rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add soft-pkcs11 and use it for testing

Browse Source
This commit is contained in:
Robbie Harwood 2019-07-30 08:56:06 -04:00
parent 52c0e4ab88
commit f4c04f8cde
4 changed files with 2755 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2071
Add-soft-pkcs11-source-code.patch Normal file
View File

File diff suppressed because it is too large Load Diff

206
Fix-Coverity-defects-in-soft-pkcs11-test-code.patch Normal file
View File

@ -0,0 +1,206 @@
From 9fccdd784a639ffc9d4eae723a39e35cb7434fec Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 20 Jul 2019 00:51:52 -0400
Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
Nothing in the code removes objects from soft_token.object.obs, so
simplify add_st_object() not to search for an empty slot. Avoid using
random() by using a counter for session handles and just the array
slot number for object handles. Add a helper get_rcfilename() to
facilitate checking the result of asprintf(). Properly initialize ap
in sprintf_fill(). Close the file handle in read_conf_file().
(cherry picked from commit b4831515b2f3b6fd7d7fd4bff4558c10c710891d)
---
src/tests/softpkcs11/main.c | 102 +++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 49 deletions(-)
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 5255323d3..2d1448ca2 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -78,6 +78,7 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
(BL) = i2d_##T((S), &p); \
if ((BL) <= 0) { \
free((B)); \
+ (B) = NULL; \
(R) = EINVAL; \
} \
} \
@@ -149,6 +150,7 @@ static struct soft_token {
} state[10];
#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
FILE *logfile;
+ CK_SESSION_HANDLE next_session_handle;
} soft_token;
static void
@@ -179,6 +181,7 @@ snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
+ va_start(ap, fmt);
len = vsnprintf(str, size, fmt, ap);
va_end(ap);
if (len < 0 || len > size)
@@ -344,7 +347,13 @@ static struct st_object *
add_st_object(void)
{
struct st_object *o, **objs;
- int i;
+
+ objs = realloc(soft_token.object.objs,
+ (soft_token.object.num_objs + 1) *
+ sizeof(soft_token.object.objs[0]));
+ if (objs == NULL)
+ return NULL;
+ soft_token.object.objs = objs;
o = malloc(sizeof(*o));
if (o == NULL)
@@ -352,26 +361,9 @@ add_st_object(void)
memset(o, 0, sizeof(*o));
o->attrs = NULL;
o->num_attributes = 0;
+ o->object_handle = soft_token.object.num_objs;
- for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
- soft_token.object.objs[i] = o;
- break;
- }
- }
- if (i == soft_token.object.num_objs) {
- objs = realloc(soft_token.object.objs,
- (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
- if (objs == NULL) {
- free(o);
- return NULL;
- }
- soft_token.object.objs = objs;
- soft_token.object.objs[soft_token.object.num_objs++] = o;
- }
- soft_token.object.objs[i]->object_handle =
- (random() & (~OBJECT_ID_MASK)) | i;
-
+ soft_token.object.objs[soft_token.object.num_objs++] = o;
return o;
}
@@ -797,6 +789,8 @@ read_conf_file(const char *fn)
add_certificate(label, cert, key, id, anchor);
}
+
+ fclose(f);
}
static CK_RV
@@ -806,19 +800,47 @@ func_not_supported(void)
return CKR_FUNCTION_NOT_SUPPORTED;
}
+static char *
+get_rcfilename()
+{
+ struct passwd *pw;
+ const char *home = NULL;
+ char *fn;
+
+ if (getuid() == geteuid()) {
+ fn = getenv("SOFTPKCS11RC");
+ if (fn != NULL)
+ return strdup(fn);
+
+ home = getenv("HOME");
+ }
+
+ if (home == NULL) {
+ pw = getpwuid(getuid());
+ if (pw != NULL)
+ home = pw->pw_dir;
+ }
+
+ if (home == NULL)
+ return strdup("/etc/soft-token.rc");
+
+ if (asprintf(&fn, "%s/.soft-token.rc", home) < 0)
+ return NULL;
+ return fn;
+}
+
CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
size_t i;
+ char *fn;
st_logf("Initialize\n");
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
- srandom(getpid() ^ time(NULL));
-
for (i = 0; i < MAX_NUM_SESSION; i++) {
soft_token.state[i].session_handle = CK_INVALID_HANDLE;
soft_token.state[i].find.attributes = NULL;
@@ -850,31 +872,13 @@ C_Initialize(CK_VOID_PTR a)
st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
}
- {
- char *fn = NULL, *home = NULL;
-
- if (getuid() == geteuid()) {
- fn = getenv("SOFTPKCS11RC");
- if (fn)
- fn = strdup(fn);
- home = getenv("HOME");
- }
- if (fn == NULL && home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
- if (fn == NULL) {
- if (home)
- asprintf(&fn, "%s/.soft-token.rc", home);
- else
- fn = strdup("/etc/soft-token.rc");
- }
-
- read_conf_file(fn);
- free(fn);
- }
+ soft_token.next_session_handle = 0;
+ fn = get_rcfilename();
+ if (fn == NULL)
+ return CKR_DEVICE_MEMORY;
+ read_conf_file(fn);
+ free(fn);
return CKR_OK;
}
@@ -1082,8 +1086,7 @@ C_OpenSession(CK_SLOT_ID slotID,
soft_token.open_sessions++;
- soft_token.state[i].session_handle =
- (CK_SESSION_HANDLE)(random() & 0xfffff);
+ soft_token.state[i].session_handle = soft_token.next_session_handle++;
*phSession = soft_token.state[i].session_handle;
return CKR_OK;
@@ -1152,7 +1155,8 @@ C_Login(CK_SESSION_HANDLE hSession,
VERIFY_SESSION_HANDLE(hSession, NULL);
if (pPin != NULL_PTR) {
- asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+ if (asprintf(&pin, "%.*s", (int)ulPinLen, pPin) < 0)
+ return CKR_DEVICE_MEMORY;
st_logf("type: %d password: %s\n", (int)userType, pin);
}

