diff --git a/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch b/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch new file mode 100644 index 0000000..d49546b --- /dev/null +++ b/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch 
@@ -0,0 +1,551 @@ +From 0e53e397599da4b5d86121f6ee3de50c0389783e Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 14 Feb 2019 18:35:40 +0100 +Subject: [PATCH] TESTS: simple CA to generate certificates for test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To avoid issue with certificate lifetimes a simple OpenSSL based CA is +used to generate certificates for tests. + +To make management easy all related data is kept in +src/tests/test_CA. Since some header files will be generated the +generation of the needed files is added to BUILT_SOURCES as other +generated code. + +Related to https://pagure.io/SSSD/sssd/issue/3436 + +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c) +--- + Makefile.am | 15 ++- + configure.ac | 4 +- + contrib/sssd.spec.in | 8 ++ + src/external/test_ca.m4 | 42 +++++++++ + src/tests/test_CA/Makefile.am | 93 +++++++++++++++++++ + src/tests/test_CA/README | 26 ++++++ + src/tests/test_CA/SSSD_test_CA.config | 47 ++++++++++ + src/tests/test_CA/SSSD_test_CA_key.pem | 52 +++++++++++ + src/tests/test_CA/SSSD_test_cert_0001.config | 20 ++++ + src/tests/test_CA/SSSD_test_cert_0002.config | 19 ++++ + src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 ++++++ + src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 ++++++ + 12 files changed, 380 insertions(+), 2 deletions(-) + create mode 100644 src/external/test_ca.m4 + create mode 100644 src/tests/test_CA/Makefile.am + create mode 100644 src/tests/test_CA/README + create mode 100644 src/tests/test_CA/SSSD_test_CA.config + create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem + create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config + create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config + create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem + create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem + +diff --git a/Makefile.am b/Makefile.am +index 
d52fe0670..d9477cb64 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -21,7 +21,7 @@ if HAVE_MANPAGES + SUBDIRS += src/man + endif + +-SUBDIRS += . src/tests/cwrap src/tests/intg ++SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA + + # Some old versions of automake don't define builddir + builddir ?= . +@@ -2411,6 +2411,7 @@ pam_srv_tests_SOURCES = \ + $(NULL) + pam_srv_tests_CFLAGS = \ + -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \ ++ -I$(abs_builddir)/src \ + $(AM_CFLAGS) \ + $(NULL) + pam_srv_tests_LDFLAGS = \ +@@ -3286,6 +3287,7 @@ test_cert_utils_SOURCES = \ + $(NULL) + test_cert_utils_CFLAGS = \ + $(AM_CFLAGS) \ ++ -I$(abs_builddir)/src \ + $(CRYPTO_CFLAGS) \ + $(NULL) + test_cert_utils_LDADD = \ +@@ -4975,6 +4977,17 @@ endif + + CLEANFILES += *.X */*.X */*/*.X + ++test_CA: test_CA.stamp ++ ++test_CA.stamp: $(srcdir)/src/tests/test_CA/* ++ $(MAKE) -C src/tests/test_CA ca_all ++ touch $@ ++ ++if BUILD_TEST_CA ++BUILT_SOURCES += test_CA ++endif ++CLEANFILES += test_CA.stamp ++ + tests: all $(check_PROGRAMS) + (cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1; + +diff --git a/configure.ac b/configure.ac +index 69deb811e..725c28f52 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4]) + m4_include([src/external/intgcheck.m4]) + m4_include([src/external/systemtap.m4]) + m4_include([src/external/service.m4]) ++m4_include([src/external/test_ca.m4]) + + if test x$with_secrets = xyes; then + m4_include([src/external/libhttp_parser.m4]) +@@ -483,6 +484,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) + AM_CHECK_CMOCKA + AM_CHECK_UID_WRAPPER + AM_CHECK_NSS_WRAPPER ++AM_CHECK_TEST_CA + + # Check if the user wants SSSD to be compiled with systemtap probes + AM_CHECK_SYSTEMTAP +@@ -506,7 +508,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config + contrib/sssd-pcsc.rules + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd + 
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile +- src/tests/intg/Makefile ++ src/tests/intg/Makefile src/tests/test_CA/Makefile + src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy + src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy + src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index f69f192fe..25314596b 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -209,6 +209,14 @@ BuildRequires: selinux-policy-targeted + BuildRequires: libcmocka-devel >= 1.0.0 + BuildRequires: uid_wrapper + BuildRequires: nss_wrapper ++ ++# Test CA requires openssl independent if SSSD is build with NSS or openssl, ++# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil. ++# Currently only cmocka based tests use the test CA. If it is used elsewhere ++# you might want to move the following requires out of the if-block. ++BuildRequires: openssl ++BuildRequires: openssh ++BuildRequires: nss-tools + %endif + BuildRequires: libnl3-devel + %if (0%{?use_systemd} == 1) +diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4 +new file mode 100644 +index 000000000..eb624acf3 +--- /dev/null ++++ b/src/external/test_ca.m4 +@@ -0,0 +1,42 @@ ++dnl Check for tools needed to run the test CA ++AC_DEFUN([AM_CHECK_TEST_CA], ++[ ++ AC_PATH_PROG([OPENSSL], [openssl]) ++ if test ! -x "$OPENSSL"; then ++ AC_MSG_NOTICE([Could not find openssl]) ++ fi ++ ++ AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen]) ++ if test ! -x "$SSH_KEYGEN"; then ++ AC_MSG_NOTICE([Could not find ssh-keygen]) ++ else ++ AC_MSG_CHECKING([for -m option of ssh-keygen]) ++ if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then ++ AC_MSG_RESULT([yes]) ++ else ++ SSH_KEYGEN="" ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ ++ if test x$cryptolib = xnss; then ++ AC_PATH_PROG([CERTUTIL], [certutil]) ++ if test ! 
-x "$CERTUTIL"; then ++ AC_MSG_NOTICE([Could not find certutil]) ++ fi ++ ++ AC_PATH_PROG([PK12UTIL], [pk12util]) ++ if test ! -x "$PK12UTIL"; then ++ AC_MSG_NOTICE([Could not find pk12util]) ++ fi ++ ++ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"]) ++ else ++ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN"]) ++ fi ++ ++ AM_COND_IF([BUILD_TEST_CA], ++ [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1, ++ [Build with certificates from test CA])], ++ [AC_MSG_WARN([Test CA cannot be build, skiping some tests])]) ++]) +diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am +new file mode 100644 +index 000000000..a23a3feef +--- /dev/null ++++ b/src/tests/test_CA/Makefile.am +@@ -0,0 +1,93 @@ ++dist_noinst_DATA = \ ++ SSSD_test_CA.config \ ++ SSSD_test_CA_key.pem \ ++ SSSD_test_cert_0001.config \ ++ SSSD_test_cert_0002.config \ ++ SSSD_test_cert_key_0001.pem \ ++ SSSD_test_cert_key_0002.pem \ ++ $(NULL) ++ ++openssl_ca_config = $(srcdir)/SSSD_test_CA.config ++openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem ++pwdfile = pwdfile ++ ++configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config)) ++ids := $(subst SSSD_test_cert_,,$(basename $(configs))) ++certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids))) ++certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids))) ++pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) ++pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) ++pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) ++ ++if HAVE_NSS ++nssdb = p11_nssdb p11_nssdb_2certs ++endif ++ ++# If openssl is run in parallel there might be conflicts with the serial ++.NOTPARALLEL: ++ ++ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(nssdb) ++ ++$(pwdfile): ++ @echo "12345678" > $@ ++ ++SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial ++ 
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ ++ ++ ++SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config ++ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@ ++ ++SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem ++ $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ ++ ++SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) ++ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ ++ ++SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem ++ $(OPENSSL) x509 -in $< -pubkey -noout > $@ ++ ++SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem ++ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@ ++ ++SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem ++ @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@ ++ ++SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub ++ @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@ ++ ++# This nss db is used in ++# - src/tests/cmocka/test_cert_utils.c (validation only) ++# - src/tests/cmocka/test_pam_srv.c ++p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile) ++ mkdir $@ ++ $(CERTUTIL) -d sql:./$@ -N --empty-password ++ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem ++ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) ++ ++# This nss db is used in ++# - src/tests/cmocka/test_pam_srv.c ++p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile) ++ mkdir $@ ++ $(CERTUTIL) -d sql:./$@ -N --empty-password ++ 
$(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem ++ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) ++ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) ++ ++CLEANFILES = \ ++ index.txt index.txt.attr \ ++ index.txt.attr.old index.txt.old \ ++ serial serial.old \ ++ SSSD_test_CA.pem $(pwdfile) \ ++ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \ ++ $(NULL) ++ ++clean-local: ++ rm -rf newcerts ++ rm -rf p11_nssdb ++ rm -rf p11_nssdb_2certs ++ ++serial: clean ++ touch index.txt ++ mkdir newcerts ++ echo -n 01 > serial +diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README +new file mode 100644 +index 000000000..342fd5890 +--- /dev/null ++++ b/src/tests/test_CA/README +@@ -0,0 +1,26 @@ ++Simple CA for SSSD tests ++ ++To avoid issues with certificate lifetimes during tests certificates can be ++generated with a simple OpenSSL based CA. ++ ++To create a new certificate add a suitable and valid OpenSSL config file with a ++[req] section for a certificate signing request (CSR) which must use the name ++pattern SSSD_test_cert_*.config. Additionally a matching key file ++SSSD_test_cert_key_%.pem should be added e.g. with ++ ++ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048 ++ ++It would be possible to generate the keys automatically as well but ++pre-created keys will safe some resources on the hosts running the tests, ++allow more flexibility with algorithms and key lengths and make the tests ++more reproducible. ++ ++The Makefile will pick up the config and the keys and generate a X.509 ++certificate. For usage in C-code it will generate a header file ++SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made ++available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys ++the ssh key is available in SSSD_test_cert_pubsshkey_*.h as ++SSSD_TEST_CERT_SSH_KEY_*. 
++ ++Other targets for other types of tests can be added to the Makefile and should ++be documented here. +diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config +new file mode 100644 +index 000000000..90ae2233c +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_CA.config +@@ -0,0 +1,47 @@ ++[ ca ] ++default_ca = CA_default ++ ++[ CA_default ] ++dir = . ++database = $dir/index.txt ++new_certs_dir = $dir/newcerts ++ ++certificate = $dir/SSSD_test_CA.pem ++serial = $dir/serial ++private_key = $dir/SSSD_test_CA_key.pem ++RANDFILE = $dir/rand ++ ++default_days = 365 ++default_crl_days = 30 ++default_md = sha256 ++ ++policy = policy_any ++email_in_dn = no ++ ++name_opt = ca_default ++cert_opt = ca_default ++copy_extensions = copy ++ ++[ usr_cert ] ++authorityKeyIdentifier = keyid, issuer ++ ++[ v3_ca ] ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always,issuer:always ++basicConstraints = CA:true ++keyUsage = critical, digitalSignature, cRLSign, keyCertSign ++ ++[ policy_any ] ++organizationName = supplied ++organizationalUnitName = supplied ++commonName = supplied ++emailAddress = optional ++ ++[ req ] ++distinguished_name = req_distinguished_name ++prompt = no ++ ++[ req_distinguished_name ] ++O = SSSD ++OU = SSSD test ++CN = SSSD test CA +diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem +new file mode 100644 +index 000000000..4838d0379 +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_CA_key.pem +@@ -0,0 +1,52 @@ ++-----BEGIN PRIVATE KEY----- ++MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq ++8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5 ++pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx ++8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ ++xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn ++iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX 
++KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm ++f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx ++WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH ++83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM ++XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+ ++w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD ++VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/ ++JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC ++CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg ++tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h ++WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF ++qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX ++4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW ++h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba ++enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC ++NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP ++INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv ++noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs ++zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8 ++Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf ++PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3 ++ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT ++ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD ++DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K ++IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj ++SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu ++vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM ++bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi ++w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r 
++VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc ++ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07 ++suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0 ++5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF ++ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W ++kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl ++ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE ++HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu ++GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX ++RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t ++byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU ++q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN ++/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC ++y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH ++xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+ ++-----END PRIVATE KEY----- +diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config +new file mode 100644 +index 000000000..b6c52a148 +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_cert_0001.config +@@ -0,0 +1,20 @@ ++# This certificate is used in ++# - src/tests/cmocka/test_cert_utils.c ++# - src/tests/cmocka/test_pam_srv.c ++[ req ] ++distinguished_name = req_distinguished_name ++prompt = no ++ ++[ req_distinguished_name ] ++O = SSSD ++OU = SSSD test ++CN = SSSD test cert 0001 ++ ++[ req_exts ] ++basicConstraints = CA:FALSE ++nsCertType = client, email ++nsComment = "SSSD test Certificate" ++subjectKeyIdentifier = hash ++keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment ++extendedKeyUsage = clientAuth, emailProtection ++subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd// +diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config +new file mode 100644 
+index 000000000..8722ffa7e +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_cert_0002.config +@@ -0,0 +1,19 @@ ++# This certificate is used in ++# - src/tests/cmocka/test_pam_srv.c ++[ req ] ++distinguished_name = req_distinguished_name ++prompt = no ++ ++[ req_distinguished_name ] ++O = SSSD ++OU = SSSD test ++CN = SSSD test cert 0002 ++ ++[ req_exts ] ++basicConstraints = CA:FALSE ++nsCertType = client ++nsComment = "SSSD test Certificate" ++subjectKeyIdentifier = hash ++keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment ++extendedKeyUsage = clientAuth ++subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd// +diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem +new file mode 100644 +index 000000000..365c9897a +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG ++V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D ++ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v ++BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq ++ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k ++hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST ++a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7 ++yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz ++yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8 ++K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp ++8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K ++FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK ++0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K ++Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L ++ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH 
++QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV ++6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy ++JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/ ++Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq ++zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv ++NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum ++Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD ++8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR ++plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5 +++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+ ++O8zzsFaOeoxTVyVxjHmuhZ6U ++-----END PRIVATE KEY----- +diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem +new file mode 100644 +index 000000000..d80349f50 +--- /dev/null ++++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr ++b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR ++QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y ++DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf ++gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b ++1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ ++Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA ++sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16 ++ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d ++FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8 ++YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd ++lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK ++qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh ++DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH 
++AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR ++/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V ++KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2 ++/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM ++MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ ++6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG ++dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4 ++Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y ++9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB +++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/ ++OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq ++JxM2HRDRdC23CGRuGjv+hO4d ++-----END PRIVATE KEY----- +-- +2.17.0 + diff --git a/0054-TESTS-replace-hardcoded-certificates.patch b/0054-TESTS-replace-hardcoded-certificates.patch new file mode 100644 index 0000000..3923899 --- /dev/null +++ b/0054-TESTS-replace-hardcoded-certificates.patch 
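Review bot: In the `p11_nssdb_2certs` recipe of src/tests/test_CA/Makefile.am both pk12util invocations carry a stray positional argument, `$(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)`, that the otherwise identical `p11_nssdb` recipe does not have; it reads like a copy-paste leftover, and whether pk12util ignores it or rejects the call should be verified before tests depend on the two-certificate database, so the lines should read `$(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)` and likewise for `_0002`. In the same file the `SSSD_test_cert_x509_%.h` rule pipes through a bare `openssl` from PATH instead of the `$(OPENSSL)` that configure located and gated BUILD_TEST_CA on, so the header can be produced by a different binary than the certificate it embeds; `$(shell cat $< | $(OPENSSL) x509 -outform der | base64 -w 0)` keeps the two consistent, and `base64 -w 0` plus the `echo -n 01 > serial` in the `serial` target are GNU/bash-isms worth a comment if the test CA is ever built on another userland. The README should also say that the CA configuration's `copy_extensions = copy` is what carries each CSR's `[ req_exts ]` (basicConstraints, keyUsage, subjectAltName) into the issued certificate, since that is the only place those extensions are defined and anyone adding a new `SSSD_test_cert_*.config` needs to know that the config file, not the CA, decides them; noting that the checked-in keys and the fixed PKCS#12 password are build-time test fixtures regenerated via `ca_all` would complete the picture.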
@@ -0,0 +1,365 @@ +From a6514e1829c018c7b68b168e6206ec51bd8a7e08 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 14 Feb 2019 18:35:49 +0100 +Subject: [PATCH] TESTS: replace hardcoded certificates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since the hardcoded certificates have a limited lifetime they are +replaces by certificates from the test CA. + +Related to https://pagure.io/SSSD/sssd/issue/3436 + +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f) +--- + src/tests/cmocka/test_cert_utils.c | 41 ++++-------- + src/tests/cmocka/test_pam_srv.c | 104 +++++++++++------------------ + 2 files changed, 50 insertions(+), 95 deletions(-) + +diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c +index f50030e49..dd58b73a7 100644 +--- a/src/tests/cmocka/test_cert_utils.c ++++ b/src/tests/cmocka/test_cert_utils.c +@@ -34,6 +34,13 @@ + #include "util/crypto/nss/nss_util.h" + #include "util/crypto/sss_crypto.h" + ++#ifdef HAVE_TEST_CA ++#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h" ++#include "tests/test_CA/SSSD_test_cert_x509_0001.h" ++#else ++#define SSSD_TEST_CERT_0001 "" ++#define SSSD_TEST_CERT_SSH_KEY_0001 "" ++#endif + + /* TODO: create a certificate for this test */ + const uint8_t test_cert_der[] = { +@@ -325,32 +332,6 @@ void test_sss_cert_derb64_to_ldap_filter(void **state) + talloc_free(filter); + } + +-#define SSH_TEST_CERT \ +-"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ +-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \ +-"NDEzNDlaFw0xODA1MjQxNDEzNDlaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \ +-"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \ +-"ADCCAQoCggEBALfEAE0IUlOAgDTdZQGcYA03IPooixNnkUQruh0eU3uw+KYGQoS1" \ +-"YCdCHJzRc+IfuqdNntgtGDIpWADRwB4h963pBImpMSU5L1T4uiHNCpvl9eMt4ynk" \ +-"xduOa+JmJUvqvwe7Gj9iDql4lWmJcXvq74/yOc3MBSPQCdg/pHZU65+NjSZmZzlN" \ 
+-"eNV3tQKrhMe6tM00pai2igXilfUpzOU2v+AX69oOesrqTUl9i2eCUirGanR9l95d" \ +-"yVCcmIDJd2P2NLIkhbHGRitfTC/tQZ4G+Edg9STw8Y+4ljp2rTHs59dWRBe2Gn8Z" \ +-"Zt8zZ5WuNxARVF1THI9X6ydX/uoaz8R7pfkCAwEAAaOCASYwggEiMB8GA1UdIwQY" \ +-"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \ +-"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \ +-"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \ +-"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \ +-"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \ +-"IEF1dGhvcml0eTAdBgNVHQ4EFgQUMydoshxYXhDXOMo/EETvrZaQuBwwDQYJKoZI" \ +-"hvcNAQELBQADggEBADIrTFNvEdZGna7jD1xpiLGGUwCi11GQT+Txg5B7dydUn5U5" \ +-"32zSBBZV6bsy0E+PiiAgehJObv9hBaOWnhp7ltNyQod1OLdI1t988ow2wxHvUEEi" \ +-"MhRF0h2RJwdYIUIIF7XC01mKBOFj/84vvMOgLToZnGqVzArkzpr1aCaHI7EoTkpb" \ +-"V16v+drZkXc47JuHg5CRjTHV/kFPm63gQ8Fstmw/dQZBzbCiVzmcG0Xm9r4jMOOf" \ +-"YjVueMt/jk1LP4KoSCBY6kLMcpL5rQm53hO82rPAgV695rjdPlIUm09dvkCl28ZD" \ +-"109Ju18eAaaVFewK82NDg9rsNraBKxMCBSgg0es=" +- +-#define SSH_PUB_KEY "AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xABNCFJTgIA03WUBnGANNyD6KIsTZ5FEK7odHlN7sPimBkKEtWAnQhyc0XPiH7qnTZ7YLRgyKVgA0cAeIfet6QSJqTElOS9U+LohzQqb5fXjLeMp5MXbjmviZiVL6r8Huxo/Yg6peJVpiXF76u+P8jnNzAUj0AnYP6R2VOufjY0mZmc5TXjVd7UCq4THurTNNKWotooF4pX1KczlNr/gF+vaDnrK6k1JfYtnglIqxmp0fZfeXclQnJiAyXdj9jSyJIWxxkYrX0wv7UGeBvhHYPUk8PGPuJY6dq0x7OfXVkQXthp/GWbfM2eVrjcQEVRdUxyPV+snV/7qGs/Ee6X5" +- + void test_cert_to_ssh_key(void **state) + { + int ret; +@@ -366,13 +347,13 @@ void test_cert_to_ssh_key(void **state) + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + +- der = sss_base64_decode(ts, SSH_TEST_CERT, &der_size); ++ der = sss_base64_decode(ts, SSSD_TEST_CERT_0001, &der_size); + assert_non_null(der); + +- exp_key = sss_base64_decode(ts, SSH_PUB_KEY, &exp_key_size); ++ exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size); + assert_non_null(exp_key); + +- ret = 
cert_to_ssh_key(ts, "sql:" ABS_SRC_DIR "/src/tests/cmocka/p11_nssdb", ++ ret = cert_to_ssh_key(ts, "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", + der, der_size, &cert_verify_opts, &key, &key_size); + assert_int_equal(ret, EOK); + assert_int_equal(key_size, exp_key_size); +@@ -407,8 +388,10 @@ int main(int argc, const char *argv[]) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter, + setup, teardown), ++#ifdef HAVE_TEST_CA + cmocka_unit_test_setup_teardown(test_cert_to_ssh_key, + setup, teardown), ++#endif + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ +diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c +index c510c2d3b..e68e81f97 100644 +--- a/src/tests/cmocka/test_pam_srv.c ++++ b/src/tests/cmocka/test_pam_srv.c +@@ -38,6 +38,14 @@ + #include "util/crypto/nss/nss_util.h" + #endif + ++#ifdef HAVE_TEST_CA ++#include "tests/test_CA/SSSD_test_cert_x509_0001.h" ++#include "tests/test_CA/SSSD_test_cert_x509_0002.h" ++#else ++#define SSSD_TEST_CERT_0001 "" ++#define SSSD_TEST_CERT_0002 "" ++#endif ++ + #define TESTS_PATH "tp_" BASE_FILE_STEM + #define TEST_CONF_DB "test_pam_conf.ldb" + #define TEST_DOM_NAME "pam_test" +@@ -52,55 +60,11 @@ + + #define TEST_TOKEN_NAME "SSSD Test Token" + #define TEST_MODULE_NAME "NSS-Internal" +-#define TEST_KEY_ID "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7" +-#define TEST_PROMPT "Server-Cert\nCN=ipa-devel.ipa.devel,O=IPA.DEVEL" +-#define TEST_TOKEN_CERT \ +-"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ +-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \ +-"NDE0MTVaFw0xODA1MjQxNDE0MTVaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \ +-"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \ +-"ADCCAQoCggEBALHvOzZy/3llvoAYxrtOpux0gDVvSuSRpTGOW/bjpgdTowvXoOb5" \ +-"G9Cy/9S6be7ZJ9D95lc/J9W8tX+ShKN8Q4b74l4WjmILQJ4dUsJ/BXfvoMPR8tw/" \ 
+-"G47dGbLZanMXdWGBSTuXhoiogZWib2DhSwrX2DbEH5L3OWooeAVU5ZWOw55/HD7O" \
+-"Q/7Of7H3tf4bvxNTFkxh39KQMG28wjPZSv+SZWNHMB+rj2yZgyeHBMkoPOPesAEi" \
+-"7KKHxw1MHSv2xBI1AiV+aMdKfYUMy0Rq3PrRU4274i3eaBX4Q9GnDi36K/7bHjbt" \
+-"LW0YTIW/L5/cH/BO88BREjxS3bEXAQqlKOcCAwEAAaOCASYwggEiMB8GA1UdIwQY" \
+-"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
+-"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
+-"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
+-"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
+-"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
+-"IEF1dGhvcml0eTAdBgNVHQ4EFgQUIJuWIts3m3uEYqJ9pUL0y7utTiEwDQYJKoZI" \
+-"hvcNAQELBQADggEBAB0GyqGxtZ99fsXA1+fHfAwKOwznT7Hh8hN9efEMBJICVud+" \
+-"ivUBOH6JpSTWgNLuBhrpebV/b/DSjhn+ayuvoPWng3hjwMbSEIe0euzCEdwVcokt" \
+-"bwNMMSeTxSg6wbJnEyZqQEIr2h/TR9dRNxE+RbQXyamW0fUxSVT16iueL0hMwszT" \
+-"jCfI/UZv3tDMHbh6D4811A0HO8daW7ufMGb/M+kDxYigJiL2gllMZ+6xba1RRgzF" \
+-"8Z+9gqZhCa7FEKJOPNR9RVtJs0qUUutMZrp1zpyx0GTmXQBA7LbgPxy8L68uymEQ" \
+-"XyQBwOYRORlnfGyu+Yc9c3E0Wx8Tlznz0lqPR9g="
+-
+-#define TEST2_KEY_ID "C8D60E009EB195D01A7083EE1D5419251AA87C2C"
+-#define TEST2_PROMPT "ipaCert\nCN=IPA RA,O=IPA.DEVEL"
+-#define TEST_TOKEN_2ND_CERT \
+-"MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
+-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
+-"NDEzMDFaFw0xODA1MTMxNDEzMDFaMCUxEjAQBgNVBAoMCUlQQS5ERVZFTDEPMA0G" \
+-"A1UEAwwGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3abE" \
+-"8LmIc6QN16VVxsMlN/rrCOoZKyyJolSzpP4+K66t+KZUiW/1j1MZogjyYyD39U1F" \
+-"zpa2H+pID74XYrdiqP7sp+uE9/k2XOv/nN3FobXDt+fSINLDriCmxNhUZqpgo2uq" \
+-"Mmka+yx2iJZwkntEoJTcd3aynoa2Sa2ZZbkMBy5p6/pUQKwnD6scOwe6mUDppIBK" \
+-"+ZZRm+u/NDdIRFI5wfKLRR1r/ONaJA9nz1TxSEsgLsjG/1m+Zbb6lGG4pePIFkQ9" \
+-"Iotpi64obBh93oIxzQR29lBG/FMjQVHlPIbx+xuGx11Vtp5pAomgFz0HRrj0leI7" \
+-"bROE+jnC/VGPLQD2aQIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFPci/0Km5D/L5z7Y" \
+-"qwEc7E1/GwgcMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lw" \
+-"YS1kZXZlbC5pcGEuZGV2ZWw6ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYD" \
+-"VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBg" \
+-"4Sppx2C3eXPJ4Pd9XElkQPOaBReXf1vV0uk/GlK+rG+aAqAkA2Lryx5PK/iAuzAU" \
+-"M6JUpELuQYgqugoCgBXMgsMlpAO/0C3CFq4ZH3KgIsRlRngKPrt6RG0UPMRD1CE2" \
+-"tSVkwUWvyK83lDiu2BbWDXyMyz5eZOlp7uHusf5BKvob8jEndHj1YzaNTmVSsDM5" \
+-"kiIwf8qgFhsO1HCq08PtAnbVHhqkcvnmIJN98eNWNfTKodDmFVbN8gB0wK+WB5ii" \
+-"WVOw7+3/zF1QgqnYX3t+kPLRryip/wvTZkzXWwMNj/W6UHgjNF/4gWGoBgCHu+u3" \
+-"EvjMmbVSrEkesibpGQS5"
++#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
++#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
+ 
++#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
++#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
+ 
+ static char CACHED_AUTH_TIMEOUT_STR[] = "4";
+ static const int CACHED_AUTH_TIMEOUT = 4;
+@@ -187,7 +151,7 @@ static errno_t setup_nss_db(void)
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
++ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+@@ -208,7 +172,7 @@ static errno_t setup_nss_db(void)
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
++ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+@@ -451,6 +415,7 @@ static int pam_test_setup(void **state)
+ return 0;
+ }
+ 
++#ifdef HAVE_TEST_CA
+ #ifdef HAVE_NSS
+ static int pam_test_setup_no_verification(void **state)
+ {
+@@ -476,6 +441,7 @@ static int pam_test_setup_no_verification(void **state)
+ return 0;
+ }
+ #endif /* HAVE_NSS */
++#endif /* HAVE_TEST_CA */
+ 
+ static int pam_cached_test_setup(void **state)
+ {
+@@ -1915,6 +1881,7 @@ static int test_lookup_by_cert_cb(void *pvt)
+ 
+ return EOK;
+ }
++
+ static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
+ {
+ int ret;
+@@ -1927,7 +1894,7 @@ static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
+ attrs = sysdb_new_attrs(pam_test_ctx);
+ assert_non_null(attrs);
+ 
+- der = sss_base64_decode(pam_test_ctx, TEST_TOKEN_2ND_CERT, &der_size);
++ der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size);
+ assert_non_null(der);
+ 
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
+@@ -2033,7 +2000,7 @@ void test_pam_preauth_cert_match(void **state)
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2057,7 +2024,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state)
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
+ "gdm-smartcard", test_lookup_by_cert_cb,
+- TEST_TOKEN_CERT, false);
++ SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2080,7 +2047,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state)
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_wrong_user_cb,
+- TEST_TOKEN_CERT, false);
++ SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2111,7 +2078,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
+ * request will be done with the username found by the certificate
+ * lookup. */
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+ mock_account_recv_simple();
+ mock_parse_inp("pamuser", NULL, EOK);
+ 
+@@ -2140,7 +2107,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state)
+ * during pre-auth and there is no need for an extra mocked response as in
+ * test_pam_preauth_cert_no_logon_name. */
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2162,7 +2129,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+ 
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
++ false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2185,7 +2153,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
+ pam_test_ctx->rctx->domains->user_name_hint = true;
+ 
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
++ false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2258,8 +2227,8 @@ void test_pam_cert_auth(void **state)
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ "NSS-Internal",
+- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
++ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2292,8 +2261,8 @@ void test_pam_cert_auth_no_logon_name(void **state)
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
+ "NSS-Internal",
+- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
++ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
+ 
+ mock_account_recv_simple();
+ mock_parse_inp("pamuser", NULL, EOK);
+@@ -2354,8 +2323,9 @@ void test_pam_cert_auth_double_cert(void **state)
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ "NSS-Internal",
+- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
+- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, true);
++ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
++ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
++ true);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2380,7 +2350,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state)
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
++ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2403,7 +2373,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
+ 
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb_2nd_cert_same_user,
+- TEST_TOKEN_CERT, false);
++ SSSD_TEST_CERT_0001, false);
+ 
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+@@ -2812,6 +2782,7 @@ int main(int argc, const char *argv[])
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa,
+ pam_cached_test_setup,
+ pam_test_teardown),
++#ifdef HAVE_TEST_CA
+ /* p11_child is not built without NSS */
+ #ifdef HAVE_NSS
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
+@@ -2856,6 +2827,7 @@ int main(int argc, const char *argv[])
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
+ pam_test_setup, pam_test_teardown),
+ #endif /* HAVE_NSS */
++#endif /* HAVE_TEST_CA */
+ 
+ cmocka_unit_test_setup_teardown(test_filter_response,
+ pam_test_setup, pam_test_teardown),
+-- 
+2.17.0
+
diff --git a/sssd.spec b/sssd.spec
index dbd4c90..fd9814d 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -34,7 +34,7 @@
 Name: sssd
 Version: 1.16.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -94,6 +94,8 @@ Patch0049: 0049-FILES-Reduce-code-duplication.patch
 Patch0050: 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
 Patch0051: 0051-FILES-Skip-files-that-are-not-created-yet.patch
 Patch0052: 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
+Patch0053: 0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
+Patch0054: 0054-TESTS-replace-hardcoded-certificates.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1295,6 +1297,10 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Mon May 14 2018 Fabiano Fidêncio - 1.16.1-5
+- Related: upstream#3436 - Certificates used in unit tests have limited
+  lifetime
+
 * Sat May 05 2018 Fabiano Fidêncio - 1.16.1-4
 - Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa
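Review bot: test_lookup_by_cert_cb_2nd_cert_same_user() decodes `SSSD_TEST_CERT_0002`, but neither this callback nor its neighbour test_lookup_by_cert_cb() is under the `HAVE_TEST_CA` guard that this patch adds around pam_test_setup_no_verification() and the certificate tests in main(). If `SSSD_TEST_CERT_0002` comes from the header generated by the test CA, a build configured without the test CA fails to compile here unless the include site, which is outside this view, supplies a fallback definition such as `#define SSSD_TEST_CERT_0002 ""`. Either wrap the certificate callbacks in the same `#ifdef HAVE_TEST_CA` as the tests that use them, or confirm the fallback exists and note it in a comment above the callback. The function body starts before and continues after this hunk.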
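Review bot: The key id passed to mock_input_pam_cert() in test_pam_cert_auth() is the literal `"C554C9F82C2A9D58B70921C143304153A8A42F17"`, which duplicates the value the first hunk defines as `TEST_KEY_ID`, and the same literal is repeated in test_pam_cert_auth_no_logon_name() and test_pam_cert_auth_double_cert() below. Since the purpose of the generated test CA is that certificates, and hence key ids, can be regenerated, pass `TEST_KEY_ID, NULL,` in place of the quoted string so a regeneration touches one definition instead of every call site; a stale copy would otherwise make the auth tests fail with a misleading "key id mismatch" rather than a build error. The enclosing test functions start outside their hunks.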
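Review bot: With `#endif /* HAVE_TEST_CA */` closing the new guard, every certificate test is dropped from the cmocka list when the test CA is not configured, so such a build reports a passing suite without exercising smart-card authentication at all. Consider making that gap visible rather than silent, for example an `#else` branch that registers one test calling `skip()` with a message such as "test CA not configured, certificate tests skipped", or at least a comment above `#ifdef HAVE_TEST_CA` stating that the certificate tests require the configure-time test CA. main() starts outside this hunk.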