diff options
author | djm@openbsd.org <djm@openbsd.org> | 2017-04-30 23:34:55 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-05-01 11:59:42 +1000 |
commit | dd369320d2435b630a5974ab270d686dcd92d024 (patch) | |
tree | 97ae4bb34d835fbafad12180862195a9e9192d28 /regress/cert-file.sh | |
parent | 557f921aad004be15805e09fd9572969eb3d9321 (diff) | |
download | openssh-git-dd369320d2435b630a5974ab270d686dcd92d024.tar.gz |
upstream commit
eliminate explicit specification of protocol in tests and
loops over protocol. We only support SSHv2 now.
Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
Diffstat (limited to 'regress/cert-file.sh')
-rw-r--r-- | regress/cert-file.sh | 131 |
1 files changed, 64 insertions, 67 deletions
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 43b8e020..8fd62c77 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" @@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config # XXX: verify that certificate used was what we expect. Needs exposure of # keys via enviornment variable or similar. -for p in ${SSH_PROTOCOLS}; do # Key with no .pub should work - finding the equivalent *-cert.pub. - verbose "protocol $p: identity cert with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - - # CertificateFile matching private key with no .pub file should work. - verbose "protocol $p: CertificateFile with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -oCertificateFile=$OBJ/user_key3-cert.pub \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - - # Just keys should fail - verbose "protocol $p: plain keys" - ${SSH} $opts2 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with no certs in protocol $p" - fi - - # Keys with untrusted cert should fail. - verbose "protocol $p: untrusted cert" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with bad cert in protocol $p" - fi - - # Good cert with bad key should fail. - verbose "protocol $p: good cert, bad key" - opts3="$opts -i $OBJ/user_key2" - opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -eq 5$p ]; then - fail "ssh succeeded with no matching key in protocol $p" - fi - - # Keys with one trusted cert, should succeed. - verbose "protocol $p: single trusted" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh failed with trusted cert and key in protocol $p" - fi - - # Multiple certs and keys, with one trusted cert, should succeed. - verbose "protocol $p: multiple trusted" - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" - opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh failed with multiple certs in protocol $p" - fi -done +verbose "identity cert with no plain public file" +${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -i $OBJ/user_key3 somehost exit 52 +[ $? -ne 52 ] && fail "ssh failed" + +# CertificateFile matching private key with no .pub file should work. +verbose "CertificateFile with no plain public file" +${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -oCertificateFile=$OBJ/user_key3-cert.pub \ + -i $OBJ/user_key3 somehost exit 52 +[ $? -ne 52 ] && fail "ssh failed" + +# Just keys should fail +verbose "plain keys" +${SSH} $opts2 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with no certs" +fi + +# Keys with untrusted cert should fail. +verbose "untrusted cert" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with bad cert" +fi + +# Good cert with bad key should fail. +verbose "good cert, bad key" +opts3="$opts -i $OBJ/user_key2" +opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -eq 52 ]; then + fail "ssh succeeded with no matching key" +fi + +# Keys with one trusted cert, should succeed. +verbose "single trusted" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -ne 52 ]; then + fail "ssh failed with trusted cert and key" +fi + +# Multiple certs and keys, with one trusted cert, should succeed. +verbose "multiple trusted" +opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" +opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} $opts3 somehost exit 52 +r=$? +if [ $r -ne 52 ]; then + fail "ssh failed with multiple certs" +fi #next, using an agent in combination with the keys SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 @@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then fi # try ssh with the agent and certificates -# note: ssh agent only uses certificates in protocol 2 opts="-F $OBJ/ssh_proxy" # with no certificates, shoud fail -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -eq 52 ]; then - fail "ssh connect with agent in protocol 2 succeeded with no cert" + fail "ssh connect with agent in succeeded with no cert" fi #with an untrusted certificate, should fail opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -eq 52 ]; then - fail "ssh connect with agent in protocol 2 succeeded with bad cert" + fail "ssh connect with agent in succeeded with bad cert" fi #with an additional trusted certificate, should succeed opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" -${SSH} -2 $opts somehost exit 52 +${SSH} $opts somehost exit 52 if [ $? -ne 52 ]; then - fail "ssh connect with agent in protocol 2 failed with good cert" + fail "ssh connect with agent in failed with good cert" fi trace "kill agent" |