471
Use-imported-soft-pkcs11-for-tests.patch Normal file
View File

@ -0,0 +1,471 @@
From 403e72295c80d3ec3343d50bf8f7b1e6525e1ea8 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 20 Jun 2019 13:41:57 -0400
Subject: [PATCH] Use imported soft-pkcs11 for tests
Update the soft-pkcs11 code for OpenSSL 1.1, fix some warnings,
integrate it into the build system, and use it for the PKINIT tests.
(cherry picked from commit e5ef7b69765353ea62ad8712a229ed4e90a8fe17)
---
src/configure.in | 1 +
src/tests/Makefile.in | 2 +-
src/tests/softpkcs11/Makefile.in | 21 ++++
src/tests/softpkcs11/deps | 6 ++
src/tests/softpkcs11/main.c | 124 +++++++++++++++++-------
src/tests/softpkcs11/softpkcs11.exports | 39 ++++++++
src/tests/t_pkinit.py | 18 +---
7 files changed, 162 insertions(+), 49 deletions(-)
create mode 100644 src/tests/softpkcs11/Makefile.in
create mode 100644 src/tests/softpkcs11/deps
create mode 100644 src/tests/softpkcs11/softpkcs11.exports
diff --git a/src/configure.in b/src/configure.in
index a19a0ea97..d0d8c4ed7 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1086,6 +1086,7 @@ int i = 1;
fi
if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
K5_GEN_MAKEFILE(plugins/preauth/pkinit)
+ K5_GEN_MAKEFILE(tests/softpkcs11)
PKINIT=yes
AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index d2a37c616..8fa44fb59 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,7 +1,7 @@
mydir=tests
BUILDTOP=$(REL)..
SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- gss-threads misc threads
+ gss-threads misc threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
diff --git a/src/tests/softpkcs11/Makefile.in b/src/tests/softpkcs11/Makefile.in
new file mode 100644
index 000000000..e89678154
--- /dev/null
+++ b/src/tests/softpkcs11/Makefile.in
@@ -0,0 +1,21 @@
+mydir=tests$(S)softpkcs11
+BUILDTOP=$(REL)..$(S)..
+
+LOCALINCLUDES = -I$(top_srcdir)/plugins/preauth/pkinit
+
+LIBBASE=softpkcs11
+LIBMAJOR=0
+LIBMINOR=0
+
+SHLIB_EXPLIBS=$(SUPPORT_LIB) -lcrypto
+SHLIB_EXPDEPS=$(SUPPORT_DEPLIB)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/tests/softpkcs11/deps b/src/tests/softpkcs11/deps
new file mode 100644
index 000000000..1e82d9572
--- /dev/null
+++ b/src/tests/softpkcs11/deps
@@ -0,0 +1,6 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/plugins/preauth/pkinit/pkcs11.h main.c
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2acec5169..5255323d3 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2006, Stockholms universitet
* (Stockholm University, Stockholm Sweden)
@@ -31,7 +32,57 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-#include "locl.h"
+#include "k5-platform.h"
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+#include <ctype.h>
+#include <pwd.h>
+
+#include <pkcs11.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+#define RSA_get0_key compat_rsa_get0_key
+static void
+compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+ const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = rsa->n;
+ if (e != NULL)
+ *e = rsa->e;
+ if (d != NULL)
+ *d = rsa->d;
+}
+#endif
+
+#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \
+ { \
+ unsigned char *p; \
+ (BL) = i2d_##T((S), NULL); \
+ if ((BL) <= 0) { \
+ (R) = EINVAL; \
+ } else { \
+ (B) = malloc((BL)); \
+ if ((B) == NULL) { \
+ (R) = ENOMEM; \
+ } else { \
+ p = (B); \
+ (R) = 0; \
+ (BL) = i2d_##T((S), &p); \
+ if ((BL) <= 0) { \
+ free((B)); \
+ (R) = EINVAL; \
+ } \
+ } \
+ } \
+ }
/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */
@@ -124,7 +175,7 @@ st_logf(const char *fmt, ...)
}
static void
-snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
+snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
@@ -141,19 +192,19 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
#endif
#define VERIFY_SESSION_HANDLE(s, state) \
-{ \
- CK_RV ret; \
- ret = verify_session_handle(s, state); \
- if (ret != CKR_OK) { \
- /* return CKR_OK */; \
- } \
-}
+ { \
+ CK_RV vshret; \
+ vshret = verify_session_handle(s, state); \
+ if (vshret != CKR_OK) { \
+ /* return CKR_OK */; \
+ } \
+ }
static CK_RV
verify_session_handle(CK_SESSION_HANDLE hSession,
struct session_state **state)
{
- int i;
+ size_t i;
for (i = 0; i < MAX_NUM_SESSION; i++){
if (soft_token.state[i].session_handle == hSession)
@@ -361,16 +412,20 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
CK_ULONG modulus_bits = 0;
CK_BYTE *exponent = NULL;
size_t exponent_len = 0;
+ RSA *rsa;
+ const BIGNUM *n, *e;
- modulus_bits = BN_num_bits(key->pkey.rsa->n);
+ rsa = EVP_PKEY_get0_RSA(key);
+ RSA_get0_key(rsa, &n, &e, NULL);
+ modulus_bits = BN_num_bits(n);
- modulus_len = BN_num_bytes(key->pkey.rsa->n);
+ modulus_len = BN_num_bytes(n);
modulus = malloc(modulus_len);
- BN_bn2bin(key->pkey.rsa->n, modulus);
+ BN_bn2bin(n, modulus);
- exponent_len = BN_num_bytes(key->pkey.rsa->e);
+ exponent_len = BN_num_bytes(e);
exponent = malloc(exponent_len);
- BN_bn2bin(key->pkey.rsa->e, exponent);
+ BN_bn2bin(e, exponent);
add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
add_object_attribute(o, 0, CKA_MODULUS_BITS,
@@ -378,7 +433,7 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
exponent, exponent_len);
- RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(rsa, RSA_PKCS1_OpenSSL());
free(modulus);
free(exponent);
@@ -474,7 +529,7 @@ add_certificate(char *label,
o->u.cert = cert;
public_key = X509_get_pubkey(o->u.cert);
- switch (EVP_PKEY_type(public_key->type)) {
+ switch (EVP_PKEY_base_id(public_key)) {
case EVP_PKEY_RSA:
key_type = CKK_RSA;
break;
@@ -604,8 +659,8 @@ add_certificate(char *label,
/* XXX verify keytype */
if (key_type == CKK_RSA)
- RSA_set_method(o->u.private_key.key->pkey.rsa,
- RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -755,8 +810,9 @@ CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
+ size_t i;
+
st_logf("Initialize\n");
- int i;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
@@ -825,7 +881,7 @@ C_Initialize(CK_VOID_PTR a)
CK_RV
C_Finalize(CK_VOID_PTR args)
{
- int i;
+ size_t i;
st_logf("Finalize\n");
@@ -1008,7 +1064,7 @@ C_OpenSession(CK_SLOT_ID slotID,
CK_NOTIFY Notify,
CK_SESSION_HANDLE_PTR phSession)
{
- int i;
+ size_t i;
st_logf("OpenSession: slot: %d\n", (int)slotID);
@@ -1050,7 +1106,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession)
CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
- int i;
+ size_t i;
st_logf("CloseAllSessions\n");
@@ -1127,7 +1183,8 @@ C_Login(CK_SESSION_HANDLE hSession,
}
/* XXX check keytype */
- RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -1226,7 +1283,6 @@ C_FindObjectsInit(CK_SESSION_HANDLE hSession,
}
if (ulCount) {
CK_ULONG i;
- size_t len;
print_attributes(pTemplate, ulCount);
@@ -1415,7 +1471,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1445,7 +1501,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1566,7 +1622,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1596,7 +1652,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulEncryptedDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulEncryptedDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1725,7 +1781,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1754,7 +1810,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen + padding_len) {
