Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r-- | regress/cert-userkey.sh | 64 |
1 files changed, 42 insertions, 22 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6700db27..b093a919 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,43 +1,45 @@
-# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
 
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
- ecdsa=ecdsa
-fi
-
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+
+type_has_legacy() {
+ case $1 in
+ ed25519*|ecdsa*) return 1 ;;
+ esac
+ return 0
+}
+
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
 fail "ssh-keygen of user_ca_key failed"
 
 # Generate and sign user keys
-for ktype in rsa dsa $ecdsa ; do
+for ktype in $PLAIN_TYPES ; do
 verbose "$tid: sign user ${ktype} cert"
 ${SSHKEYGEN} -q -N '' -t ${ktype} \
 -f $OBJ/cert_user_key_${ktype} || \
 fail "ssh-keygen of cert_user_key_${ktype} failed"
- ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
- "regress user key for $USER" \
- -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"
- # v00 ecdsa certs do not exist
- test "${ktype}" = "ecdsa" && continue
+ type_has_legacy $ktype || continue
 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+ verbose "$tid: sign host ${ktype}_v00 cert"
 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
 "regress user key for $USER" \
 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
- fail "couldn't sign cert_user_key_${ktype}_v00"
+ fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 # Test explicitly-specified principals
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
 for privsep in yes no ; do
 _prefix="${ktype} privsep $privsep"
@@ -127,7 +129,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
 # Wrong principals list
 verbose "$tid: ${_prefix} wrong principals key option"
 (
- echon 'cert-authority,principals="gregorsamsa" '
+ printf 'cert-authority,principals="gregorsamsa" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -139,7 +141,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
 # Correct principals list
 verbose "$tid: ${_prefix} correct principals key option"
 (
- echon 'cert-authority,principals="mekmitasdigoat" '
+ printf 'cert-authority,principals="mekmitasdigoat" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -155,7 +157,7 @@ basic_tests() {
 if test "x$auth" = "xauthorized_keys" ; then
 # Add CA to authorized_keys
 (
- echon 'cert-authority '
+ printf 'cert-authority '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
 else
@@ -163,7 +165,7 @@ basic_tests() {
 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 fi
 
- for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
 for privsep in yes no ; do
 _prefix="${ktype} privsep $privsep $auth"
 # Simple connect
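Review bot: `PLAIN_TYPES` is taken from `$SSH -Q key-plain` with no check that the result is non-empty, so if that query fails every `for ktype in $PLAIN_TYPES` loop (here, and in the hunks at @@ -163 and @@ -315) iterates zero times and the test passes without exercising anything; add `[ -n "$PLAIN_TYPES" ] || fatal "$SSH -Q key-plain returned no key types"` directly after the assignment. The added progress line `verbose "$tid: sign host ${ktype}_v00 cert"` describes a user-key signing as "host" and should read `verbose "$tid: sign user ${ktype}_v00 cert"`. Switching only the v00 signing failure from `fail` to `fatal` while the plain signing a few lines above still uses `fail` looks deliberate but is unexplained; a short comment such as `# later tests cannot run without this cert` would save the next reader a question. The `for privsep` loop at the end of the hunk continues past it.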
@@ -185,14 +187,32 @@ basic_tests() {
 (
 cat $OBJ/sshd_proxy_bak
 echo "UsePrivilegeSeparation $privsep"
- echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+ echo "RevokedKeys $OBJ/cert_user_key_revoked"
 echo "$extra_sshd"
 ) > $OBJ/sshd_proxy
+ cp $OBJ/cert_user_key_${ktype}.pub \
+ $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ verbose "$tid: ${_prefix} revoked via KRL"
+ rm $OBJ/cert_user_key_revoked
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+ $OBJ/cert_user_key_${ktype}.pub
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
 fi
+ verbose "$tid: ${_prefix} empty KRL"
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
 done
 
 # Revoked CA
@@ -247,7 +267,7 @@ test_one() {
 if test "x$auth" = "xauthorized_keys" ; then
 # Add CA to authorized_keys
 (
- echon "cert-authority${auth_opt} "
+ printf "cert-authority${auth_opt} "
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
 else
@@ -315,7 +335,7 @@ test_one "principals key option no principals" failure "" \
 
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
 case $ktype in
 *_v00) args="-t v00" ;;
 *) args="" ;; |
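Review bot: Neither `${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked $OBJ/cert_user_key_${ktype}.pub` nor the later `${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked` in the "empty KRL" step checks its exit status. If the first one fails, the `rm` just before it has already removed the revoked-keys file, and a refused connection (sshd appears to reject public-key auth when the RevokedKeys file cannot be read) makes the negative test pass for the wrong reason; if the second one fails, the previous KRL still revokes the key and the positive test reports the misleading `ssh cert connect failed`. Append `|| fatal "ssh-keygen -k failed"` to both invocations, as the script already does for its other ssh-keygen calls. The new `fail "ssh cert connect succeeded unexpecedly"` copies the existing misspelling of "unexpectedly". The `for privsep` loop enclosing these lines begins before the hunk.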
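Review bot: `printf "cert-authority${auth_opt} "` in the @@ -247 hunk places `$auth_opt` inside printf's format string, so a `%` or backslash sequence in an authorized_keys option would be interpreted rather than emitted literally; the test_one callers visible on this page pass plain option text, but the safe form is `printf '%s' "cert-authority${auth_opt} "`. The sibling replacements at @@ -127, @@ -139 and @@ -155 are fine because their format strings are single-quoted literals with no expansion. test_one's body starts and ends outside the hunk.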