1 files changed, 42 insertions, 22 deletions

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6700db27..b093a919 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,43 +1,45 @@
-#	$OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
 
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
-	ecdsa=ecdsa
-fi
-
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+
+type_has_legacy() {
+	case $1 in
+		ed25519*|ecdsa*) return 1 ;;
+	esac
+	return 0
+}
+
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
 
 # Generate and sign user keys
-for ktype in rsa dsa $ecdsa ; do 
+for ktype in $PLAIN_TYPES ; do 
 	verbose "$tid: sign user ${ktype} cert"
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
 	    -f $OBJ/cert_user_key_${ktype} || \
 		fail "ssh-keygen of cert_user_key_${ktype} failed"
-	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
-	    "regress user key for $USER" \
-	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+	    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
-	# v00 ecdsa certs do not exist
-	test "${ktype}" = "ecdsa" && continue
+	type_has_legacy $ktype || continue
 	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
 	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+	verbose "$tid: sign host ${ktype}_v00 cert"
 	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
 	    "regress user key for $USER" \
 	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-		fail "couldn't sign cert_user_key_${ktype}_v00"
+		fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 # Test explicitly-specified principals
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
 	for privsep in yes no ; do
 		_prefix="${ktype} privsep $privsep"
 
@@ -127,7 +129,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
 		# Wrong principals list
 		verbose "$tid: ${_prefix} wrong principals key option"
 		(
-			echon 'cert-authority,principals="gregorsamsa" '
+			printf 'cert-authority,principals="gregorsamsa" '
 			cat $OBJ/user_ca_key.pub
 		) > $OBJ/authorized_keys_$USER
 		${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -139,7 +141,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
 		# Correct principals list
 		verbose "$tid: ${_prefix} correct principals key option"
 		(
-			echon 'cert-authority,principals="mekmitasdigoat" '
+			printf 'cert-authority,principals="mekmitasdigoat" '
 			cat $OBJ/user_ca_key.pub
 		) > $OBJ/authorized_keys_$USER
 		${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -155,7 +157,7 @@ basic_tests() {
 	if test "x$auth" = "xauthorized_keys" ; then
 		# Add CA to authorized_keys
 		(
-			echon 'cert-authority '
+			printf 'cert-authority '
 			cat $OBJ/user_ca_key.pub
 		) > $OBJ/authorized_keys_$USER
 	else
@@ -163,7 +165,7 @@ basic_tests() {
 		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 	fi
 	
-	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
 			# Simple connect
@@ -185,14 +187,32 @@ basic_tests() {
 			(
 				cat $OBJ/sshd_proxy_bak
 				echo "UsePrivilegeSeparation $privsep"
-				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+				echo "RevokedKeys $OBJ/cert_user_key_revoked"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
+			cp $OBJ/cert_user_key_${ktype}.pub \
+			    $OBJ/cert_user_key_revoked
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+			verbose "$tid: ${_prefix} revoked via KRL"
+			rm $OBJ/cert_user_key_revoked
+			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+			    $OBJ/cert_user_key_${ktype}.pub
 			${SSH} -2i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -eq 0 ]; then
 				fail "ssh cert connect succeeded unexpecedly"
 			fi
+			verbose "$tid: ${_prefix} empty KRL"
+			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
 		done
 	
 		# Revoked CA
@@ -247,7 +267,7 @@ test_one() {
 			if test "x$auth" = "xauthorized_keys" ; then
 				# Add CA to authorized_keys
 				(
-					echon "cert-authority${auth_opt} "
+					printf "cert-authority${auth_opt} "
 					cat $OBJ/user_ca_key.pub
 				) > $OBJ/authorized_keys_$USER
 			else
@@ -315,7 +335,7 @@ test_one "principals key option no principals" failure "" \
 
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
 	case $ktype in
 	*_v00) args="-t v00" ;;
 	*) args="" ;;