include([src/external/service.m4])
|
||
|
|
+m4_include([src/external/test_ca.m4])
|
||
|
|
|
||
|
|
if test x$with_secrets = xyes; then
|
||
|
|
m4_include([src/external/libhttp_parser.m4])
|
||
|
|
@@ -483,6 +484,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
|
||
|
|
AM_CHECK_CMOCKA
|
||
|
|
AM_CHECK_UID_WRAPPER
|
||
|
|
AM_CHECK_NSS_WRAPPER
|
||
|
|
+AM_CHECK_TEST_CA
|
||
|
|
|
||
|
|
# Check if the user wants SSSD to be compiled with systemtap probes
|
||
|
|
AM_CHECK_SYSTEMTAP
|
||
|
|
@@ -506,7 +508,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
|
||
|
|
contrib/sssd-pcsc.rules
|
||
|
|
src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
|
||
|
|
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
|
||
|
|
- src/tests/intg/Makefile
|
||
|
|
+ src/tests/intg/Makefile src/tests/test_CA/Makefile
|
||
|
|
src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy
|
||
|
|
src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy
|
||
|
|
src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy
|
||
|
|
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||
|
|
index f69f192fe..25314596b 100644
|
||
|
|
--- a/contrib/sssd.spec.in
|
||
|
|
+++ b/contrib/sssd.spec.in
|
||
|
|
@@ -209,6 +209,14 @@ BuildRequires: selinux-policy-targeted
|
||
|
|
BuildRequires: libcmocka-devel >= 1.0.0
|
||
|
|
BuildRequires: uid_wrapper
|
||
|
|
BuildRequires: nss_wrapper
|
||
|
|
+
|
||
|
|
+# Test CA requires openssl independent if SSSD is build with NSS or openssl,
|
||
|
|
+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
|
||
|
|
+# Currently only cmocka based tests use the test CA. If it is used elsewhere
|
||
|
|
+# you might want to move the following requires out of the if-block.
|
||
|
|
+BuildRequires: openssl
|
||
|
|
+BuildRequires: openssh
|
||
|
|
+BuildRequires: nss-tools
|
||
|
|
%endif
|
||
|
|
BuildRequires: libnl3-devel
|
||
|
|
%if (0%{?use_systemd} == 1)
|
||
|
|
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..eb624acf3
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/external/test_ca.m4
|
||
|
|
@@ -0,0 +1,42 @@
|
||
|
|
+dnl Check for tools needed to run the test CA
|
||
|
|
+AC_DEFUN([AM_CHECK_TEST_CA],
|
||
|
|
+[
|
||
|
|
+ AC_PATH_PROG([OPENSSL], [openssl])
|
||
|
|
+ if test ! -x "$OPENSSL"; then
|
||
|
|
+ AC_MSG_NOTICE([Could not find openssl])
|
||
|
|
+ fi
|
||
|
|
+
|
||
|
|
+ AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen])
|
||
|
|
+ if test ! -x "$SSH_KEYGEN"; then
|
||
|
|
+ AC_MSG_NOTICE([Could not find ssh-keygen])
|
||
|
|
+ else
|
||
|
|
+ AC_MSG_CHECKING([for -m option of ssh-keygen])
|
||
|
|
+ if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then
|
||
|
|
+ AC_MSG_RESULT([yes])
|
||
|
|
+ else
|
||
|
|
+ SSH_KEYGEN=""
|
||
|
|
+ AC_MSG_RESULT([no])
|
||
|
|
+ fi
|
||
|
|
+ fi
|
||
|
|
+
|
||
|
|
+ if test x$cryptolib = xnss; then
|
||
|
|
+ AC_PATH_PROG([CERTUTIL], [certutil])
|
||
|
|
+ if test ! -x "$CERTUTIL"; then
|
||
|
|
+ AC_MSG_NOTICE([Could not find certutil])
|
||
|
|
+ fi
|
||
|
|
+
|
||
|
|
+ AC_PATH_PROG([PK12UTIL], [pk12util])
|
||
|
|
+ if test ! -x "$PK12UTIL"; then
|
||
|
|
+ AC_MSG_NOTICE([Could not find pk12util])
|
||
|
|
+ fi
|
||
|
|
+
|
||
|
|
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
|
||
|
|
+ else
|
||
|
|
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN"])
|
||
|
|
+ fi
|
||
|
|
+
|
||
|
|
+ AM_COND_IF([BUILD_TEST_CA],
|
||
|
|
+ [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1,
|
||
|
|
+ [Build with certificates from test CA])],
|
||
|
|
+ [AC_MSG_WARN([Test CA cannot be build, skiping some tests])])
|
||
|
|
+])
|
||
|
|
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..a23a3feef
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/Makefile.am
|
||
|
|
@@ -0,0 +1,93 @@
|
||
|
|
+dist_noinst_DATA = \
|
||
|
|
+ SSSD_test_CA.config \
|
||
|
|
+ SSSD_test_CA_key.pem \
|
||
|
|
+ SSSD_test_cert_0001.config \
|
||
|
|
+ SSSD_test_cert_0002.config \
|
||
|
|
+ SSSD_test_cert_key_0001.pem \
|
||
|
|
+ SSSD_test_cert_key_0002.pem \
|
||
|
|
+ $(NULL)
|
||
|
|
+
|
||
|
|
+openssl_ca_config = $(srcdir)/SSSD_test_CA.config
|
||
|
|
+openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem
|
||
|
|
+pwdfile = pwdfile
|
||
|
|
+
|
||
|
|
+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config))
|
||
|
|
+ids := $(subst SSSD_test_cert_,,$(basename $(configs)))
|
||
|
|
+certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids)))
|
||
|
|
+certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids)))
|
||
|
|
+pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
|
||
|
|
+pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
|
||
|
|
+pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
||
|
|
+
|
||
|
|
+if HAVE_NSS
|
||
|
|
+nssdb = p11_nssdb p11_nssdb_2certs
|
||
|
|
+endif
|
||
|
|
+
|
||
|
|
+# If openssl is run in parallel there might be conflicts with the serial
|
||
|
|
+.NOTPARALLEL:
|
||
|
|
+
|
||
|
|
+ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(nssdb)
|
||
|
|
+
|
||
|
|
+$(pwdfile):
|
||
|
|
+ @echo "12345678" > $@
|
||
|
|
+
|
||
|
|
+SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
|
||
|
|
+ $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
|
||
|
|
+
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
|
||
|
|
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
|
||
|
|
+ $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
|
||
|
|
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem
|
||
|
|
+ $(OPENSSL) x509 -in $< -pubkey -noout > $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem
|
||
|
|
+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem
|
||
|
|
+ @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@
|
||
|
|
+
|
||
|
|
+SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
|
||
|
|
+ @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@
|
||
|
|
+
|
||
|
|
+# This nss db is used in
|
||
|
|
+# - src/tests/cmocka/test_cert_utils.c (validation only)
|
||
|
|
+# - src/tests/cmocka/test_pam_srv.c
|
||
|
|
+p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
|
||
|
|
+ mkdir $@
|
||
|
|
+ $(CERTUTIL) -d sql:./$@ -N --empty-password
|
||
|
|
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
|
||
|
|
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
|
||
|
|
+
|
||
|
|
+# This nss db is used in
|
||
|
|
+# - src/tests/cmocka/test_pam_srv.c
|
||
|
|
+p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
|
||
|
|
+ mkdir $@
|
||
|
|
+ $(CERTUTIL) -d sql:./$@ -N --empty-password
|
||
|
|
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
|
||
|
|
+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
|
||
|
|
+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
|
||
|
|
+
|
||
|
|
+CLEANFILES = \
|
||
|
|
+ index.txt index.txt.attr \
|
||
|
|
+ index.txt.attr.old index.txt.old \
|
||
|
|
+ serial serial.old \
|
||
|
|
+ SSSD_test_CA.pem $(pwdfile) \
|
||
|
|
+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
|
||
|
|
+ $(NULL)
|
||
|
|
+
|
||
|
|
+clean-local:
|
||
|
|
+ rm -rf newcerts
|
||
|
|
+ rm -rf p11_nssdb
|
||
|
|
+ rm -rf p11_nssdb_2certs
|
||
|
|
+
|
||
|
|
+serial: clean
|
||
|
|
+ touch index.txt
|
||
|
|
+ mkdir newcerts
|
||
|
|
+ echo -n 01 > serial
|
||
|
|
diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..342fd5890
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/README
|
||
|
|
@@ -0,0 +1,26 @@
|
||
|
|
+Simple CA for SSSD tests
|
||
|
|
+
|
||
|
|
+To avoid issues with certificate lifetimes during tests certificates can be
|
||
|
|
+generated with a simple OpenSSL based CA.
|
||
|
|
+
|
||
|
|
+To create a new certificate add a suitable and valid OpenSSL config file with a
|
||
|
|
+[req] section for a certificate signing request (CSR) which must use the name
|
||
|
|
+pattern SSSD_test_cert_*.config. Additionally a matching key file
|
||
|
|
+SSSD_test_cert_key_%.pem should be added e.g. with
|
||
|
|
+
|
||
|
|
+ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048
|
||
|
|
+
|
||
|
|
+It would be possible to generate the keys automatically as well but
|
||
|
|
+pre-created keys will safe some resources on the hosts running the tests,
|
||
|
|
+allow more flexibility with algorithms and key lengths and make the tests
|
||
|
|
+more reproducible.
|
||
|
|
+
|
||
|
|
+The Makefile will pick up the config and the keys and generate a X.509
|
||
|
|
+certificate. For usage in C-code it will generate a header file
|
||
|
|
+SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made
|
||
|
|
+available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys
|
||
|
|
+the ssh key is available in SSSD_test_cert_pubsshkey_*.h as
|
||
|
|
+SSSD_TEST_CERT_SSH_KEY_*.
|
||
|
|
+
|
||
|
|
+Other targets for other types of tests can be added to the Makefile and should
|
||
|
|
+be documented here.
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..90ae2233c
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_CA.config
|
||
|
|
@@ -0,0 +1,47 @@
|
||
|
|
+[ ca ]
|
||
|
|
+default_ca = CA_default
|
||
|
|
+
|
||
|
|
+[ CA_default ]
|
||
|
|
+dir = .
|
||
|
|
+database = $dir/index.txt
|
||
|
|
+new_certs_dir = $dir/newcerts
|
||
|
|
+
|
||
|
|
+certificate = $dir/SSSD_test_CA.pem
|
||
|
|
+serial = $dir/serial
|
||
|
|
+private_key = $dir/SSSD_test_CA_key.pem
|
||
|
|
+RANDFILE = $dir/rand
|
||
|
|
+
|
||
|
|
+default_days = 365
|
||
|
|
+default_crl_days = 30
|
||
|
|
+default_md = sha256
|
||
|
|
+
|
||
|
|
+policy = policy_any
|
||
|
|
+email_in_dn = no
|
||
|
|
+
|
||
|
|
+name_opt = ca_default
|
||
|
|
+cert_opt = ca_default
|
||
|
|
+copy_extensions = copy
|
||
|
|
+
|
||
|
|
+[ usr_cert ]
|
||
|
|
+authorityKeyIdentifier = keyid, issuer
|
||
|
|
+
|
||
|
|
+[ v3_ca ]
|
||
|
|
+subjectKeyIdentifier = hash
|
||
|
|
+authorityKeyIdentifier = keyid:always,issuer:always
|
||
|
|
+basicConstraints = CA:true
|
||
|
|
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||
|
|
+
|
||
|
|
+[ policy_any ]
|
||
|
|
+organizationName = supplied
|
||
|
|
+organizationalUnitName = supplied
|
||
|
|
+commonName = supplied
|
||
|
|
+emailAddress = optional
|
||
|
|
+
|
||
|
|
+[ req ]
|
||
|
|
+distinguished_name = req_distinguished_name
|
||
|
|
+prompt = no
|
||
|
|
+
|
||
|
|
+[ req_distinguished_name ]
|
||
|
|
+O = SSSD
|
||
|
|
+OU = SSSD test
|
||
|
|
+CN = SSSD test CA
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..4838d0379
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_CA_key.pem
|
||
|
|
@@ -0,0 +1,52 @@
|
||
|
|
+-----BEGIN PRIVATE KEY-----
|
||
|
|
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq
|
||
|
|
+8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5
|
||
|
|
+pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx
|
||
|
|
+8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ
|
||
|
|
+xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn
|
||
|
|
+iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX
|
||
|
|
+KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm
|
||
|
|
+f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx
|
||
|
|
+WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH
|
||
|
|
+83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM
|
||
|
|
+XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+
|
||
|
|
+w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD
|
||
|
|
+VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/
|
||
|
|
+JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC
|
||
|
|
+CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg
|
||
|
|
+tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h
|
||
|
|
+WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF
|
||
|
|
+qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX
|
||
|
|
+4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW
|
||
|
|
+h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba
|
||
|
|
+enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC
|
||
|
|
+NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP
|
||
|
|
+INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv
|
||
|
|
+noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs
|
||
|
|
+zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8
|
||
|
|
+Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf
|
||
|
|
+PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3
|
||
|
|
+ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT
|
||
|
|
+ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD
|
||
|
|
+DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K
|
||
|
|
+IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj
|
||
|
|
+SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu
|
||
|
|
+vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM
|
||
|
|
+bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi
|
||
|
|
+w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r
|
||
|
|
+VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc
|
||
|
|
+ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07
|
||
|
|
+suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0
|
||
|
|
+5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF
|
||
|
|
+ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W
|
||
|
|
+kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl
|
||
|
|
+ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE
|
||
|
|
+HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu
|
||
|
|
+GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX
|
||
|
|
+RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t
|
||
|
|
+byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU
|
||
|
|
+q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN
|
||
|
|
+/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC
|
||
|
|
+y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH
|
||
|
|
+xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+
|
||
|
|
+-----END PRIVATE KEY-----
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..b6c52a148
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_cert_0001.config
|
||
|
|
@@ -0,0 +1,20 @@
|
||
|
|
+# This certificate is used in
|
||
|
|
+# - src/tests/cmocka/test_cert_utils.c
|
||
|
|
+# - src/tests/cmocka/test_pam_srv.c
|
||
|
|
+[ req ]
|
||
|
|
+distinguished_name = req_distinguished_name
|
||
|
|
+prompt = no
|
||
|
|
+
|
||
|
|
+[ req_distinguished_name ]
|
||
|
|
+O = SSSD
|
||
|
|
+OU = SSSD test
|
||
|
|
+CN = SSSD test cert 0001
|
||
|
|
+
|
||
|
|
+[ req_exts ]
|
||
|
|
+basicConstraints = CA:FALSE
|
||
|
|
+nsCertType = client, email
|
||
|
|
+nsComment = "SSSD test Certificate"
|
||
|
|
+subjectKeyIdentifier = hash
|
||
|
|
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||
|
|
+extendedKeyUsage = clientAuth, emailProtection
|
||
|
|
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..8722ffa7e
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_cert_0002.config
|
||
|
|
@@ -0,0 +1,19 @@
|
||
|
|
+# This certificate is used in
|
||
|
|
+# - src/tests/cmocka/test_pam_srv.c
|
||
|
|
+[ req ]
|
||
|
|
+distinguished_name = req_distinguished_name
|
||
|
|
+prompt = no
|
||
|
|
+
|
||
|
|
+[ req_distinguished_name ]
|
||
|
|
+O = SSSD
|
||
|
|
+OU = SSSD test
|
||
|
|
+CN = SSSD test cert 0002
|
||
|
|
+
|
||
|
|
+[ req_exts ]
|
||
|
|
+basicConstraints = CA:FALSE
|
||
|
|
+nsCertType = client
|
||
|
|
+nsComment = "SSSD test Certificate"
|
||
|
|
+subjectKeyIdentifier = hash
|
||
|
|
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||
|
|
+extendedKeyUsage = clientAuth
|
||
|
|
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..365c9897a
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
|
||
|
|
@@ -0,0 +1,28 @@
|
||
|
|
+-----BEGIN PRIVATE KEY-----
|
||
|
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG
|
||
|
|
+V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D
|
||
|
|
+ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v
|
||
|
|
+BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq
|
||
|
|
+ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k
|
||
|
|
+hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST
|
||
|
|
+a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7
|
||
|
|
+yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz
|
||
|
|
+yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8
|
||
|
|
+K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp
|
||
|
|
+8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K
|
||
|
|
+FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK
|
||
|
|
+0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K
|
||
|
|
+Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L
|
||
|
|
+ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH
|
||
|
|
+QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV
|
||
|
|
+6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy
|
||
|
|
+JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/
|
||
|
|
+Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq
|
||
|
|
+zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv
|
||
|
|
+NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum
|
||
|
|
+Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD
|
||
|
|
+8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR
|
||
|
|
+plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5
|
||
|
|
++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+
|
||
|
|
+O8zzsFaOeoxTVyVxjHmuhZ6U
|
||
|
|
+-----END PRIVATE KEY-----
|
||
|
|
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..d80349f50
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
|
||
|
|
@@ -0,0 +1,28 @@
|
||
|
|
+-----BEGIN PRIVATE KEY-----
|
||
|
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr
|
||
|
|
+b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR
|
||
|
|
+QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y
|
||
|
|
+DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf
|
||
|
|
+gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b
|
||
|
|
+1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ
|
||
|
|
+Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA
|
||
|
|
+sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16
|
||
|
|
+ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d
|
||
|
|
+FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8
|
||
|
|
+YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd
|
||
|
|
+lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK
|
||
|
|
+qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh
|
||
|
|
+DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH
|
||
|
|
+AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR
|
||
|
|
+/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V
|
||
|
|
+KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2
|
||
|
|
+/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM
|
||
|
|
+MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ
|
||
|
|
+6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG
|
||
|
|
+dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4
|
||
|
|
+Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y
|
||
|
|
+9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB
|
||
|
|
++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/
|
||
|
|
+OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq
|
||
|
|
+JxM2HRDRdC23CGRuGjv+hO4d
|
||
|
|
+-----END PRIVATE KEY-----
|
||
|
|
--
|
||
|
|
2.17.0
|
||
|
|
|