diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2019-07-25 09:17:35 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2019-07-25 20:09:06 +1000 |
| commit | 061407efc19b41ab4a7485e5adcff2a12befacdb (patch) | |
| tree | c4c93ea77f01d5fad14a96e0c4bfe152dc569ffb | |
| parent | 47f8ff1fa5b76790c1d785815fd13ee6009f8012 (diff) | |
upstream: Only use supported key types during KRL test, preferring
ed25519 since it's supported by both OpenSSL and non-OpenSSL builds.
OpenBSD-Regress-ID: 9f2bb3eadd50fcc8245b1bd8fd6f0e53602f71aa
| -rw-r--r-- | regress/krl.sh | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/regress/krl.sh b/regress/krl.sh index a70c79c66..e18d0ec7f 100644 --- a/regress/krl.sh +++ b/regress/krl.sh | |||
| @@ -1,13 +1,18 @@ | |||
| 1 | # $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $ | 1 | # $OpenBSD: krl.sh,v 1.8 2019/07/25 09:17:35 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="key revocation lists" | 4 | tid="key revocation lists" |
| 5 | 5 | ||
| 6 | # If we don't support ecdsa keys then this tell will be much slower. | 6 | # Use ed25519 by default since it's fast and it's supported when building |
| 7 | ECDSA=ecdsa | 7 | # w/out OpenSSL. Populate ktype[2-4] with the other types if supported. |
| 8 | if test "x$TEST_SSH_ECC" != "xyes"; then | 8 | ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519 |
| 9 | ECDSA=rsa | 9 | for t in `${SSH} -Q key-plain`; do |
| 10 | fi | 10 | case "$t" in |
| 11 | ecdsa*) ktype2=ecdsa ;; | ||
| 12 | ssh-rsa) ktype3=rsa ;; | ||
| 13 | ssh-dss) ktype4=dsa ;; | ||
| 14 | esac | ||
| 15 | done | ||
| 11 | 16 | ||
| 12 | # Do most testing with ssh-keygen; it uses the same verification code as sshd. | 17 | # Do most testing with ssh-keygen; it uses the same verification code as sshd. |
| 13 | 18 | ||
| @@ -15,9 +20,9 @@ fi | |||
| 15 | rm -f $OBJ/revoked-* $OBJ/krl-* | 20 | rm -f $OBJ/revoked-* $OBJ/krl-* |
| 16 | 21 | ||
| 17 | # Generate a CA key | 22 | # Generate a CA key |
| 18 | $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || | 23 | $SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null || |
| 19 | fatal "$SSHKEYGEN CA failed" | 24 | fatal "$SSHKEYGEN CA failed" |
| 20 | $SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || | 25 | $SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || |
| 21 | fatal "$SSHKEYGEN CA2 failed" | 26 | fatal "$SSHKEYGEN CA2 failed" |
| 22 | 27 | ||
| 23 | # A specification that revokes some certificates by serial numbers | 28 | # A specification that revokes some certificates by serial numbers |
| @@ -55,11 +60,13 @@ done | |||
| 55 | keygen() { | 60 | keygen() { |
| 56 | N=$1 | 61 | N=$1 |
| 57 | f=$OBJ/revoked-`printf "%04d" $N` | 62 | f=$OBJ/revoked-`printf "%04d" $N` |
| 58 | # Vary the keytype. We use mostly ECDSA since this is fastest by far. | 63 | # Vary the keytype. We use mostly ed25519 since this is fast and well |
| 59 | keytype=$ECDSA | 64 | # supported. |
| 65 | keytype=$ktype1 | ||
| 60 | case $N in | 66 | case $N in |
| 61 | 2 | 10 | 510 | 1001) keytype=rsa;; | 67 | 2 | 10 | 510 | 1001) keytype=$ktype2 ;; |
| 62 | 4 | 30 | 520 | 1002) keytype=ed25519;; | 68 | 4 | 30 | 520 | 1002) keytype=$ktype3 ;; |
| 69 | 8 | 50 | 530 | 1003) keytype=$ktype4 ;; | ||
| 63 | esac | 70 | esac |
| 64 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ | 71 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ |
| 65 | || fatal "$SSHKEYGEN failed" | 72 | || fatal "$SSHKEYGEN failed" |