authordjm@openbsd.org <djm@openbsd.org>2019-11-26 23:43:10 +0000
committerDamien Miller <djm@mindrot.org>2019-11-27 11:02:49 +1100
commitad44ca81bea83657d558aaef5a1d789a9032bac3 (patch)
treec4143c62227e817790c3362d409cdef93b5b52da /regress/krl.sh
parentc6efa8a91af1d4fdb43909a23a0a4ffa012155ad (diff)
upstream: test FIDO2/U2F key types; ok markus@
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh22
1 files changed, 14 insertions, 8 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index c9b2e67e..1efd80bf 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,16 +1,19 @@
-# $OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $
+# $OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
# Use ed25519 by default since it's fast and it's supported when building
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
-ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
ssh-dss) ktype4=dsa ;;
+ sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
+ sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
esac
done
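Review bot: The comment above the defaults still reads `Populate ktype[2-4]`, although the loop now also fills ktype5 and ktype6; it should say `ktype[2-6]`. In addition, `maybe_filter_sk` is not defined in the visible part of this file (presumably it comes from the shared test harness). When it strips the sk- types, or when the build lacks them, ktype5 and ktype6 silently stay ed25519, so the test passes without any FIDO key going through the KRL checks. Logging the selection after the loop, for example `verbose "$tid: key types $ktype1 $ktype2 $ktype3 $ktype4 $ktype5 $ktype6"`, would show in the log whether security-key revocation was actually covered.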
@@ -34,6 +37,7 @@ serial: 10
serial: 15
serial: 30
serial: 50
+serial: 90
serial: 999
# The following sum to 500-799
serial: 500
@@ -51,7 +55,7 @@ EOF
# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
-for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
test "x$n" = "x499" && continue
# Fill in by-ID revocation spec.
echo "id: revoked $n" >> $OBJ/revoked-keyid
@@ -64,9 +68,11 @@ keygen() {
# supported.
keytype=$ktype1
case $N in
- 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
- 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
- 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
+ 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
+ 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
+ 16 | 70 | 540 | 1004) keytype=$ktype5 ;;
+ 32 | 90 | 550 | 1005) keytype=$ktype6 ;;
esac
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|| fatal "$SSHKEYGEN failed"
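Review bot: None of the serials in the new `16 | 70 | 540 | 1004` arm appear in the updated `REVOKED_SERIALS` or in the added serial and ID entries. Only 90 and 550 were added, and both map to ktype6, so within the visible hunks no ed25519-sk key is generated on the revoked path. If the unrevoked list outside this diff is the only place ktype5 is used, KRL matching for that key type is tested only in the negative direction. Adding 540 would close the gap: `REVOKED_SERIALS="1 4 10 50 90 500 510 520 540 550 799 999"`. It falls inside the 500-799 serial range the spec already revokes, and the by-ID loop's `jot 500 300` output appears to cover it as well. The body of keygen starts and ends outside this hunk.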
@@ -78,7 +84,7 @@ keygen() {
# Generate some keys.
verbose "$tid: generating test keys"
-REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
RKEYS="$RKEYS ${f}.pub"