The branch, master has been updated
via 8a6004b7b3f tests/krb5: Construct signed_attrs correctly
via ed9e1c38790 tests/krb5: Add TD_CMS_DIGEST_ALGORITHMS constant
via 9818a8d02d6 wscript: Fix help text spelling
via 705ef45ffbe python:tests: Correct test class name
from 0de67cf0748 vfs_fruit: psd->dacl can be NULL, use orig_num_aces
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8a6004b7b3fa9b8540ed0f285697ddda4e015b32
Author: Jennifer Sutton <[email protected]>
Date: Tue Nov 18 16:42:03 2025 +1300
tests/krb5: Construct signed_attrs correctly
signed_attrs is supposed to be a list of key‐value pairs, but we forgot the
values. Because the field was not constructed correctly, the pyasn1 encoder
simply stripped it out.
Also properly separate the signature algorithm and digest algorithms.
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Wed Nov 19 00:32:31 UTC 2025 on atb-devel-224
commit ed9e1c38790631302a2277209346f2ae24091b9d
Author: Jennifer Sutton <[email protected]>
Date: Tue Nov 18 16:36:31 2025 +1300
tests/krb5: Add TD_CMS_DIGEST_ALGORITHMS constant
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit 9818a8d02d60599df3a65ccee5f4809bd7e5b2b6
Author: Jennifer Sutton <[email protected]>
Date: Tue Nov 18 16:33:31 2025 +1300
wscript: Fix help text spelling
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit 705ef45ffbe1ff205b92aa571a2dcf0dbcf095d3
Author: Jennifer Sutton <[email protected]>
Date: Wed Nov 12 14:25:33 2025 +1300
python:tests: Correct test class name
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/key_trust_tests.py | 45 +++++++++++++++-----
.../tests/krb5/pkinit_certificate_mapping_tests.py | 48 ++++++++++++++++-----
python/samba/tests/krb5/pkinit_tests.py | 49 +++++++++++++++++-----
python/samba/tests/krb5/raw_testcase.py | 10 ++++-
python/samba/tests/krb5/rfc4120.asn1 | 9 ++++
python/samba/tests/krb5/rfc4120_constants.py | 2 +
.../samba/tests/krb5/rfc4120_pyasn1_generated.py | 7 ++++
python/samba/tests/samba_tool/user_auth_silo.py | 2 +-
wscript | 4 +-
9 files changed, 139 insertions(+), 37 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/key_trust_tests.py
b/python/samba/tests/krb5/key_trust_tests.py
index 07c62485dea..5ef5d5353dc 100755
--- a/python/samba/tests/krb5/key_trust_tests.py
+++ b/python/samba/tests/krb5/key_trust_tests.py
@@ -300,6 +300,9 @@ class KeyTrustTests(KDCBaseTest):
signature_algorithm = krb5_asn1.sha1WithRSAEncryption
signature_algorithm_id =
self.AlgorithmIdentifier_create(signature_algorithm)
+ digest_algorithm = krb5_asn1.id_sha1
+ digest_algorithm_id = self.AlgorithmIdentifier_create(digest_algorithm)
+
private_key = creds.get_private_key()
preauth_key = private_key
@@ -348,11 +351,11 @@ class KeyTrustTests(KDCBaseTest):
auth_pack = self.der_encode(auth_pack_obj, asn1Spec=asn1_spec())
signature_hash = self.hash_from_algorithm(signature_algorithm)
+ digest_hash = self.hash_from_algorithm(digest_algorithm)
- pad = padding.PKCS1v15()
- signed = private_key.sign(
- auth_pack, padding=pad, algorithm=signature_hash()
- )
+ digest = hashes.Hash(digest_hash(), default_backend())
+ digest.update(auth_pack)
+ digest = digest.finalize()
encap_content_info_obj = self.EncapsulatedContentInfo_create(
krb5_asn1.id_pkinit_authData, auth_pack
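Review bot: `hashes.Hash(digest_hash(), default_backend())` on the new digest lines still passes an explicit backend, which cryptography has ignored since 3.1 and marks deprecated; `hashes.Hash(digest_hash())` is sufficient and removes the `default_backend` dependency from this path. Hashing `auth_pack` on its own (the eContent bytes without the OCTET STRING tag and length) is what RFC 5652 §5.4 prescribes for the message-digest attribute, so the input to the digest looks right. The enclosing method starts before and continues after this hunk.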
@@ -365,16 +368,36 @@ class KeyTrustTests(KDCBaseTest):
subject_key_id=subject_key_id.value.digest
)
+ auth_data_attr = self.Attribute_create(
+ krb5_asn1.id_pkinit_authData, [auth_pack]
+ )
+
+ message_digest = self.der_encode(digest,
asn1Spec=krb5_asn1.MessageDigest())
+
+ message_digest_attr = self.Attribute_create(
+ krb5_asn1.id_messageDigest, [message_digest]
+ )
+
+ signed_attrs = [
+ # Note: these attributes are optional.
+ auth_data_attr,
+ message_digest_attr,
+ ]
+ encoded_signed_attrs = self.der_encode(
+ signed_attrs, asn1Spec=krb5_asn1.CMSAttributes()
+ )
+
+ pad = padding.PKCS1v15()
+ signed = private_key.sign(
+ encoded_signed_attrs, padding=pad, algorithm=signature_hash()
+ )
+
signer_info = self.SignerInfo_create(
signer_identifier,
- signature_algorithm_id,
+ digest_algorithm_id,
signature_algorithm_id,
signed,
- signed_attrs=[
- # Note: these attributes are optional.
- krb5_asn1.id_pkinit_authData,
- krb5_asn1.id_messageDigest,
- ],
+ signed_attrs=signed_attrs,
)
encoded_cert = certificate.public_bytes(serialization.Encoding.DER)
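Review bot: The signed attributes assembled at the top of this hunk do not form a valid CMS SignedAttributes: RFC 5652 §5.3 requires that, whenever signedAttrs is present, it contains a content-type attribute (`id-contentType` whose value is the eContentType OID) next to message-digest, but `auth_data_attr` instead uses `id_pkinit_authData` as the attribute type with the whole `auth_pack` as its value. A verifier that enforces §5.3 (Heimdal's hx509, as far as I recall, rejects a missing contentType attribute outright) would refuse this AuthPack, so unless the KDC under test is known to be lenient these tests would now fail for a reason unrelated to what they check. The fix is to replace `auth_data_attr` with `content_type_attr = self.Attribute_create(krb5_asn1.id_contentType, [self.der_encode(krb5_asn1.id_pkinit_authData, asn1Spec=krb5_asn1.ContentType())])`, assuming those names exist in the generated module (they are not visible here). Signing `encoded_signed_attrs` is only correct if `krb5_asn1.CMSAttributes` is declared as a plain `SET OF Attribute`, since §5.4 wants the SET OF tag in the signed input rather than the IMPLICIT [0] tag used inside SignerInfo; that definition is outside this hunk. The retained `# Note: these attributes are optional.` comment is also misleading now, because with signedAttrs present message-digest is mandatory and the signature covers these attributes instead of the content.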
@@ -383,7 +406,7 @@ class KeyTrustTests(KDCBaseTest):
)
signed_auth_pack = self.SignedData_create(
- [signature_algorithm_id],
+ [digest_algorithm_id],
encap_content_info_obj,
signer_infos=[signer_info],
certificates=[decoded_cert],
diff --git a/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
b/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
index e6486cc54d2..7802a0cf4ac 100755
--- a/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
+++ b/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
@@ -770,6 +770,7 @@ class PkInitCertificateMappingTests(KDCBaseTest):
pk_nonce=None,
supported_cms_types=None,
signature_algorithm=None,
+ digest_algorithm=None,
certificate_signature=None,
freshness_token=None,
win2k_variant=False,
@@ -785,6 +786,11 @@ class PkInitCertificateMappingTests(KDCBaseTest):
signature_algorithm_id =
self.AlgorithmIdentifier_create(signature_algorithm)
+ if digest_algorithm is None:
+ digest_algorithm = krb5_asn1.id_sha1
+
+ digest_algorithm_id = self.AlgorithmIdentifier_create(digest_algorithm)
+
if certificate is None:
ca_cert, ca_private_key = self.get_ca_cert_and_private_key()
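Review bot: `digest_algorithm` defaults to `id_sha1` on its own, independent of whatever `signature_algorithm` resolved to just above, so a caller that selects a SHA-256 signature still sends a SHA-1 message-digest unless it passes `digest_algorithm` as well. Given that this series also teaches the tests about TD-CMS-DIGEST-ALGORITHMS, a KDC that refuses SHA-1 would presumably answer with that typed data rather than a ticket; a short comment on the default, `# SHA-1 is the historical PKINIT default; a KDC may reject it and answer with TD-CMS-DIGEST-ALGORITHMS`, would save the next reader a surprise. The enclosing method starts before this hunk.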
@@ -916,11 +922,11 @@ class PkInitCertificateMappingTests(KDCBaseTest):
auth_pack = self.der_encode(auth_pack_obj, asn1Spec=asn1_spec())
signature_hash = self.hash_from_algorithm(signature_algorithm)
+ digest_hash = self.hash_from_algorithm(digest_algorithm)
- pad = padding.PKCS1v15()
- signed = private_key.sign(
- auth_pack, padding=pad, algorithm=signature_hash()
- )
+ digest = hashes.Hash(digest_hash(), default_backend())
+ digest.update(auth_pack)
+ digest = digest.finalize()
encap_content_info_obj = self.EncapsulatedContentInfo_create(
krb5_asn1.id_pkinit_authData, auth_pack
@@ -933,16 +939,36 @@ class PkInitCertificateMappingTests(KDCBaseTest):
subject_key_id=subject_key_id.value.digest
)
+ auth_data_attr = self.Attribute_create(
+ krb5_asn1.id_pkinit_authData, [auth_pack]
+ )
+
+ message_digest = self.der_encode(digest,
asn1Spec=krb5_asn1.MessageDigest())
+
+ message_digest_attr = self.Attribute_create(
+ krb5_asn1.id_messageDigest, [message_digest]
+ )
+
+ signed_attrs = [
+ # Note: these attributes are optional.
+ auth_data_attr,
+ message_digest_attr,
+ ]
+ encoded_signed_attrs = self.der_encode(
+ signed_attrs, asn1Spec=krb5_asn1.CMSAttributes()
+ )
+
+ pad = padding.PKCS1v15()
+ signed = private_key.sign(
+ encoded_signed_attrs, padding=pad, algorithm=signature_hash()
+ )
+
signer_info = self.SignerInfo_create(
signer_identifier,
- signature_algorithm_id,
+ digest_algorithm_id,
signature_algorithm_id,
signed,
- signed_attrs=[
- # Note: these attributes are optional.
- krb5_asn1.id_pkinit_authData,
- krb5_asn1.id_messageDigest,
- ],
+ signed_attrs=signed_attrs,
)
encoded_cert = certificate.public_bytes(serialization.Encoding.DER)
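Review bot: The roughly forty lines from `auth_data_attr` through the `private_key.sign(...)` call are now duplicated verbatim in key_trust_tests.py, this file and pkinit_tests.py, so any later CMS correction has to be made three times; a helper next to `Attribute_create` in raw_testcase.py (say `SignedAttributes_create(self, content_type, content, digest_algorithm)` returning the attribute list and its DER encoding) would let each caller shrink to two lines. Whatever shape the helper takes, it should emit the `id-contentType` attribute that RFC 5652 §5.3 requires whenever signedAttrs is present, rather than the `id_pkinit_authData`-typed attribute built here, since a strict verifier rejects the latter. The enclosing method starts before this hunk.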
@@ -951,7 +977,7 @@ class PkInitCertificateMappingTests(KDCBaseTest):
)
signed_auth_pack = self.SignedData_create(
- [signature_algorithm_id],
+ [digest_algorithm_id],
encap_content_info_obj,
signer_infos=[signer_info],
certificates=[decoded_cert],
diff --git a/python/samba/tests/krb5/pkinit_tests.py
b/python/samba/tests/krb5/pkinit_tests.py
index 4928f1ce46e..74f1c489620 100755
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -1693,6 +1693,7 @@ class PkInitTests(KDCBaseTest):
pk_nonce=None,
supported_cms_types=None,
signature_algorithm=None,
+ digest_algorithm=None,
certificate_signature=None,
freshness_token=None,
win2k_variant=False,
@@ -1709,6 +1710,11 @@ class PkInitTests(KDCBaseTest):
signature_algorithm_id = self.AlgorithmIdentifier_create(
signature_algorithm)
+ if digest_algorithm is None:
+ digest_algorithm = krb5_asn1.id_sha1
+
+ digest_algorithm_id = self.AlgorithmIdentifier_create(digest_algorithm)
+
if certificate is None:
ca_cert, ca_private_key = self.get_ca_cert_and_private_key()
@@ -1837,11 +1843,11 @@ class PkInitTests(KDCBaseTest):
auth_pack = self.der_encode(auth_pack_obj, asn1Spec=asn1_spec())
signature_hash = self.hash_from_algorithm(signature_algorithm)
+ digest_hash = self.hash_from_algorithm(digest_algorithm)
- pad = padding.PKCS1v15()
- signed = private_key.sign(auth_pack,
- padding=pad,
- algorithm=signature_hash())
+ digest = hashes.Hash(digest_hash(), default_backend())
+ digest.update(auth_pack)
+ digest = digest.finalize()
encap_content_info_obj = self.EncapsulatedContentInfo_create(
krb5_asn1.id_pkinit_authData, auth_pack)
@@ -1851,23 +1857,44 @@ class PkInitTests(KDCBaseTest):
signer_identifier = self.SignerIdentifier_create(
subject_key_id=subject_key_id.value.digest)
+ auth_data_attr = self.Attribute_create(
+ krb5_asn1.id_pkinit_authData, [auth_pack]
+ )
+
+ message_digest = self.der_encode(digest,
asn1Spec=krb5_asn1.MessageDigest())
+
+ message_digest_attr = self.Attribute_create(
+ krb5_asn1.id_messageDigest, [message_digest]
+ )
+
+ signed_attrs = [
+ # Note: these attributes are optional.
+ auth_data_attr,
+ message_digest_attr,
+ ]
+ encoded_signed_attrs = self.der_encode(
+ signed_attrs, asn1Spec=krb5_asn1.CMSAttributes()
+ )
+
+ pad = padding.PKCS1v15()
+ signed = private_key.sign(encoded_signed_attrs,
+ padding=pad,
+ algorithm=signature_hash())
+
signer_info = self.SignerInfo_create(
signer_identifier,
- signature_algorithm_id,
+ digest_algorithm_id,
signature_algorithm_id,
signed,
- signed_attrs=[
- # Note: these attributes are optional.
- krb5_asn1.id_pkinit_authData,
- krb5_asn1.id_messageDigest,
- ])
+ signed_attrs=signed_attrs,
+ )
encoded_cert = certificate.public_bytes(serialization.Encoding.DER)
decoded_cert = self.der_decode(
encoded_cert, asn1Spec=krb5_asn1.CertificateChoices())
signed_auth_pack = self.SignedData_create(
- [signature_algorithm_id],
+ [digest_algorithm_id],
encap_content_info_obj,
signer_infos=[signer_info],
certificates=[decoded_cert],
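Review bot: The retained `# Note: these attributes are optional.` comment is now wrong for the code beneath it: once signedAttrs is present, RFC 5652 §5.3 makes message-digest mandatory, and the signature computed a few lines later covers these attributes rather than `auth_pack`. I would replace it with `# RFC 5652 §5.3/5.4: with signedAttrs present message-digest is mandatory and the signature covers the DER of this SET OF, not auth_pack.` Signing `encoded_signed_attrs` is only correct if `krb5_asn1.CMSAttributes` is declared as a plain `SET OF Attribute`, because the signed input must carry the SET OF tag instead of the IMPLICIT [0] tag used inside SignerInfo; that definition is not visible here, so it is worth confirming. The enclosing method starts before this hunk.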
diff --git a/python/samba/tests/krb5/raw_testcase.py
b/python/samba/tests/krb5/raw_testcase.py
index c87ea37b372..07bf4490104 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -129,6 +129,7 @@ from samba.tests.krb5.rfc4120_constants import (
PADATA_PW_SALT,
PADATA_REQ_ENC_PA_REP,
PADATA_SUPPORTED_ETYPES,
+ TD_CMS_DIGEST_ALGORITHMS,
)
import samba.tests.krb5.kcrypto as kcrypto
@@ -2520,6 +2521,14 @@ class RawKerberosTest(TestCase):
return self.der_encode(pk_as_req_obj, asn1Spec=asn1_spec())
+ def Attribute_create(self,
+ attr_type,
+ attr_values):
+ return {
+ 'type': attr_type,
+ 'values': attr_values,
+ }
+
def SignerInfo_create(self,
signer_id,
digest_algorithm,
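Review bot: `Attribute_create` accepts any `attr_values` without checking that it is a sequence, and the bug this series fixes was exactly that a malformed attribute is silently dropped by the pyasn1 encoder instead of being rejected; a guard `if not isinstance(attr_values, (list, tuple)): raise TypeError('attr_values must be a list of encoded values')` would make the next such mistake fail loudly. The method also has no docstring; I would add one stating that it builds a CMS Attribute (RFC 5652 §5.3) as the dict the pyasn1 spec expects, and that `attr_values` is the SET OF values, which both callers in this series pass as already DER-encoded bytes.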
@@ -5378,7 +5387,6 @@ class RawKerberosTest(TestCase):
require_strict.add(PADATA_ENCRYPTED_CHALLENGE)
got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
- TD_CMS_DIGEST_ALGORITHMS = 111
self.assertSequenceElementsEqual(expected_patypes, got_patypes,
require_strict=require_strict,
unchecked={PADATA_PW_SALT,TD_CMS_DIGEST_ALGORITHMS})
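Review bot: `TD_CMS_DIGEST_ALGORITHMS` stays in the `unchecked` set, so no test ever asserts whether the KDC returned that typed data; now that callers can choose `digest_algorithm`, a test that sends a digest the KDC refuses could assert the typed data is present and decode it with the newly added `TD_CMS_DIGEST_ALGORITHMS_DATA` spec, which would actually exercise the new constant rather than only tolerating it. The enclosing method starts before this hunk.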
diff --git a/python/samba/tests/krb5/rfc4120.asn1
b/python/samba/tests/krb5/rfc4120.asn1
index 79449d877ad..51684b50ba8 100644
--- a/python/samba/tests/krb5/rfc4120.asn1
+++ b/python/samba/tests/krb5/rfc4120.asn1
@@ -1505,6 +1505,15 @@ ReplyKeyPack-Win2k ::= SEQUENCE {
...
}
+-- (from RFC 8636)
+
+TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF
+ AlgorithmIdentifier
+ -- Contains the list of CMS algorithm [RFC5652]
+ -- identifiers indicating the digest algorithms
+ -- acceptable to the KDC for signing CMS data in
+ -- decreasing order of preference.
+
--
id-pkinit-ms-san OBJECT IDENTIFIER ::= {
diff --git a/python/samba/tests/krb5/rfc4120_constants.py
b/python/samba/tests/krb5/rfc4120_constants.py
index c42a38ffa59..2e2de74b21b 100644
--- a/python/samba/tests/krb5/rfc4120_constants.py
+++ b/python/samba/tests/krb5/rfc4120_constants.py
@@ -248,3 +248,5 @@ FX_FAST_ARMOR_AP_REQUEST = 1
TD_TRUSTED_CERTIFIERS = 104
TD_INVALID_CERTIFICATES = 105
TD_DH_PARAMETERS = 109
+
+TD_CMS_DIGEST_ALGORITHMS = 111
diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_generated.py
b/python/samba/tests/krb5/rfc4120_pyasn1_generated.py
index 6949737bc15..7eaefe946ac 100644
--- a/python/samba/tests/krb5/rfc4120_pyasn1_generated.py
+++ b/python/samba/tests/krb5/rfc4120_pyasn1_generated.py
@@ -2456,6 +2456,13 @@ class SubjectAltName(GeneralNames):
pass
+class TD_CMS_DIGEST_ALGORITHMS_DATA(univ.SequenceOf):
+ pass
+
+
+TD_CMS_DIGEST_ALGORITHMS_DATA.componentType = AlgorithmIdentifier()
+
+
class TD_DH_PARAMETERS(univ.SequenceOf):
pass
diff --git a/python/samba/tests/samba_tool/user_auth_silo.py
b/python/samba/tests/samba_tool/user_auth_silo.py
index 2f682115924..965371cff41 100644
--- a/python/samba/tests/samba_tool/user_auth_silo.py
+++ b/python/samba/tests/samba_tool/user_auth_silo.py
@@ -25,7 +25,7 @@ from samba.domain.models import AuthenticationSilo, User
from .silo_base import SiloTest
-class AuthPolicyCmdTestCase(SiloTest):
+class AuthSiloCmdTestCase(SiloTest):
def setUp(self):
super().setUp()
diff --git a/wscript b/wscript
index f27863737fa..5159572860f 100644
--- a/wscript
+++ b/wscript
@@ -124,11 +124,11 @@ def options(opt):
action="store_false", dest='enable_relro')
opt.add_option('--with-kernel-keyring',
- help=('Enable kernely keyring support for credential storage
' +
+ help=('Enable kernel keyring support for credential storage
' +
'(default if keyutils libraries are available)'),
action='store_true', dest='enable_keyring')
opt.add_option('--without-kernel-keyring',
- help=('Disable kernely keyring support for credential
storage'),
+ help=('Disable kernel keyring support for credential
storage'),
action='store_false', dest='enable_keyring')
opt.samba_add_onoff_option('ldap')
--
Samba Shared Repository