The branch, master has been updated
       via  81058c60136 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)
       via  90b240be086 tests/krb5: Add a test for PK-INIT with a revoked certificate
       via  2ab15cf1172 tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
       via  b73a01eefd2 tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
       via  01196cc741d tests/krb5: Factor out a method to fetch the CA certificate and private key
       via  ce9786748b7 tests/krb5: Factor out a method to create a certificate
       via  db64b2762c4 s4:kdc: Add auth_data_reqd flag to SDBFlags
       via  7340351097a third_party/heimdal_build: Make Heimdal version strings const
       via  a25f549e9a0 third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
       via  5bfccbb7643 tests/krb5: Test Windows 2000 variant of PK-INIT
       via  af97579f161 tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
       via  ecc62bc1207 tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
       via  f7393da2c07 tests/krb5: Remove unused methods
       via  97ead77767c tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
       via  3ea1c559213 tests/krb5: Add PK-INIT testing framework
       via  699d211084f tests/krb5: Allow KerberosCredentials to have associated RSA private key
       via  7584e7a3a13 tests/krb5: Add helper methods for PK-INIT testing
       via  7f9547fda79 tests/krb5: Refactor encryption type selection
       via  ef9ffbacb9c tests/krb5: Add PK-INIT ASN1 definitions and include licence
       via  477fbd7bb4c tests/krb5: Add PKINIT pre-authentication types
       via  8a0bde46a25 tests/krb5: Add PKINIT typed data errors
       via  d818ed644a5 tests/krb5: Add PKINIT error codes
       via  7d2c267ae1a s4:kdc: Fix wrong debug message
       via  97cde6f97b4 tests/krb5: Remove unused variables
      from  7d2c68f2e25 s3:nmbd: Fix code spelling
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 81058c60136fba9af2dd7de8f15baef5e7e97bde
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jul 5 16:21:07 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224

commit 90b240be08629ab6cad7651c59df1d9f533797c0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:31:03 2023 +1200

    tests/krb5: Add a test for PK-INIT with a revoked certificate

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2ab15cf11721eaec95950b634b4782d7cae0d311
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jul 5 16:12:42 2023 +1200

    tests/krb5: Allow passing a pre-created certificate into _pkinit_req()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b73a01eefd2a526936f11e08a5a32dd2f1106359
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jul 5 12:55:41 2023 +1200

    tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key

    These are useful to keep around for other purposes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 01196cc741ddf611794ba6eb1b5f3a0bcff2f0da
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jul 5 12:53:45 2023 +1200

    tests/krb5: Factor out a method to fetch the CA certificate and private key

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ce9786748b7b594ca0864158ba49ca4def1b593c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jul 5 12:43:52 2023 +1200

    tests/krb5: Factor out a method to create a certificate

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit db64b2762c49ce4f155e6a98b2ea868578503d58
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 26 13:07:44 2023 +1200

    s4:kdc: Add auth_data_reqd flag to SDBFlags

    This is to adapt to Heimdal:

    commit 3c4548025c0a239ff580e7974939185eadf1856b
    Author: Nicolas Williams <n...@twosigma.com>
    Date:   Sun Jun 4 22:54:03 2023 -0500

        hdb: Add auth-data-reqd flag

    NOTE: This commit finally works again!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7340351097a95f8e52d48365d4619c32080ebd30
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 22 16:46:09 2023 +1200

    third_party/heimdal_build: Make Heimdal version strings const

    This is to adapt to Heimdal:

    commit 997916e3f67d70bb52674829615c50455918fbb3
    Author: Taylor R Campbell <campbell+heim...@mumble.net>
    Date:   Sun May 28 20:34:34 2023 +0000

        krb5: Make heimdal_version and heimdal_long_version const.

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a25f549e9a03010996300b04271a7909b6fbf756
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jul 4 15:16:27 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5bfccbb76433f4fa035040f5305f0258f6fbcb51
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jul 4 15:28:04 2023 +1200

    tests/krb5: Test Windows 2000 variant of PK-INIT

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit af97579f161bf814e91f19cd495019524cc6a329
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jul 4 15:40:31 2023 +1200

    tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ecc62bc120792ef8157b6f700b42dabdbb9518e5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 16:34:11 2023 +1200

    tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f7393da2c0724839ec8a0510daa114eb8d75a707
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 16:43:37 2023 +1200

    tests/krb5: Remove unused methods

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97ead77767c7a30e61c9916d478203041cde89d7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:46:23 2023 +1200

    tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer

    When PK-INIT is performed, check that the buffer is as expected and
    contains the correct NT hash.

    The PK-INIT tests now pass against Windows Server 2019.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14985

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3ea1c559213d02cff7fae5cdf2694178cc88a817
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:43:10 2023 +1200

    tests/krb5: Add PK-INIT testing framework

    To run these tests standalone, you will need the certificate and
    private key of the Certificate Authority. These can be specified
    together in the same file with the environment variable CA_CERT, or
    the private key may be specified in its own file with CA_PRIVATE_KEY.
    If either of these files is encrypted, you can specify the password
    in the environment variable CA_PASS.

    These tests create a new certificate for the user account, signed
    with the private key of the Certificate Authority. We negotiate the
    reply key with either of the public-key and Diffie-Hellman PK-INIT
    variants, and use the reply key to decrypt the enc-part in the
    response. We also check that the KDC’s signatures are valid.

    Most of the failures with the Heimdal KDC are due to the wrong nonce
    being returned in the reply compared to Windows, which issue is
    simple enough to correct.

    An example command line for manual testing against Windows:

    SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py

    To set up Windows for this I first installed a Certificate Authority
    with an Enterprise CA.

    Then I exported the private key and certificate of the CA:

    1. go into the Certification Authority snap-in for the relevant computer,
    2. right-clicking the CA
    3. clicking ‘All Tasks’ → ‘Back up CA...’
    4. and exporting the private key and CA certificate.

    (I downloaded the resulting file via smbclient).

    After setting up an Enterprise CA, I also needed to edit the domain
    controller GPO to enable auto-enrollment, otherwise Windows would
    refuse to accept as legitimate any certificates provided by the
    client. That can be done by first enabling the policy: ‘Computer
    Configuration/Policies/Windows Settings/Security Settings/Public Key
    Policies/Certificate Services Client — Auto-Enrollment’, and then
    ticking both ‘Renew expired certificates…’ and ‘Update
    certificates…’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 699d211084fcbad61b3a53b42ccc721e1fbc9695
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:49:03 2023 +1200

    tests/krb5: Allow KerberosCredentials to have associated RSA private key

    This is needed for PK-INIT testing.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7584e7a3a131795b7bb57c59c53754e9b4ab1855
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:49:43 2023 +1200

    tests/krb5: Add helper methods for PK-INIT testing

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7f9547fda793af65346708bbe14f8a4995d50a5a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jul 3 14:41:55 2023 +1200

    tests/krb5: Refactor encryption type selection

    Add and use some methods to calculate the highest supported AES and
    RC4 encryption types, respectively.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ef9ffbacb9cdcbcb7da124f617c2f98257d59615
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 12:16:53 2023 +1200

    tests/krb5: Add PK-INIT ASN1 definitions and include licence

    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 477fbd7bb4c31f33b6624e6060920fda591f9a56
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 11:16:32 2023 +1200

    tests/krb5: Add PKINIT pre-authentication types

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8a0bde46a254add13b38f41ef056926d07aba5f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 11:13:46 2023 +1200

    tests/krb5: Add PKINIT typed data errors

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d818ed644a59635ce238cd617a16b929ad693753
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 11:11:12 2023 +1200

    tests/krb5: Add PKINIT error codes

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7d2c267ae1ade3600ea5f37a256c904f60e9e6ac
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 22 16:21:17 2023 +1200

    s4:kdc: Fix wrong debug message

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97cde6f97b4d39476c6ad83fff285e11c483681e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 16:42:29 2023 +1200

    tests/krb5: Remove unused variables
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/kdc_tgs_tests.py          |   13 -
 python/samba/tests/krb5/pkinit_tests.py           | 1233 +++++++++++++
 python/samba/tests/krb5/raw_testcase.py           | 1069 +++++++++++-
 python/samba/tests/krb5/rfc4120.asn1              | 1067 +++++++++++-
 python/samba/tests/krb5/rfc4120_constants.py      |   29 +
 python/samba/tests/krb5/rfc4120_pyasn1.py         | 1927 +++++++++++++++++++--
 selftest/knownfail_heimdal_kdc                    |   12 +
 selftest/knownfail_mit_kdc_1_20                   |   53 +
 selftest/target/Samba.pm                          |    3 +
 selftest/target/Samba4.pm                         |    1 +
 source4/kdc/pac-glue.c                            |    2 +-
 source4/kdc/sdb.h                                 |    2 +-
 source4/kdc/sdb_to_hdb.c                          |    2 +-
 source4/selftest/tests.py                         |   23 +
 third_party/heimdal/appl/gssmask/gssmask.c        |   12 +-
 third_party/heimdal/cf/make-proto.pl              |    4 +-
 third_party/heimdal/configure.ac                  |    9 +-
 third_party/heimdal/include/NTMakefile            |    4 +-
 third_party/heimdal/kadmin/check.c                |   19 +-
 third_party/heimdal/kadmin/kadmin.1               |   62 +-
 third_party/heimdal/kadmin/util.c                 |    1 +
 third_party/heimdal/kcm/config.c                  |   15 +-
 third_party/heimdal/kdc/config.c                  |   18 +-
 third_party/heimdal/kdc/default_config.c          |   17 +
 third_party/heimdal/kdc/httpkadmind.c             |    1 +
 third_party/heimdal/kdc/kdc_locl.h                |    2 +
 third_party/heimdal/kdc/kerberos5.c               |  197 ++-
 third_party/heimdal/kdc/misc.c                    |    4 +
 third_party/heimdal/kdc/pkinit.c                  |  180 ++
 third_party/heimdal/kuser/kinit.c                 |   80 +-
 third_party/heimdal/lib/asn1/Makefile.am          |    2 +-
 third_party/heimdal/lib/asn1/check-gen.c          |   18 +-
 third_party/heimdal/lib/asn1/krb5.asn1            |    1 +
 third_party/heimdal/lib/asn1/pkinit.asn1          |    1 +
 third_party/heimdal/lib/base/common_plugin.h      |    1 +
 third_party/heimdal/lib/base/dict.c               |    4 +-
 third_party/heimdal/lib/base/heimbase.c           |   16 +-
 third_party/heimdal/lib/base/heimbase.h           |    2 +-
 third_party/heimdal/lib/base/heimbasepriv.h       |    5 +-
 third_party/heimdal/lib/base/plugin.c             |   16 +-
 third_party/heimdal/lib/com_err/Makefile.am       |    4 +-
 third_party/heimdal/lib/com_err/com_err.c         |    2 +-
 third_party/heimdal/lib/com_err/com_err.h         |    2 +-
 third_party/heimdal/lib/com_err/com_right.h       |    2 +-
 third_party/heimdal/lib/com_err/compile_et.c      |    2 +-
 third_party/heimdal/lib/com_err/error.c           |    2 +-
 third_party/heimdal/lib/hdb/hdb-mitdb.c           |    4 +-
 third_party/heimdal/lib/hdb/hdb.asn1              |    1 +
 third_party/heimdal/lib/hx509/Makefile.am         |    2 +-
 third_party/heimdal/lib/hx509/hxtool.c            |    7 +-
 third_party/heimdal/lib/ipc/client.c              |    4 +-
 third_party/heimdal/lib/kadm5/admin.h             |    1 +
 third_party/heimdal/lib/kadm5/ent_setup.c         |    4 +
 third_party/heimdal/lib/kadm5/get_s.c             |    1 +
 third_party/heimdal/lib/krb5/addr_families.c      |   34 +-
 third_party/heimdal/lib/krb5/aname_to_localname.c |    6 +-
 third_party/heimdal/lib/krb5/changepw.c           |   10 +-
 third_party/heimdal/lib/krb5/constants.c          |   18 +-
 third_party/heimdal/lib/krb5/context.c            |    2 +-
 third_party/heimdal/lib/krb5/crypto.c             |    4 +-
 third_party/heimdal/lib/krb5/db_plugin.c          |    4 +-
 third_party/heimdal/lib/krb5/get_host_realm.c     |    6 +-
 third_party/heimdal/lib/krb5/get_in_tkt.c         |    4 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c      |   14 +-
 third_party/heimdal/lib/krb5/krb5.conf.5          |   15 +-
 third_party/heimdal/lib/krb5/krb5.h               |   22 +-
 third_party/heimdal/lib/krb5/krb5_err.et          |    3 +
 third_party/heimdal/lib/krb5/krbhst.c             |    4 +-
 third_party/heimdal/lib/krb5/kuserok.c            |   20 +-
 third_party/heimdal/lib/krb5/mk_error.c           |    4 +-
 third_party/heimdal/lib/krb5/pac.c                |    8 +-
 third_party/heimdal/lib/krb5/pcache.c             |    4 +-
 third_party/heimdal/lib/krb5/pkinit.c             |    1 +
 third_party/heimdal/lib/krb5/plugin.c             |    4 +-
 third_party/heimdal/lib/krb5/salt-aes-sha1.c      |    2 +-
 third_party/heimdal/lib/krb5/salt-aes-sha2.c      |    2 +-
 third_party/heimdal/lib/krb5/send_to_kdc.c        |   12 +-
 third_party/heimdal/lib/roken/parse_bytes-test.c  |    6 +-
 third_party/heimdal/lib/roken/parse_bytes.c       |   18 +-
 third_party/heimdal/lib/roken/parse_bytes.h       |    6 +-
 third_party/heimdal/lib/sl/Makefile.am            |    4 +-
third_party/heimdal/lib/vers/make-print-version.c | 2 +- third_party/heimdal/tests/kdc/check-kdc.in | 38 +- third_party/heimdal_build/roken.h | 4 +- 84 files changed, 5951 insertions(+), 495 deletions(-) create mode 100755 python/samba/tests/krb5/pkinit_tests.py Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 1254ea2e0cb..27c7ee38cc6 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -890,9 +890,6 @@ class KdcTgsTests(KdcTgsBaseTests): def _run_upn_dns_info_ex_test(self, client_creds): service_creds = self.get_service_creds() - samdb = self.get_samdb() - dn = client_creds.get_dn() - account_name = client_creds.get_username() upn_name = client_creds.get_upn() if upn_name is None: @@ -2148,7 +2145,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_as_requester_sid(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() self.get_tgt(creds, pac_request=None, @@ -2159,7 +2155,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_tgs_requester_sid(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2173,7 +2168,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_tgs_requester_sid_renew(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2192,7 +2186,6 @@ class KdcTgsTests(KdcTgsBaseTests): creds = self._get_creds(replication_allowed=True, revealed_to_rodc=True) - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2209,7 +2202,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_tgs_requester_sid_missing_renew(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, 
@@ -2225,7 +2217,6 @@ class KdcTgsTests(KdcTgsBaseTests): creds = self._get_creds(replication_allowed=True, revealed_to_rodc=True) - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2240,7 +2231,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_tgs_requester_sid_validate(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2259,7 +2249,6 @@ class KdcTgsTests(KdcTgsBaseTests): creds = self._get_creds(replication_allowed=True, revealed_to_rodc=True) - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2276,7 +2265,6 @@ class KdcTgsTests(KdcTgsBaseTests): def test_tgs_requester_sid_missing_validate(self): creds = self._get_creds() - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, @@ -2292,7 +2280,6 @@ class KdcTgsTests(KdcTgsBaseTests): creds = self._get_creds(replication_allowed=True, revealed_to_rodc=True) - samdb = self.get_samdb() sid = creds.get_sid() tgt = self.get_tgt(creds, pac_request=None, diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py new file mode 100755 index 00000000000..15166499adc --- /dev/null +++ b/python/samba/tests/krb5/pkinit_tests.py 
@@ -0,0 +1,1233 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) Catalyst.Net Ltd 2023 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys +import os + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + +from datetime import datetime, timedelta + +from pyasn1.type import univ + +from cryptography import x509 +from cryptography.hazmat.primitives.serialization import pkcs12 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import dh, padding +from cryptography.x509.oid import NameOID + +import samba.tests +from samba.tests.krb5 import kcrypto +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.raw_testcase import PkInit +from samba.tests.krb5.rfc4120_constants import ( + DES_EDE3_CBC, + KDC_ERR_CLIENT_NOT_TRUSTED, + KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_MODIFIED, + KDC_ERR_PREAUTH_EXPIRED, + KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED, + KU_PA_ENC_TIMESTAMP, + NT_PRINCIPAL, + PADATA_AS_FRESHNESS, + PADATA_ENC_TIMESTAMP, + PADATA_PK_AS_REP_19, + PADATA_PK_AS_REQ, +) +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + + +class PkInitTests(KDCBaseTest): + @classmethod + def 
setUpClass(cls): + super().setUpClass() + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _get_creds(self, account_type=KDCBaseTest.AccountType.USER): + """Return credentials with an account having a UPN for performing + PK-INIT.""" + samdb = self.get_samdb() + realm = samdb.domain_dns_name().upper() + + return self.get_cached_creds( + account_type=account_type, + opts={'upn': f'{{account}}.{realm}@{realm}'}) + + def test_pkinit(self): + """Test public-key PK-INIT.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds) + + def test_pkinit_dh(self): + """Test Diffie-Hellman PK-INIT.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN) + + def test_pkinit_win2k(self): + """Test public-key Windows 2000 PK-INIT.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, win2k_variant=True) + + def test_pkinit_no_des3(self): + """Test public-key PK-INIT without specifying the DES3 encryption + type. It should fail.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + etypes=(kcrypto.Enctype.AES256, kcrypto.Enctype.RC4), + expect_error=KDC_ERR_ETYPE_NOSUPP) + + def test_pkinit_no_des3_dh(self): + """Test Diffie-Hellman PK-INIT without specifying the DES3 encryption + type. 
This time, it should succeed.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + etypes=(kcrypto.Enctype.AES256, kcrypto.Enctype.RC4)) + + def test_pkinit_aes128(self): + """Test public-key PK-INIT, specifying the AES128 encryption type + first.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + etypes=( + kcrypto.Enctype.AES128, + kcrypto.Enctype.AES256, + DES_EDE3_CBC, + )) + + def test_pkinit_rc4(self): + """Test public-key PK-INIT, specifying the RC4 encryption type first. + """ + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + etypes=( + kcrypto.Enctype.RC4, + kcrypto.Enctype.AES256, + DES_EDE3_CBC, + )) + + def test_pkinit_zero_nonce(self): + """Test public-key PK-INIT with a nonce of zero. The nonce in the + request body should take precedence.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, pk_nonce=0) + + def test_pkinit_zero_nonce_dh(self): + """Test Diffie-Hellman PK-INIT with a nonce of zero. The nonce in the + request body should take precedence. 
+ """ + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + pk_nonce=0) + + def test_pkinit_computer(self): + """Test public-key PK-INIT with a computer account.""" + client_creds = self._get_creds(self.AccountType.COMPUTER) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds) + + def test_pkinit_computer_dh(self): + """Test Diffie-Hellman PK-INIT with a computer account.""" + client_creds = self._get_creds(self.AccountType.COMPUTER) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN) + + def test_pkinit_computer_win2k(self): + """Test public-key Windows 2000 PK-INIT with a computer account.""" + client_creds = self._get_creds(self.AccountType.COMPUTER) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, win2k_variant=True) + + def test_pkinit_service(self): + """Test public-key PK-INIT with a service account.""" + client_creds = self._get_creds(self.AccountType.MANAGED_SERVICE) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds) + + def test_pkinit_service_dh(self): + """Test Diffie-Hellman PK-INIT with a service account.""" + client_creds = self._get_creds(self.AccountType.MANAGED_SERVICE) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN) + + def test_pkinit_service_win2k(self): + """Test public-key Windows 2000 PK-INIT with a service account.""" + client_creds = self._get_creds(self.AccountType.MANAGED_SERVICE) + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, win2k_variant=True) + + def test_pkinit_no_supported_cms_types(self): + """Test public-key PK-INIT, excluding the supportedCmsTypes field. 
This + causes Windows to reply with differently-encoded ASN.1.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + supported_cms_types=False) + + def test_pkinit_no_supported_cms_types_dh(self): + """Test Diffie-Hellman PK-INIT, excluding the supportedCmsTypes field. + """ + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + supported_cms_types=False) + + def test_pkinit_empty_supported_cms_types(self): + """Test public-key PK-INIT with an empty supportedCmsTypes field.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + supported_cms_types=[]) + + def test_pkinit_empty_supported_cms_types_dh(self): + """Test Diffie-Hellman PK-INIT with an empty supportedCmsTypes field. + """ + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + supported_cms_types=[]) + + def test_pkinit_sha256_signature(self): + """Test public-key PK-INIT with a SHA256 signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req( + client_creds, target_creds, + signature_algorithm=krb5_asn1.id_pkcs1_sha256WithRSAEncryption) + + def test_pkinit_sha256_signature_dh(self): + """Test Diffie-Hellman PK-INIT with a SHA256 signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req( + client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + signature_algorithm=krb5_asn1.id_pkcs1_sha256WithRSAEncryption) + + def test_pkinit_sha256_signature_win2k(self): + """Test public-key Windows 2000 PK-INIT with a SHA256 signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + 
self._pkinit_req( + client_creds, target_creds, + signature_algorithm=krb5_asn1.id_pkcs1_sha256WithRSAEncryption, + win2k_variant=True) + + def test_pkinit_sha256_certificate_signature(self): + """Test public-key PK-INIT with a SHA256 certificate signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req( + client_creds, target_creds, + certificate_signature=hashes.SHA256) + + def test_pkinit_sha256_certificate_signature_dh(self): + """Test Diffie-Hellman PK-INIT with a SHA256 certificate signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req( + client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + certificate_signature=hashes.SHA256) + + def test_pkinit_sha256_certificate_signature_win2k(self): + """Test public-key Windows 2000 PK-INIT with a SHA256 certificate + signature.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + self._pkinit_req( + client_creds, target_creds, + certificate_signature=hashes.SHA256, + win2k_variant=True) + + def test_pkinit_freshness(self): + """Test public-key PK-INIT with the PKINIT Freshness Extension.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + # Perform the AS-REQ to get the freshness token. + kdc_exchange_dict = self._as_req(client_creds, target_creds, + freshness=b'', + expect_error=KDC_ERR_PREAUTH_REQUIRED, + expect_edata=True) + freshness_token = kdc_exchange_dict.get('freshness_token') + self.assertIsNotNone(freshness_token) + + # Include the freshness token in the PK-INIT request. 
+ self._pkinit_req(client_creds, target_creds, + freshness_token=freshness_token) + + def test_pkinit_freshness_dh(self): + """Test Diffie-Hellman PK-INIT with the PKINIT Freshness Extension.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + kdc_exchange_dict = self._as_req(client_creds, target_creds, + freshness=b'', + expect_error=KDC_ERR_PREAUTH_REQUIRED, + expect_edata=True) + freshness_token = kdc_exchange_dict.get('freshness_token') + self.assertIsNotNone(freshness_token) + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + freshness_token=freshness_token) + + def test_pkinit_freshness_non_empty(self): + """Test sending a non-empty freshness token.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + kdc_exchange_dict = self._as_req( + client_creds, target_creds, + freshness=b'A genuine freshness token', + expect_error=KDC_ERR_PREAUTH_REQUIRED, + expect_edata=True) + freshness_token = kdc_exchange_dict.get('freshness_token') + self.assertIsNotNone(freshness_token) + + def test_pkinit_freshness_with_enc_ts(self): + """Test sending a freshness token and ENC-TS in the same request.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + kdc_exchange_dict = self._as_req(client_creds, target_creds, + freshness=b'', + send_enc_ts=True) + + # There should be no freshness token in the reply. 
+ freshness_token = kdc_exchange_dict.get('freshness_token') + self.assertIsNone(freshness_token) + + def test_pkinit_freshness_current(self): + """Test public-key PK-INIT with an up-to-date freshness token.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + freshness_token = self.create_freshness_token() + + self._pkinit_req(client_creds, target_creds, + freshness_token=freshness_token) + + def test_pkinit_freshness_current_dh(self): + """Test Diffie-Hellman PK-INIT with an up-to-date freshness token.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + freshness_token = self.create_freshness_token() + + self._pkinit_req(client_creds, target_creds, + using_pkinit=PkInit.DIFFIE_HELLMAN, + freshness_token=freshness_token) + + def test_pkinit_freshness_old(self): + """Test public-key PK-INIT with an old freshness token.""" + client_creds = self._get_creds() + target_creds = self.get_service_creds() + + # Present a freshness token from fifteen minutes in the past. + fifteen_minutes = timedelta(minutes=15).total_seconds() + freshness_token = self.create_freshness_token(offset=-fifteen_minutes) + + # The request should be rejected. + self._pkinit_req(client_creds, target_creds, + freshness_token=freshness_token, -- Samba Shared Repository
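Review bot: In the new pkinit_tests.py hunk (@@ -0,0 +1,1233 @@), test_pkinit_no_des3 expects KDC_ERR_ETYPE_NOSUPP when the public-key variant is run without DES3 in the etype list, while test_pkinit_no_des3_dh expects the Diffie-Hellman variant to succeed with the same etype list; the docstrings state the outcome but not the reason, so a short comment explaining why des-ede3-cbc must be offered for the public-key variant only would save the next maintainer a trip through the KDC behaviour. Separately, several names imported at the top of the file (pkcs12, dh, padding, serialization, NameOID, univ, datetime) are not referenced within the 500 lines shown here; since the changeset is truncated, confirm they are used by the helpers later in the file rather than left over, given that a sibling commit in this push (97cde6f97b4) is specifically removing unused variables from kdc_tgs_tests.py.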