+ if ((CK_ULONG)buffer_len < ulDataLen + padding_len) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1872,7 +1928,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1900,7 +1956,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1926,7 +1982,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
if (len > buffer_len)
abort();
- if (len != ulSignatureLen) {
+ if ((CK_ULONG)len != ulSignatureLen) {
ret = CKR_GENERAL_ERROR;
goto out;
}
diff --git a/src/tests/softpkcs11/softpkcs11.exports b/src/tests/softpkcs11/softpkcs11.exports
new file mode 100644
index 000000000..aa7284511
--- /dev/null
+++ b/src/tests/softpkcs11/softpkcs11.exports
@@ -0,0 +1,39 @@
+C_CloseAllSessions
+C_CloseSession
+C_Decrypt
+C_DecryptFinal
+C_DecryptInit
+C_DecryptUpdate
+C_DigestInit
+C_Encrypt
+C_EncryptFinal
+C_EncryptInit
+C_EncryptUpdate
+C_Finalize
+C_FindObjects
+C_FindObjectsFinal
+C_FindObjectsInit
+C_GenerateRandom
+C_GetAttributeValue
+C_GetFunctionList
+C_GetInfo
+C_GetMechanismInfo
+C_GetMechanismList
+C_GetObjectSize
+C_GetSessionInfo
+C_GetSlotInfo
+C_GetSlotList
+C_GetTokenInfo
+C_Initialize
+C_InitToken
+C_Login
+C_Logout
+C_OpenSession
+C_Sign
+C_SignFinal
+C_SignInit
+C_SignUpdate
+C_Verify
+C_VerifyFinal
+C_VerifyInit
+C_VerifyUpdate
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 93f0f2632..69daf4987 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -4,14 +4,7 @@ from k5test import *
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skip_rest('PKINIT tests', 'PKINIT module not built')
-# Check if soft-pkcs11.so is available.
-try:
- import ctypes
- lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
- del lib
- have_soft_pkcs11 = True
-except:
- have_soft_pkcs11 = False
+soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
# Construct a krb5.conf fragment configuring pkinit.
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
@@ -69,9 +62,9 @@ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
p12_generic_identity = 'PKCS12:%s' % generic_p12
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
-p11_identity = 'PKCS11:soft-pkcs11.so'
-p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
+p11_identity = 'PKCS11:' + soft_pkcs11
+p11_token_identity = ('PKCS11:module_name=' + soft_pkcs11 +
+ ':slotid=1:token=SoftToken (token)')
# Start a realm with the test kdb module for the following UPN SAN tests.
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
@@ -398,9 +391,6 @@ realm.klist(realm.user_princ)
realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'],
expected_code=1, expected_msg='Preauthentication failed while')
-if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
realm.env['SOFTPKCS11RC'] = softpkcs11rc

8
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 37%{?dist}
Release: 38%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -113,6 +113,9 @@ Patch150: Remove-3des-support.patch
Patch151: Remove-now-unused-checksum-functions.patch
Patch152: Don-t-error-on-invalid-enctypes-in-keytab.patch
Patch153: Filter-enctypes-in-gss_set_allowable_enctypes.patch
Patch154: Add-soft-pkcs11-source-code.patch
Patch155: Use-imported-soft-pkcs11-for-tests.patch
Patch156: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -722,6 +725,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Jul 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-38
- Add soft-pkcs11 and use it for testing
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.17-37
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild