URL: https://github.com/SSSD/sssd/pull/5566
Author: peptekmail
 Title: #5566: Fix exponent padding when deriving rsapubkey to ssh
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5566/head:pr5566
git checkout pr5566
From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 02:14:52 +0200
Subject: [PATCH 1/6] TEST: FIX: When generating a ssh pubkey from a cert extra
 padding is needed if a nonstandard eponent is chosen.

---
 src/tests/cmocka/test_pam_srv.c               |  2 +-
 src/tests/intg/test_ssh_pubkey.py             | 61 ++++++++++++++++---
 src/tests/test_CA/Makefile.am                 | 21 +++++--
 src/tests/test_CA/README                      |  3 +-
 src/tests/test_CA/SSSD_test_cert_0005.config  |  1 +
 src/tests/test_CA/SSSD_test_cert_0007.config  |  6 +-
 src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 ++++++++--------
 src/util/cert/libcrypto/cert.c                |  9 ++-
 8 files changed, 110 insertions(+), 45 deletions(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d41f5e78a5..3720cf17bb 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state)
     mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
                         TEST_MODULE_NAME,
                         "C554C9F82C2A9D58B70921C143304153A8A42F17",
-                        "SSSD test cert 0007 /oddchar", NULL,
+                        "SSSD test cert 0007", NULL,
                         test_lookup_by_cert_cb, SSSD_TEST_CERT_0007);
 
     will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 24b5c258c6..949f082124 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
 
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
 
 
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
     """Format a basic SSSD configuration"""
     schema_conf = "ldap_schema         = " + schema + "\n"
     schema_conf += "ldap_group_object_class = groupOfNames\n"
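Review bot: The new `config` parameter on line 71 shadows the module-level `import config` (line 61), and every caller in this patch passes that same module object, so the parameter adds nothing except the impression that a per-test configuration object is being injected. Either drop the parameter and let the template read the module directly, or pass the one value the template actually needs, e.g. `def format_basic_conf(ldap_conn, schema, pam_cert_db_path):` with `ca_db               = {pam_cert_db_path}` in the template. format_basic_conf's body continues outside the hunk.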
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 
         [ssh]
         debug_level=10
+        ca_db               = {config.PAM_CERT_DB_PATH}
+
+        [pam]
+        pam_cert_auth = True
 
         [domain/LDAP]
         {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
         ldap_search_base    = {ldap_conn.ds_inst.base_dn}
         ldap_sudo_use_host_filter = false
         debug_level=10
+        ldap_user_certificate = userCertificate;binary
     """).format(**locals())
 
 
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
     ent_list.add_user("user2", 1002, 2001)
     create_ldap_fixture(request, ldap_conn, ent_list)
 
-    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+    config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
     create_conf_fixture(request, conf)
     create_sssd_fixture(request)
     return None
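Review bot: Line 99 assigns `config.PAM_CERT_DB_PATH` from `os.environ['PAM_CERT_DB_PATH']` inside a fixture, which mutates the shared imported `config` module and makes this fixture — whose test never touches certificates — fail with a bare KeyError when the variable is unset; the same lookup is repeated at lines 129 and 139. Reading the variable once in a small module-scoped fixture (or once at import, if the intg harness guarantees it) and having the three fixtures depend on it keeps the environment lookup in one place and gives one clear failure message instead of three. add_user_with_ssh_key begins outside the hunk.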
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
     assert len(sshpubkey) == 0
 
 
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+    """
+    Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+    """
+    for u in [1,7]:
+        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+        with open(pubsshkey_path, 'r') as f:
+            pubsshkey = f.read()
+        sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+        print(sshpubkey)
+        print(pubsshkey)
+        assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
     test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
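Review bot: The two `print()` calls at lines 117-118 look like leftover debugging; pytest only shows captured output on failure, so the same diagnostic is better attached to the assertion, `assert sshpubkey == pubsshkey, (sshpubkey, pubsshkey)`. The comparison on line 119 is an exact string match, so the test appears to depend on `get_call_output` returning text with the same trailing newline as the `.pub` file — a short comment saying so would stop a formatting mismatch from being read as a key-derivation bug. The loop over `[1,7]` encodes which test certificates exist; a module-level `CERT_IDS = (1, 7)` shared with `add_user_with_ssh_cert` (line 146) would keep the two loops in step.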
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
     ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
     create_ldap_fixture(request, ldap_conn, ent_list)
 
-    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+    config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
     create_conf_fixture(request, conf)
     create_sssd_fixture(request)
     return None
 
 
+@pytest.fixture
+def add_user_with_ssh_cert(request, ldap_conn):
+    # Add a certificate to ldap, to manually test a cert from a smartcard, export it and insert below.
+    config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+    ent_list.add_user("user1", 1001, 2001)
+    ent_list.add_user("user7", 1007, 2001)
+    create_ldap_fixture(request, ldap_conn, ent_list)
+
+    for u in [1,7]:
+        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_x509_000%s.der" % u)
+        with open(der_path, 'rb') as f:
+            val = f.read()
+
+        dn = "uid=user%s,ou=Users," % u + LDAP_BASE_DN
+        ldap_conn.modify_s(dn, [(ldap.MOD_ADD, 'usercertificate;binary', val)])
+
+    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
+    create_conf_fixture(request, conf)
+    create_sssd_fixture(request)
+
+    return None
+
+
 def test_ssh_sighup(add_user_with_many_keys, sighup_client):
     """
     A regression test for https://github.com/SSSD/sssd/issues/4754
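Review bot: The comment on line 138 describes a manual procedure rather than what `add_user_with_ssh_cert` does; a docstring such as `"""Create user1/user7 and attach the matching test-CA DER certificate to each as userCertificate;binary."""` would tell a reader what the fixture sets up. Lines 147 and 152 locate the `.der` files relative to `os.path.dirname(config.PAM_CERT_DB_PATH)`, which couples the fixture to the test_CA build-directory layout; that assumption deserves a one-line comment, since moving `ca_db` alone would break these tests for a non-obvious reason. The `return None` on line 158 is redundant for a fixture and can be dropped.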
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index f0bced6021..add5103393 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -28,7 +28,8 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
 pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
 pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
 
-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id softhsm2_pss_one
+
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id softhsm2_pss_one SSSD_test_cert_x509_0001.der SSSD_test_cert_x509_0007.der
 if HAVE_FAKETIME
 extra += SSSD_test_CA_expired_crl.pem
 endif
@@ -53,8 +54,7 @@ SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSS
 		$(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
 	fi
 
-# SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings seen by some 3rd party CA:s
-.INTERMEDIATE: SSSD_test_cert_req_0007.pem
+# SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings as seen by some 3rd party CA:s
 SSSD_test_cert_req_0007.pem: $(srcdir)/SSSD_test_cert_key_0007.pem $(srcdir)/SSSD_test_cert_0007.config
 	if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0007.config) -eq 0 ]; then \
 		$(OPENSSL) req -new -key $< -config $(srcdir)/SSSD_test_cert_0007.config  -sigopt rsa_padding_mode\:pss -sha256 -sigopt rsa_pss_saltlen\:20 -out $@ ;  \
@@ -76,7 +76,7 @@ SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test
 	$(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@
 
 SSSD_test_cert_x509_0007.pem: SSSD_test_cert_req_0007.pem $(openssl_ca_config) SSSD_test_CA.pem
-	$(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert  -sigopt rsa_padding_mode\:pss -sigopt rsa_pss_saltlen\:20 -out $@
+	$(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -sigopt rsa_padding_mode\:pss  -sigopt rsa_pss_saltlen\:20 -days 200 -extensions usr_cert -out $@
 
 SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
 	$(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
@@ -118,6 +118,15 @@ softhsm2_one.conf:
 	@echo "objectstore.backend = file" >> $@
 	@echo "slots.removable = true" >> $@
 
+#Export cert from softhsm2 via p11tool, should produce the same as openssl
+SSSD_test_cert_x509_0001.der: softhsm2_one.conf
+	$(eval ID_VAR = $(shell GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --info|cut -d' ' -f2|grep ^pkcs11))
+	@echo  ID_VAR=$(ID_VAR) GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) '$(ID_VAR)' --export --outder --outfile $@
+
+SSSD_test_cert_x509_0007.der: softhsm2_pss_one.conf
+	$(eval ID_VAR = $(shell GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --info|cut -d' ' -f2|grep ^pkcs11))
+	@echo ID_VAR=$(ID_VAR) GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) '$(ID_VAR)' --export --outder --outfile $@
+
 softhsm2_two: softhsm2_two.conf
 	mkdir $@
 	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
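Review bot: The recipe bodies at lines 204 and 208 start with `@echo`, so the `$(P11TOOL) ... --export --outder --outfile $@` command is printed rather than executed and the `.der` target is never written; make does not check that a recipe produced its target, so the failure would surface later as a missing-file error in test_ssh_pubkey.py. Unless the echo is deliberate debugging output, drop the `@echo ` prefix (and the `ID_VAR=$(ID_VAR)` token, which only makes sense as echoed text). The `$(eval ID_VAR = $(shell ...))` on lines 203 and 207 also defines a global make variable from inside a recipe, shared by both rules; a recipe-local shell variable (`id=$$(...)`) would make the dependency on make's expansion order unnecessary.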
@@ -171,8 +180,8 @@ softhsm2_2certs_same_id.conf:
 softhsm2_pss_one: softhsm2_pss_one.conf
 	mkdir $@
 	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
-	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0007.pem --login  --label 'SSSD test cert 0007 /oddchar' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17'
-	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0007.pem --login  --label 'SSSD test cert 0007 /oddchar' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17'
+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0007.pem --login  --label 'SSSD test cert 0007' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17'
+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0007.pem --login  --label 'SSSD test cert 0007' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17'
 
 softhsm2_pss_one.conf:
 	@echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_pss_one" > $@
diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README
index 3b6522f338..25c8a7e2a2 100644
--- a/src/tests/test_CA/README
+++ b/src/tests/test_CA/README
@@ -9,7 +9,7 @@ pattern SSSD_test_cert_*.config. Additionally a matching key file
 SSSD_test_cert_key_%.pem should be added e.g. with
 
     openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048
-    openssl genpkey -algorithm RSA -out SSSD_test_cert_key_0007.pem -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:0x25
+    openssl genpkey -algorithm RSA -out SSSD_test_cert_key_0007.pem -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:32993
 
 It would be possible to generate the keys automatically as well but
 pre-created keys will safe some resources on the hosts running the tests,
@@ -25,6 +25,7 @@ SSSD_TEST_CERT_SSH_KEY_*.
 
 Cert 0007 will be created with nondefault exponent setting and later on signed
 with rsassapss as seen by some 3rd party CA:s.
+The exponent is chosen to trigger padding errors.
 
 Other targets for other types of tests can be added to the Makefile and should
 be documented here.
diff --git a/src/tests/test_CA/SSSD_test_cert_0005.config b/src/tests/test_CA/SSSD_test_cert_0005.config
index affc35f7cc..4923331c62 100644
--- a/src/tests/test_CA/SSSD_test_cert_0005.config
+++ b/src/tests/test_CA/SSSD_test_cert_0005.config
@@ -19,3 +19,4 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth
 subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
 authorityInfoAccess = OCSP;URI:http://ocsp.my.server.test/
+
diff --git a/src/tests/test_CA/SSSD_test_cert_0007.config b/src/tests/test_CA/SSSD_test_cert_0007.config
index 2b5e66e126..74a29cc1f7 100644
--- a/src/tests/test_CA/SSSD_test_cert_0007.config
+++ b/src/tests/test_CA/SSSD_test_cert_0007.config
@@ -14,10 +14,12 @@ CN = SSSD test cert 0007 /oddchar
 
 [ req_exts ]
 basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "SSSD test Certificate"
 subjectKeyIdentifier = hash
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
 
+crlDistributionPoints=@crl_section
+[crl_section]
+URI.1 = http://localhost/intCA.crl
+
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0007.pem b/src/tests/test_CA/SSSD_test_cert_key_0007.pem
index 2fb04e8ee7..655ea4c93d 100644
--- a/src/tests/test_CA/SSSD_test_cert_key_0007.pem
+++ b/src/tests/test_CA/SSSD_test_cert_key_0007.pem
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrB/7JxPxoqqZm
-cnHnic5BlRdp1DIVv00lmvPUtuN7KaIghuH1yQ/ZPpUl9wstyH7gHvp3i69sR9pB
-ITU+B3808FfWdJqcvg/Iu9GC/auiNB9wQ3wXcRuIBxSvQC96qM0LPKE2Fc3KAB3J
-gnJrZKB2HsrojOHjT3brb1D6qAvUExqTlURqI3dt3I/E32xUMUspzHSZYajm5pSw
-VoqftHgj75ocxJH6ey91+dLNcL2jTlbs2oxDk35ouqX/SgsGHU2KS5mLNiRZ3nlK
-odVpmYzJz+hTbtD5p+kfeofZL+DgMYzSlqDD0xL2kPo1OD0A4iTkybzOGh0FX2m/
-PU5FhH0hAgElAoIBAHOPx9RwV4T9rrPsdnnZpwm3w7Y1bfMEt5XzE3QM3uSD6hX6
-RaYSOyQVh17XWpSOY5CDolDGKmvB2KiMDze/4FQzsPivprzvH2v0hqSdj6TyySJX
-HH6KsbzGg5kB2uQs3ZH4iJoqaHO647GrKrdD/beYQ+k8mKCBzORES3juFdR6gMWE
-Sz3yo/q58MufOer4fL/SGK7LFg9mQu0cmJ+3mfNgOI2q8ZeAvzbJikBD1T6AfTLq
-+uvWkbSyZU1UIukGWYkLNut0E+hAAKl34ziC4C2i8oVz3vzFncgZipz1dv7VN73+
-mXhGwK8khp/teLiaRRqkFXv9IIJdBymwzxw47pECgYEA4ZNiNUCWOaXBO/fL8P7L
-hauXjsd+p/Risx8b3Fvs0qAx+HgKay8o8waKKyEsWhlSuggz15ViyDFbb2+gZAO0
-sk1XFmfaFBESDSXJ9tsbGf409HOUkScg9/QRs5zs/459rA+NzgEhWCq1K9OPE2tv
-nTGQrcVX9lxaGQy99ONy0msCgYEAwhlQi1L9LF9Fk0OOOhhcaQYm6j/VJ/pxp3n7
-4NyEt21254tg/q2oK622BAV5mJPhSf+xVcwHoSGzWPRBnE1fNXIhWtEg6JTolB/K
-RpcEbrEF81fIXDN28yw4yaXh1Qu//udIVgZx+cilv3T3yNYnz4GN5P9Vw1i5EuVv
-boo4SaMCgYEAyTBsWQJAy6GsWBRb8p4PdzgtOieMo6KdN/kmr8eb3nMzfL4XIVOT
-OZ4Mh1TwNK7NPiL9zh1zx06dqJP9wPxi5DckKL19UCrmlhrI4xZyHhoTjeqLbLQy
-KUF3kluHRMsx0M+aJm+19LB4ElTnZFjnAdJCxH+TpGA0ro7S7yu5b48CgYEAslxz
-hvJQbfauov/OzZnYYIIxmPxjAiRocGJBZth59KnHNaKsKEyMsoPzXaQqjDTc3DcR
-qMlTHnH+wHG/wA+/Rd5/g+LES1hnBKeXR8kK/e7HMqOxMiF0OWboEz58fpUs+BLM
-2W2017F1ttovzU8rgGk2SA06DXQfsH/OLjnS2+ECgYEA2ztONW9kGDkQPYTFuqsS
-H/ZAs6dqXNB9lbqWUKAHN3oKkKae1XkQflTwEN/fQ8KluYZ1fhyVksChatGgA8EF
-mnyqY/jJpF+Oe9CwQdD2c2hPYpITTmYp1CowwkukXp/fI5iTTzbku+AUKs1g6pvF
-iELLr7k9ZGLxsqH+r/pcH1s=
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaL8sA3b2WVm46
+WKHA8y0FOi9pw7qIbLWJPbHM2kaZa3CwM+RRvNTOTYJ4yFd2Z+H9XJ2pbEKwZk/q
+AEy7o9g8e5xkHOLMQxzLpVpK8RBF+23/cW4BXlXg4aZ4Mnk/A5ig4c5hPIChDP/s
+FtSgno4MMAtQjSku7iq4+oiqiwKwQJ6lNtQ6TKoouXTGwYE3uumRvfx5HEx0fQo5
+aAvFa+uCRI0wrjTh6lGgL1yeCw5KZzUovie8bowHbeQfsmhuTPIo5pEfGDFHm1Np
+ZLEHZVzuWTte0410J94Ov5faLzC+4wxWZIvb/DefGtJL1mSTo9p3A+9mI1fuHYPx
+0BRUPsM1AgMAgOECggEAFEqiCWzQlIKuLPgqVJSL3VJHH1KsKOvZCob3jCyV80am
+YiCi5qs4iWSqUnQ7pgqtIalWCu/qq7X4v5T+Q/mdJOjP36zWDSXYDwGsIlHVesQg
+NrTxrsE8XQzV6u5ZMB73jklO6BZ42uZcC5BC3yw2wkPyT+AMmtvAyFqjQQDf9YUH
+glNK74WfacEzGFTGwYqHwsHUhLare1hRcpaE57Wwl17IS7zYebcO16qhuJEWu0XK
+yZTi+LOhs1pJV4yhYXILq70sQIt9MmjGNvblehgdSdBpg0CLjLOB4DS1Z1OpvNUD
+uPPM/tObQoctCd3jQO1YLR0MnPycuz6/YJObKaDqKQKBgQDMP8Mn9+HASTL+t6v1
++jYDpJkwruhGCQ5e/bzLA7E5TCAJTjOQMCJhQQL9DYO143OtHKXH54wTkfQ0nnZn
+DkDzGlBKewi4L6sLnNU+R0HOIY48nW4eEEe+fE4AcK7Vv+dlwfABvgxQpi0CmJUe
+viC0ZBR2gInnuZpiFvNygI6fJwKBgQDBQNO8ftTLkarCWPkh2oFSuTIVmSaQtuzh
+MA5CmqtPDH38/eVJmIRLaWGQecjbBN+ec0vTSGuvIDvWDNV1X5hBb/TDn8mYU9vt
+nBxCAcwwqcQ4CtJrrPXHS6sxWSGz3vC9DuLdc1K9imCV1LUW1P9Gjp8AtEr/++oz
+v+CQXS2EQwKBgDVZ7O0GWEQ+St3LxhOetUIPJ3ajNUrdv/AvYGOla9Cg/l3RmrW0
+gX8agIdHxb451EEowyK0MOUi1479Y5LKg7FxvbZcFcjF/WDFv6pboIpXPeHCQAV2
+hcc80E2NUFQbhCk+pVSWntH43No7LRK+5WK514Ti71wloidLHzIDTbPdAoGAQafV
+588gj06xxu9inT4pTEYKhWjbIfr3rEL0juFkO1/1Q7OQFYEBLQKzgjLrNYd4pFC2
+pP4VRItXx5Gh3hgHBriNnyEmXkuepFC6ulC/emhHM8qZjK/i/eQVZ8cDdUU1TdkK
+Eu80aXi5h9/lSP8X0rBbX04k8tHFhfJE4gylYTMCgYAYU9xPpX3hJ8U2ZpD4vSnk
+/3XrjEdkACrmmt9kacnc3IC5CKB6OfNN6PkEHC3s7DzHTr5LYqSvh1PV7dqJ+4g9
+7rUXdnHh0YIAvD8gz6H+QRglxB1OnOJ9AWwUonzt1ySAAuZMqLTdmq9pXz8Gg7IY
+CrF5rU6DMEElaGiHpcwlQA==
 -----END PRIVATE KEY-----
diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c
index acca07dd04..6fbdd78a57 100644
--- a/src/util/cert/libcrypto/cert.c
+++ b/src/util/cert/libcrypto/cert.c
@@ -322,6 +322,8 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
                 + modulus_len
                 + exponent_len
                 + 1; /* see comment about missing 00 below */
+    if (exponent[0] & 0x80)
+      size++;
 
     buf = talloc_size(mem_ctx, size);
     if (buf == NULL) {
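Review bot: The size accounting at lines 340-341 and the write at lines 350-355 each re-test `exponent[0] & 0x80` independently, so the allocation and the bytes written can drift apart if one side is later edited — for a hand-sized buffer that is exactly the case that becomes a heap overflow, so compute the padding once and use it in both places: `int exp_pad = (exponent_len > 0 && (exponent[0] & 0x80)) ? 1 : 0;` before the size sum, then `size += exp_pad;` here and `SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len + exp_pad), &c);` followed by the `SAFEALIGN_SETMEM_VALUE` only when `exp_pad` is set in the second hunk (line 350). The `exponent_len > 0` guard matters only if the exponent buffer can be empty, which is decided outside this hunk. Style: the new lines use two-space indentation and `if (...){` without a space before the brace, whereas the surrounding code is four-space with `if (...) {`. rsa_pub_key_to_ssh starts and ends outside the hunk.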
@@ -334,7 +336,12 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
 
     SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c);
     safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c);
-    SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c);
+    if (exponent[0] & 0x80){
+      SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len+1), &c);
+      SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c);
+    } else {
+      SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c);
+    }
     safealign_memcpy(&buf[c], exponent, exponent_len, &c);
 
     /* Adding missing 00 which AFAIK is added to make sure

From 889682c0b0e2c96cd0ac2706a36444a3ec4ab9ee Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 02:37:08 +0200
Subject: [PATCH 2/6] python syntax

---
 src/tests/intg/test_ssh_pubkey.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 949f082124..9392836a0c 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -243,10 +243,11 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 
 def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
     """
-    Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+    Test that we can retrieve an SSH public key derived from a cert in ldap.
+    Compare with the sshpubkey derived via openssl, they should match.
     """
-    for u in [1,7]:
-        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+    for u in [1, 7]:
+        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_pubsshkey_000%s.pub" % u)
         with open(pubsshkey_path, 'r') as f:
             pubsshkey = f.read()
         sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
@@ -254,6 +255,7 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
         print(pubsshkey)
         assert sshpubkey == pubsshkey
 
+
 @pytest.fixture()
 def sighup_client(request):
     test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -289,7 +291,8 @@ def add_user_with_many_keys(request, ldap_conn):
 
 @pytest.fixture
 def add_user_with_ssh_cert(request, ldap_conn):
-    # Add a certificate to ldap, to manually test a cert from a smartcard, export it and insert below.
+    # Add a certificate to ldap, to manually test a cert from a smartcard.
+    # Export it and insert below.
     config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
 
     ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
@@ -297,8 +300,8 @@ def add_user_with_ssh_cert(request, ldap_conn):
     ent_list.add_user("user7", 1007, 2001)
     create_ldap_fixture(request, ldap_conn, ent_list)
 
-    for u in [1,7]:
-        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_x509_000%s.der" % u)
+    for u in [1, 7]:
+        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_x509_000%s.der" % u)
         with open(der_path, 'rb') as f:
             val = f.read()
 

From b8e451d5a476d230fa47240b0949de433027bf75 Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 02:47:31 +0200
Subject: [PATCH 3/6] python syntax

---
 src/tests/intg/test_ssh_pubkey.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 9392836a0c..545cdc031c 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -247,7 +247,8 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
     Compare with the sshpubkey derived via openssl, they should match.
     """
     for u in [1, 7]:
-        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_pubsshkey_000%s.pub" % u)
+        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \
+                                      "SSSD_test_cert_pubsshkey_000%s.pub" % u)
         with open(pubsshkey_path, 'r') as f:
             pubsshkey = f.read()
         sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
@@ -301,7 +302,8 @@ def add_user_with_ssh_cert(request, ldap_conn):
     create_ldap_fixture(request, ldap_conn, ent_list)
 
     for u in [1, 7]:
-        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), "SSSD_test_cert_x509_000%s.der" % u)
+        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \
+                                "SSSD_test_cert_x509_000%s.der" % u)
         with open(der_path, 'rb') as f:
             val = f.read()
 

From 17b851ab2708eabfa08f0651f7fea2ba83e67efc Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 11:07:05 +0200
Subject: [PATCH 4/6] python syntax

---
 src/tests/intg/test_ssh_pubkey.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 545cdc031c..3ee3367bfd 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -247,8 +247,8 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
     Compare with the sshpubkey derived via openssl, they should match.
     """
     for u in [1, 7]:
-        pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \
-                                      "SSSD_test_cert_pubsshkey_000%s.pub" % u)
+        pubsshkey_path = os.path.dirname(config.PAM_CERT_DB_PATH)
+        pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u)
         with open(pubsshkey_path, 'r') as f:
             pubsshkey = f.read()
         sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
@@ -302,8 +302,8 @@ def add_user_with_ssh_cert(request, ldap_conn):
     create_ldap_fixture(request, ldap_conn, ent_list)
 
     for u in [1, 7]:
-        der_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH), \
-                                "SSSD_test_cert_x509_000%s.der" % u)
+        der_path = os.path.dirname(config.PAM_CERT_DB_PATH)
+        der_path += "/SSSD_test_cert_x509_000%s.der" % u)
         with open(der_path, 'rb') as f:
             val = f.read()
 

From f85699b4154fb20ecd38d1ed80bf48859d8a436f Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 16:44:46 +0200
Subject: [PATCH 5/6] python syntax

---
 src/tests/intg/test_ssh_pubkey.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 3ee3367bfd..d58c1a5f05 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -248,7 +248,7 @@ def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
     """
     for u in [1, 7]:
         pubsshkey_path = os.path.dirname(config.PAM_CERT_DB_PATH)
-        pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u)
+        pubsshkey_path += "/SSSD_test_cert_pubsshkey_000%s.pub" % u
         with open(pubsshkey_path, 'r') as f:
             pubsshkey = f.read()
         sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
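Review bot: The rewrite at lines 504-506 replaces `os.path.join` with a hard-coded `/` and string `+=`; the original join only needed an implicit continuation inside its parentheses — no backslash — to satisfy the line-length check: `pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),` followed by `"SSSD_test_cert_pubsshkey_000%s.pub" % u)` on the next line. The same applies to `der_path` in the second hunk (lines 513-515).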
@@ -303,7 +303,7 @@ def add_user_with_ssh_cert(request, ldap_conn):
 
     for u in [1, 7]:
         der_path = os.path.dirname(config.PAM_CERT_DB_PATH)
-        der_path += "/SSSD_test_cert_x509_000%s.der" % u)
+        der_path += "/SSSD_test_cert_x509_000%s.der" % u
         with open(der_path, 'rb') as f:
             val = f.read()
 

From 8966543089374ebc000c4b4a7a20f704f36874d3 Mon Sep 17 00:00:00 2001
From: peptekmail <peptekm...@gmail.com>
Date: Sat, 3 Apr 2021 21:46:15 +0200
Subject: [PATCH 6/6] Make distclean cleanup added files

---
 src/tests/test_CA/Makefile.am | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index add5103393..b319c56163 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -55,6 +55,7 @@ SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSS
 	fi
 
 # SSSD_test_cert_0007 should produce a rsassapss signed cert with nondefault settings as seen by some 3rd party CA:s
+.INTERMEDIATE: SSSD_test_cert_req_0007.pem
 SSSD_test_cert_req_0007.pem: $(srcdir)/SSSD_test_cert_key_0007.pem $(srcdir)/SSSD_test_cert_0007.config
 	if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0007.config) -eq 0 ]; then \
 		$(OPENSSL) req -new -key $< -config $(srcdir)/SSSD_test_cert_0007.config  -sigopt rsa_padding_mode\:pss -sha256 -sigopt rsa_pss_saltlen\:20 -out $@ ;  \
@@ -195,6 +196,7 @@ CLEANFILES = \
     SSSD_test_CA.pem $(pwdfile) SSSD_test_CA_expired_crl.pem \
     $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
     softhsm2_*.conf \
+    SSSD_test_*.der \
     $(NULL)
 
 clean-local: