diff options
Diffstat (limited to 'regress/sshsig.sh')
| -rw-r--r-- | regress/sshsig.sh | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh new file mode 100644 index 00000000..8af06e49 --- /dev/null +++ b/regress/sshsig.sh @@ -0,0 +1,140 @@ +# $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $ +# Placed in the Public Domain. + +tid="sshsig" + +DATA2=$OBJ/${DATANAME}.2 +cat ${DATA} ${DATA} > ${DATA2} + +rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key* + +sig_namespace="test-$$" +sig_principal="user-$$@example.com" + +# Make a "wrong key" +${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \ + || fatal "couldn't generate key" +WRONG=$OBJ/wrong-key.pub + +# Make a CA key. +${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \ + || fatal "couldn't generate key" +CA_PRIV=$OBJ/sigca-key +CA_PUB=$OBJ/sigca-key.pub + +SIGNKEYS="$SSH_KEYTYPES" +verbose "$tid: make certificates" +for t in $SSH_KEYTYPES ; do + ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \ + -I "regress signature key for $USER" \ + -n $sig_principal $OBJ/${t} || \ + fatal "couldn't sign ${t}" + SIGNKEYS="$SIGNKEYS ${t}-cert.pub" +done + +for t in $SIGNKEYS; do + verbose "$tid: check signature for $t" + keybase=`basename $t .pub` + sigfile=${OBJ}/sshsig-${keybase}.sig + pubkey=${OBJ}/${keybase}.pub + + ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \ + < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed" + + (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 || \ + fail "failed signature for $t key" + + (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; + cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 || \ + fail "failed signature for $t key w/ limited namespace" + + # Invalid option + (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t key with bad signers option" + + # Wrong key trusted. + (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t key with wrong key trusted" + + # incorrect data + (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA2 >/dev/null 2>&1 && \ + fail "passed signature for wrong data with $t key" + + # wrong principal in signers + (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t key with wrong principal" + + # wrong namespace + (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t key with wrong namespace" + + # namespace excluded by option + (printf "$sig_principal namespaces=\"whatever\" " ; + cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t key with excluded namespace" + + # Remaining tests are for certificates only. + case "$keybase" in + *-cert) ;; + *) continue ;; + esac + + # correct CA key + (printf "$sig_principal cert-authority " ; + cat $CA_PUB) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 || \ + fail "failed signature for $t cert" + + # signing key listed as cert-authority + (printf "$sig_principal cert-authority" ; + cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature with $t key listed as CA" + + # CA key not flagged cert-authority + (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t cert with CA not marked" + + # mismatch between cert principal and file + (printf "josef.k@example.com cert-authority" ; + cat $CA_PUB) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "accepted signature for $t cert with wrong principal" +done + +# XXX test keys in agent. +# XXX test revocation + |