URL: https://github.com/SSSD/sssd/pull/5566 Author: peptekmail Title: #5566: Fix exponent padding when deriving rsapubkey to ssh Action: synchronized
From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 02:14:52 +0200 Subject: [PATCH 1/6] TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard eponent is chosen. --- src/tests/cmocka/test_pam_srv.c | 2 +- src/tests/intg/test_ssh_pubkey.py | 61 ++++++++++++++++--- src/tests/test_CA/Makefile.am | 21 +++++-- src/tests/test_CA/README | 3 +- src/tests/test_CA/SSSD_test_cert_0005.config | 1 + src/tests/test_CA/SSSD_test_cert_0007.config | 6 +- src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 ++++++++-------- src/util/cert/libcrypto/cert.c | 9 ++- 8 files changed, 110 insertions(+), 45 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index d41f5e78a5..3720cf17bb 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state) mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", TEST_MODULE_NAME, "C554C9F82C2A9D58B70921C143304153A8A42F17", - "SSSD test cert 0007 /oddchar", NULL, + "SSSD test cert 0007", NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0007); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 24b5c258c6..949f082124 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py @@ -22,16 +22,16 @@ import signal import subprocess import time -import ldap -import ldap.modlist -import pytest import string import random +import pytest -import config import ds_openldap -import ent import ldap_ent +import ldap +import ldap.modlist +import config + from util import unindent, get_call_output LDAP_BASE_DN = "dc=example,dc=com" 
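Review bot: The token label passed to mock_input_pam_cert loses its `/oddchar` suffix, which judging by the name existed to exercise a label containing a non-alphanumeric character, so test_pam_pss_cert_auth now covers less than before. The same rename is applied to the p11tool `--label` arguments in the Makefile while the certificate CN keeps `/oddchar`, and neither the patch subject nor the PR description says why the label had to change. If the slash broke the p11tool object URL or the new intg test, say so in the commit message and keep at least one PKCS#11 object with an odd label; otherwise keep `"SSSD test cert 0007 /oddchar"` here. test_pam_pss_cert_auth continues outside the hunk.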
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None): SCHEMA_RFC2307_BIS = "rfc2307bis" -def format_basic_conf(ldap_conn, schema): +def format_basic_conf(ldap_conn, schema, config): """Format a basic SSSD configuration""" schema_conf = "ldap_schema = " + schema + "\n" schema_conf += "ldap_group_object_class = groupOfNames\n" @@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema): [ssh] debug_level=10 + ca_db = {config.PAM_CERT_DB_PATH} + + [pam] + pam_cert_auth = True [domain/LDAP] {schema_conf} @@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema): ldap_search_base = {ldap_conn.ds_inst.base_dn} ldap_sudo_use_host_filter = false debug_level=10 + ldap_user_certificate = userCertificate;binary """).format(**locals()) @@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn): ent_list.add_user("user2", 1002, 2001) create_ldap_fixture(request, ldap_conn, ent_list) - conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config) create_conf_fixture(request, conf) create_sssd_fixture(request) return None @@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key): assert len(sshpubkey) == 0 +def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): + """ + Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match. + """ + for u in [1,7]: + pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u) + with open(pubsshkey_path, 'r') as f: + pubsshkey = f.read() + sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u]) + print(sshpubkey) + print(pubsshkey) + assert sshpubkey == pubsshkey + @pytest.fixture() def sighup_client(request): test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR, 
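Review bot: test_ssh_pubkey_retrieve_cert checks only the positive path, that a certificate chaining to `ca_db` yields the expected key; nothing asserts that a certificate which does not validate against `ca_db` produces no key, so a regression that skipped validation in the ssh responder would still pass. Add a user whose userCertificate is self-signed or issued by another CA and assert `len(get_call_output(["sss_ssh_authorizedkeys", "userX"])) == 0`, the form test_ssh_pubkey_retrieve already uses. Separately, the new `config` parameter of format_basic_conf shadows the imported `config` module, and every caller sets `config.PAM_CERT_DB_PATH` on the module and then passes the module itself, so the parameter adds nothing; reading the module directly and keeping the old signature is simpler.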
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn): ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list) create_ldap_fixture(request, ldap_conn, ent_list) - conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config) create_conf_fixture(request, conf) create_sssd_fixture(request) return None +@pytest.fixture +def add_user_with_ssh_cert(request, ldap_conn): + # Add a certificate to ldap, to manually test a cert from a smartcard, export it and insert below. + config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] + + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user7", 1007, 2001) + create_ldap_fixture(request, ldap_conn, ent_list) + + for u in [1,7]: + der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_x509_000%s.der" % u) + with open(der_path, 'rb') as f: + val = f.read() + + dn = "uid=user%s,ou=Users," % u + LDAP_BASE_DN + ldap_conn.modify_s(dn, [(ldap.MOD_ADD, 'usercertificate;binary', val)]) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + return None + + def test_ssh_sighup(add_user_with_many_keys, sighup_client): """ A regression test for https://github.com/SSSD/sssd/issues/4754 diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am index f0bced6021..add5103393 100644 --- a/src/tests/test_CA/Makefile.am +++ b/src/tests/test_CA/Makefile.am 
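Review bot: The comment at the top of add_user_with_ssh_cert ("to manually test a cert from a smartcard, export it and insert below") describes a manual step the code does not reflect; the loop reads the `SSSD_test_cert_x509_000%s.der` files produced by test_CA. Replace it with what the fixture does, e.g. `# Load the DER certificates generated in test_CA into userCertificate;binary for user1 and user7.` The fixture also repeats `config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']` that the two other fixtures now carry; a small helper or a module-scoped fixture would keep that in one place.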
@@ -28,7 +28,8 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) -extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id softhsm2_pss_one + +extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id softhsm2_pss_one SSSD_test_cert_x509_0001.der SSSD_test_cert_x509_0007.der if HAVE_FAKETIME extra += SSSD_test_CA_expired_crl.pem endif @@ -53,8 +54,7 @@ SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSS $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \ fi -# SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings seen by some 3rd party CA:s -.INTERMEDIATE: SSSD_test_cert_req_0007.pem +# SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings as seen by some 3rd party CA:s SSSD_test_cert_req_0007.pem: $(srcdir)/SSSD_test_cert_key_0007.pem $(srcdir)/SSSD_test_cert_0007.config if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0007.config) -eq 0 ]; then \ $(OPENSSL) req -new -key $< -config $(srcdir)/SSSD_test_cert_0007.config -sigopt rsa_padding_mode\:pss -sha256 -sigopt rsa_pss_saltlen\:20 -out $@ ; \ 
@@ -76,7 +76,7 @@ SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@ SSSD_test_cert_x509_0007.pem: SSSD_test_cert_req_0007.pem $(openssl_ca_config) SSSD_test_CA.pem - $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -sigopt rsa_padding_mode\:pss -sigopt rsa_pss_saltlen\:20 -out $@ + $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -sigopt rsa_padding_mode\:pss -sigopt rsa_pss_saltlen\:20 -days 200 -extensions usr_cert -out $@ SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ @@ -118,6 +118,15 @@ softhsm2_one.conf: @echo "objectstore.backend = file" >> $@ @echo "slots.removable = true" >> $@ +#Export cert from softhsm2 via p11tool, should produce the same as openssl +SSSD_test_cert_x509_0001.der: softhsm2_one.conf + $(eval ID_VAR = $(shell GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --info|cut -d' ' -f2|grep ^pkcs11)) + @echo ID_VAR=$(ID_VAR) GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) '$(ID_VAR)' --export --outder --outfile $@ + +SSSD_test_cert_x509_0007.der: softhsm2_pss_one.conf + $(eval ID_VAR = $(shell GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --info|cut -d' ' -f2|grep ^pkcs11)) + @echo ID_VAR=$(ID_VAR) GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) '$(ID_VAR)' --export --outder --outfile $@ + softhsm2_two: softhsm2_two.conf mkdir $@ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free 
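Review bot: The recipes for SSSD_test_cert_x509_0001.der and SSSD_test_cert_x509_0007.der start with `@echo`, so they print the p11tool export command instead of running it and never write `$@`, unless the echo is a debugging leftover that was meant to be removed. They also depend only on the `softhsm2_*.conf` file rather than on the `softhsm2_one`/`softhsm2_pss_one` targets that initialise the token and import the certificate, so under `make -j` the export can run against an empty token. Since the PEM certificate already exists, the p11tool and `$(eval)` detour can go entirely: a pattern rule `SSSD_test_cert_x509_%.der: SSSD_test_cert_x509_%.pem` with `$(OPENSSL) x509 -in $< -outform DER -out $@` produces the same DER with no token dependency.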
@@ -171,8 +180,8 @@ softhsm2_2certs_same_id.conf: softhsm2_pss_one: softhsm2_pss_one.conf mkdir $@ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free - GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0007.pem --login --label 'SSSD test cert 0007 /oddchar' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' - GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0007.pem --login --label 'SSSD test cert 0007 /oddchar' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0007.pem --login --label 'SSSD test cert 0007' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0007.pem --login --label 'SSSD test cert 0007' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' softhsm2_pss_one.conf: @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_pss_one" > $@ diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README index 3b6522f338..25c8a7e2a2 100644 --- a/src/tests/test_CA/README +++ b/src/tests/test_CA/README 
@@ -9,7 +9,7 @@ pattern SSSD_test_cert_*.config. Additionally a matching key file SSSD_test_cert_key_%.pem should be added e.g. with openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048 - openssl genpkey -algorithm RSA -out SSSD_test_cert_key_0007.pem -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:0x25 + openssl genpkey -algorithm RSA -out SSSD_test_cert_key_0007.pem -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:32993 It would be possible to generate the keys automatically as well but pre-created keys will safe some resources on the hosts running the tests, @@ -25,6 +25,7 @@ SSSD_TEST_CERT_SSH_KEY_*. Cert 0007 will be created with nondefault exponent setting and later on signed with rsassapss as seen by some 3rd party CA:s. +The exponent is chosen to trigger padding errors. Other targets for other types of tests can be added to the Makefile and should be documented here. diff --git a/src/tests/test_CA/SSSD_test_cert_0005.config b/src/tests/test_CA/SSSD_test_cert_0005.config index affc35f7cc..4923331c62 100644 --- a/src/tests/test_CA/SSSD_test_cert_0005.config +++ b/src/tests/test_CA/SSSD_test_cert_0005.config @@ -19,3 +19,4 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd// authorityInfoAccess = OCSP;URI:http://ocsp.my.server.test/ + diff --git a/src/tests/test_CA/SSSD_test_cert_0007.config b/src/tests/test_CA/SSSD_test_cert_0007.config index 2b5e66e126..74a29cc1f7 100644 --- a/src/tests/test_CA/SSSD_test_cert_0007.config +++ b/src/tests/test_CA/SSSD_test_cert_0007.config 
@@ -14,10 +14,12 @@ CN = SSSD test cert 0007 /oddchar [ req_exts ] basicConstraints = CA:FALSE -nsCertType = client, email -nsComment = "SSSD test Certificate" subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd// +crlDistributionPoints=@crl_section +[crl_section] +URI.1 = http://localhost/intCA.crl + diff --git a/src/tests/test_CA/SSSD_test_cert_key_0007.pem b/src/tests/test_CA/SSSD_test_cert_key_0007.pem index 2fb04e8ee7..655ea4c93d 100644 --- a/src/tests/test_CA/SSSD_test_cert_key_0007.pem +++ b/src/tests/test_CA/SSSD_test_cert_key_0007.pem 
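Review bot: The crlDistributionPoints extension pointing at `http://localhost/intCA.crl` is added without a comment, and neither the patch subject nor the README hunk mentions it. If it is there so the certificate resembles the third-party CA profile described in the Makefile comment, add `# CDP present only to mimic 3rd-party CA profiles; nothing serves it during tests` above `crlDistributionPoints=@crl_section`, so nobody later wires the test harness to fetch it.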
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrB/7JxPxoqqZm -cnHnic5BlRdp1DIVv00lmvPUtuN7KaIghuH1yQ/ZPpUl9wstyH7gHvp3i69sR9pB -ITU+B3808FfWdJqcvg/Iu9GC/auiNB9wQ3wXcRuIBxSvQC96qM0LPKE2Fc3KAB3J -gnJrZKB2HsrojOHjT3brb1D6qAvUExqTlURqI3dt3I/E32xUMUspzHSZYajm5pSw -VoqftHgj75ocxJH6ey91+dLNcL2jTlbs2oxDk35ouqX/SgsGHU2KS5mLNiRZ3nlK -odVpmYzJz+hTbtD5p+kfeofZL+DgMYzSlqDD0xL2kPo1OD0A4iTkybzOGh0FX2m/ -PU5FhH0hAgElAoIBAHOPx9RwV4T9rrPsdnnZpwm3w7Y1bfMEt5XzE3QM3uSD6hX6 -RaYSOyQVh17XWpSOY5CDolDGKmvB2KiMDze/4FQzsPivprzvH2v0hqSdj6TyySJX -HH6KsbzGg5kB2uQs3ZH4iJoqaHO647GrKrdD/beYQ+k8mKCBzORES3juFdR6gMWE -Sz3yo/q58MufOer4fL/SGK7LFg9mQu0cmJ+3mfNgOI2q8ZeAvzbJikBD1T6AfTLq -+uvWkbSyZU1UIukGWYkLNut0E+hAAKl34ziC4C2i8oVz3vzFncgZipz1dv7VN73+ -mXhGwK8khp/teLiaRRqkFXv9IIJdBymwzxw47pECgYEA4ZNiNUCWOaXBO/fL8P7L -hauXjsd+p/Risx8b3Fvs0qAx+HgKay8o8waKKyEsWhlSuggz15ViyDFbb2+gZAO0 -sk1XFmfaFBESDSXJ9tsbGf409HOUkScg9/QRs5zs/459rA+NzgEhWCq1K9OPE2tv -nTGQrcVX9lxaGQy99ONy0msCgYEAwhlQi1L9LF9Fk0OOOhhcaQYm6j/VJ/pxp3n7 -4NyEt21254tg/q2oK622BAV5mJPhSf+xVcwHoSGzWPRBnE1fNXIhWtEg6JTolB/K -RpcEbrEF81fIXDN28yw4yaXh1Qu//udIVgZx+cilv3T3yNYnz4GN5P9Vw1i5EuVv -boo4SaMCgYEAyTBsWQJAy6GsWBRb8p4PdzgtOieMo6KdN/kmr8eb3nMzfL4XIVOT -OZ4Mh1TwNK7NPiL9zh1zx06dqJP9wPxi5DckKL19UCrmlhrI4xZyHhoTjeqLbLQy -KUF3kluHRMsx0M+aJm+19LB4ElTnZFjnAdJCxH+TpGA0ro7S7yu5b48CgYEAslxz -hvJQbfauov/OzZnYYIIxmPxjAiRocGJBZth59KnHNaKsKEyMsoPzXaQqjDTc3DcR -qMlTHnH+wHG/wA+/Rd5/g+LES1hnBKeXR8kK/e7HMqOxMiF0OWboEz58fpUs+BLM -2W2017F1ttovzU8rgGk2SA06DXQfsH/OLjnS2+ECgYEA2ztONW9kGDkQPYTFuqsS -H/ZAs6dqXNB9lbqWUKAHN3oKkKae1XkQflTwEN/fQ8KluYZ1fhyVksChatGgA8EF -mnyqY/jJpF+Oe9CwQdD2c2hPYpITTmYp1CowwkukXp/fI5iTTzbku+AUKs1g6pvF -iELLr7k9ZGLxsqH+r/pcH1s= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaL8sA3b2WVm46 +WKHA8y0FOi9pw7qIbLWJPbHM2kaZa3CwM+RRvNTOTYJ4yFd2Z+H9XJ2pbEKwZk/q +AEy7o9g8e5xkHOLMQxzLpVpK8RBF+23/cW4BXlXg4aZ4Mnk/A5ig4c5hPIChDP/s +FtSgno4MMAtQjSku7iq4+oiqiwKwQJ6lNtQ6TKoouXTGwYE3uumRvfx5HEx0fQo5 
+aAvFa+uCRI0wrjTh6lGgL1yeCw5KZzUovie8bowHbeQfsmhuTPIo5pEfGDFHm1Np +ZLEHZVzuWTte0410J94Ov5faLzC+4wxWZIvb/DefGtJL1mSTo9p3A+9mI1fuHYPx +0BRUPsM1AgMAgOECggEAFEqiCWzQlIKuLPgqVJSL3VJHH1KsKOvZCob3jCyV80am +YiCi5qs4iWSqUnQ7pgqtIalWCu/qq7X4v5T+Q/mdJOjP36zWDSXYDwGsIlHVesQg +NrTxrsE8XQzV6u5ZMB73jklO6BZ42uZcC5BC3yw2wkPyT+AMmtvAyFqjQQDf9YUH +glNK74WfacEzGFTGwYqHwsHUhLare1hRcpaE57Wwl17IS7zYebcO16qhuJEWu0XK +yZTi+LOhs1pJV4yhYXILq70sQIt9MmjGNvblehgdSdBpg0CLjLOB4DS1Z1OpvNUD +uPPM/tObQoctCd3jQO1YLR0MnPycuz6/YJObKaDqKQKBgQDMP8Mn9+HASTL+t6v1 ++jYDpJkwruhGCQ5e/bzLA7E5TCAJTjOQMCJhQQL9DYO143OtHKXH54wTkfQ0nnZn +DkDzGlBKewi4L6sLnNU+R0HOIY48nW4eEEe+fE4AcK7Vv+dlwfABvgxQpi0CmJUe +viC0ZBR2gInnuZpiFvNygI6fJwKBgQDBQNO8ftTLkarCWPkh2oFSuTIVmSaQtuzh +MA5CmqtPDH38/eVJmIRLaWGQecjbBN+ec0vTSGuvIDvWDNV1X5hBb/TDn8mYU9vt +nBxCAcwwqcQ4CtJrrPXHS6sxWSGz3vC9DuLdc1K9imCV1LUW1P9Gjp8AtEr/++oz +v+CQXS2EQwKBgDVZ7O0GWEQ+St3LxhOetUIPJ3ajNUrdv/AvYGOla9Cg/l3RmrW0 +gX8agIdHxb451EEowyK0MOUi1479Y5LKg7FxvbZcFcjF/WDFv6pboIpXPeHCQAV2 +hcc80E2NUFQbhCk+pVSWntH43No7LRK+5WK514Ti71wloidLHzIDTbPdAoGAQafV +588gj06xxu9inT4pTEYKhWjbIfr3rEL0juFkO1/1Q7OQFYEBLQKzgjLrNYd4pFC2 +pP4VRItXx5Gh3hgHBriNnyEmXkuepFC6ulC/emhHM8qZjK/i/eQVZ8cDdUU1TdkK +Eu80aXi5h9/lSP8X0rBbX04k8tHFhfJE4gylYTMCgYAYU9xPpX3hJ8U2ZpD4vSnk +/3XrjEdkACrmmt9kacnc3IC5CKB6OfNN6PkEHC3s7DzHTr5LYqSvh1PV7dqJ+4g9 +7rUXdnHh0YIAvD8gz6H+QRglxB1OnOJ9AWwUonzt1ySAAuZMqLTdmq9pXz8Gg7IY +CrF5rU6DMEElaGiHpcwlQA== -----END PRIVATE KEY----- diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c index acca07dd04..6fbdd78a57 100644 --- a/src/util/cert/libcrypto/cert.c +++ b/src/util/cert/libcrypto/cert.c @@ -322,6 +322,8 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key, + modulus_len + exponent_len + 1; /* see comment about missing 00 below */ + if (exponent[0] & 0x80) + size++; buf = talloc_size(mem_ctx, size); if (buf == NULL) { 
@@ -334,7 +336,12 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key, SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c); safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c); - SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c); + if (exponent[0] & 0x80){ + SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len+1), &c); + SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c); + } else { + SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c); + } safealign_memcpy(&buf[c], exponent, exponent_len, &c); /* Adding missing 00 which AFAIK is added to make sure From 889682c0b0e2c96cd0ac2706a36444a3ec4ab9ee Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 02:37:08 +0200 Subject: [PATCH 2/6] python syntax --- src/tests/intg/test_ssh_pubkey.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 949f082124..9392836a0c 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py @@ -243,10 +243,11 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key): def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): """ - Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match. + Test that we can retrieve an SSH public key derived from a cert in ldap. + Compare with the sshpubkey derived via openssl, they should match. """ - for u in [1,7]: - pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u) + for u in [1, 7]: + pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_pubsshkey_000%s.pub" % u) with open(pubsshkey_path, 'r') as f: pubsshkey = f.read() sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u]) 
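Review bot: `exponent[0]` is read before anything checks `exponent_len > 0`; how the exponent buffer is filled is above the hunk, but if it comes from BN_num_bytes()/BN_bn2bin() a certificate carrying a zero public exponent would give a zero-length buffer and a one-byte read past its end, and such a certificate can arrive from LDAP. A zero-length exponent is not a usable RSA key anyway and should be rejected with an error rather than encoded. The same `exponent[0] & 0x80` test is also evaluated twice, once for the size and once when writing the length, with a `){` spacing slip; computing the padding once removes both problems. rsa_pub_key_to_ssh begins and ends outside the hunk.
```c
    if (exponent_len == 0) {
        ret = EINVAL;
        goto done;
    }
    /* RFC 4251 mpint: a positive value whose top bit is set needs a leading 0x00 */
    size_t exp_pad = (exponent[0] & 0x80) ? 1 : 0;
    size += exp_pad;
    /* … unchanged: talloc_size(), SSH_RSA_HEADER … */
    SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len + exp_pad), &c);
    if (exp_pad) {
        SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c);
    }
    safealign_memcpy(&buf[c], exponent, exponent_len, &c);
```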
@@ -254,6 +255,7 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): print(pubsshkey) assert sshpubkey == pubsshkey + @pytest.fixture() def sighup_client(request): test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR, @@ -289,7 +291,8 @@ def add_user_with_many_keys(request, ldap_conn): @pytest.fixture def add_user_with_ssh_cert(request, ldap_conn): - # Add a certificate to ldap, to manually test a cert from a smartcard, export it and insert below. + # Add a certificate to ldap, to manually test a cert from a smartcard. + # Export it and insert below. config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) @@ -297,8 +300,8 @@ def add_user_with_ssh_cert(request, ldap_conn): ent_list.add_user("user7", 1007, 2001) create_ldap_fixture(request, ldap_conn, ent_list) - for u in [1,7]: - der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_x509_000%s.der" % u) + for u in [1, 7]: + der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_x509_000%s.der" % u) with open(der_path, 'rb') as f: val = f.read() From b8e451d5a476d230fa47240b0949de433027bf75 Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 02:47:31 +0200 Subject: [PATCH 3/6] python syntax --- src/tests/intg/test_ssh_pubkey.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 9392836a0c..545cdc031c 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py 
@@ -247,7 +247,8 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): Compare with the sshpubkey derived via openssl, they should match. """ for u in [1, 7]: - pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_pubsshkey_000%s.pub" % u) + pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \ + "SSSD_test_cert_pubsshkey_000%s.pub" % u) with open(pubsshkey_path, 'r') as f: pubsshkey = f.read() sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u]) @@ -301,7 +302,8 @@ def add_user_with_ssh_cert(request, ldap_conn): create_ldap_fixture(request, ldap_conn, ent_list) for u in [1, 7]: - der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_x509_000%s.der" % u) + der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \ + "SSSD_test_cert_x509_000%s.der" % u) with open(der_path, 'rb') as f: val = f.read() From 17b851ab2708eabfa08f0651f7fea2ba83e67efc Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 11:07:05 +0200 Subject: [PATCH 4/6] python syntax --- src/tests/intg/test_ssh_pubkey.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 545cdc031c..3ee3367bfd 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py @@ -247,8 +247,8 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): Compare with the sshpubkey derived via openssl, they should match. """ for u in [1, 7]: - pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \ - "SSSD_test_cert_pubsshkey_000%s.pub" % u) + pubsshkey_path = os.path.dirname(config.PAM_CERT_DB_PATH) + pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u) with open(pubsshkey_path, 'r') as f: pubsshkey = f.read() sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u]) 
@@ -302,8 +302,8 @@ def add_user_with_ssh_cert(request, ldap_conn): create_ldap_fixture(request, ldap_conn, ent_list) for u in [1, 7]: - der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \ - "SSSD_test_cert_x509_000%s.der" % u) + der_path = os.path.dirname(config.PAM_CERT_DB_PATH) + der_path += "/SSSD_test_cert_x509_000%s.der" % u) with open(der_path, 'rb') as f: val = f.read() From f85699b4154fb20ecd38d1ed80bf48859d8a436f Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 16:44:46 +0200 Subject: [PATCH 5/6] python syntax --- src/tests/intg/test_ssh_pubkey.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 3ee3367bfd..d58c1a5f05 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py @@ -248,7 +248,7 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): """ for u in [1, 7]: pubsshkey_path = os.path.dirname(config.PAM_CERT_DB_PATH) - pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u) + pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u with open(pubsshkey_path, 'r') as f: pubsshkey = f.read() sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u]) @@ -303,7 +303,7 @@ def add_user_with_ssh_cert(request, ldap_conn): for u in [1, 7]: der_path = os.path.dirname(config.PAM_CERT_DB_PATH) - der_path += "/SSSD_test_cert_x509_000%s.der" % u) + der_path += "/SSSD_test_cert_x509_000%s.der" % u with open(der_path, 'rb') as f: val = f.read() From 8966543089374ebc000c4b4a7a20f704f36874d3 Mon Sep 17 00:00:00 2001 From: peptekmail <peptekm...@gmail.com> Date: Sat, 3 Apr 2021 21:46:15 +0200 Subject: [PATCH 6/6] Make distclean cleanup added files --- src/tests/test_CA/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am index add5103393..b319c56163 100644 --- a/src/tests/test_CA/Makefile.am 
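Review bot: Patch 5 settles on `os.path.dirname(config.PAM_CERT_DB_PATH)` followed by `+= "/SSSD_test_cert_pubsshkey_000%s.pub" % u`, which gives up the os.path.join of the first version for manual separator handling only to satisfy line length. A line break inside the parentheses of os.path.join needs no backslash, so `pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),` with the filename argument on the next line keeps both the join and the linter happy; the same applies to `der_path` in add_user_with_ssh_cert. Both functions begin and end outside the hunk.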
+++ b/src/tests/test_CA/Makefile.am @@ -55,6 +55,7 @@ SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSS fi # SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings as seen by some 3rd party CA:s +.INTERMEDIATE: SSSD_test_cert_req_0007.pem SSSD_test_cert_req_0007.pem: $(srcdir)/SSSD_test_cert_key_0007.pem $(srcdir)/SSSD_test_cert_0007.config if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0007.config) -eq 0 ]; then \ $(OPENSSL) req -new -key $< -config $(srcdir)/SSSD_test_cert_0007.config -sigopt rsa_padding_mode\:pss -sha256 -sigopt rsa_pss_saltlen\:20 -out $@ ; \ @@ -195,6 +196,7 @@ CLEANFILES = \ SSSD_test_CA.pem $(pwdfile) SSSD_test_CA_expired_crl.pem \ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \ softhsm2_*.conf \ + SSSD_test_*.der \ $(NULL) clean-local: