upstream commit

regression test for 'wildcard CA' serial/key ID revocations
author: djm@openbsd.org <djm@openbsd.org> 2015-01-30 01:11:39 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-30 12:19:29 +1100
commit: 86936ec245a15c7abe71a0722610998b0a28b194 (patch)
tree: f4f45b480fa6ff7a52b2e097ebb1c60e439fdcc9
parent: 4509b5d4a4fa645a022635bfa7e86d09b285001f (diff)
1 files changed, 44 insertions, 30 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index 799f9d093..1077358ff 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: krl.sh,v 1.5 2015/01/19 17:31:13 djm Exp $
+#       $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
 #       Placed in the Public Domain.
 tid="key revocation lists"
@@ -74,26 +74,26 @@ verbose "$tid: generating test keys"
 REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
 for n in $REVOKED_SERIALS ; do
        f=`keygen $n`
-        REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+        RKEYS="$RKEYS ${f}.pub"
-        REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+        RCERTS="$RCERTS ${f}-cert.pub"
 done
 UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
 UNREVOKED=""
 for n in $UNREVOKED_SERIALS ; do
        f=`keygen $n`
-        UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"
+        UKEYS="$UKEYS ${f}.pub"
-        UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"
+        UCERTS="$UCERTS ${f}-cert.pub"
 done
 genkrls() {
        OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
@@ -102,14 +102,20 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+# These should succeed; they specify an explicit CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
+        $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
+        $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# These should succeed; they specify an wildcard CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
 # Revoke the same serials with the second CA key to ensure a multi-CA
 # KRL is generated.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
        $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
-        >/dev/null || fatal "$SSHKEYGEN KRL failed"
 }
 ## XXX dump with trace and grep for set cert serials
@@ -131,7 +137,7 @@ check_krl() {
                fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
        fi
 }
-test_all() {
+test_rev() {
        FILES=$1
        TAG=$2
        KEYS_RESULT=$3
@@ -140,32 +146,40 @@ test_all() {
        KEYID_RESULT=$6
        CERTS_RESULT=$7
        CA_RESULT=$8
+        SERIAL_WRESULT=$9
+        KEYID_WRESULT=$10
        verbose "$tid: checking revocations for $TAG"
        for f in $FILES ; do
-                check_krl $f $OBJ/krl-empty  no             "$TAG"
+                check_krl $f $OBJ/krl-empty             no              "$TAG"
-                check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-keys              $KEYS_RESULT    "$TAG"
-                check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
+                check_krl $f $OBJ/krl-all               $ALL_RESULT     "$TAG"
-                check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+                check_krl $f $OBJ/krl-serial            $SERIAL_RESULT  "$TAG"
-                check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
+                check_krl $f $OBJ/krl-keyid             $KEYID_RESULT   "$TAG"
-                check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-cert              $CERTS_RESULT   "$TAG"
-                check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
+                check_krl $f $OBJ/krl-ca                $CA_RESULT      "$TAG"
+                check_krl $f $OBJ/krl-serial-wild       $SERIAL_WRESULT "$TAG"
+                check_krl $f $OBJ/krl-keyid-wild        $KEYID_WRESULT  "$TAG"
        done
 }
-#                                            keys  all serial  keyid  certs   CA
-test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all() {
-test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
+        #                                                               wildcard
-test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
+        #                                   keys all sr# k.ID cert  CA sr.# k.ID
-test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
+        test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
+        test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
+        test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
+        test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
+}
+test_all
 # Check update. Results should be identical.
 verbose "$tid: testing KRL update"
 for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
-    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
+    $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
        cp -f $OBJ/krl-empty $f
        genkrls -u
 done
-#                                            keys  all serial  keyid  certs   CA
-test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all
-test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
-test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
-test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
author	djm@openbsd.org <djm@openbsd.org>	2015-01-30 01:11:39 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-30 12:19:29 +1100
commit	86936ec245a15c7abe71a0722610998b0a28b194 (patch)
tree	f4f45b480fa6ff7a52b2e097ebb1c60e439fdcc9
parent	4509b5d4a4fa645a022635bfa7e86d09b285001f (diff)

diff --git a/regress/krl.sh b/regress/krl.sh index 799f9d093..1077358ff 100644 --- a/regress/krl.sh +++ b/regress/krl.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: krl.sh,v 1.5 2015/01/19 17:31:13 djm Exp $	1	# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="key revocation lists"	4	tid="key revocation lists"
@@ -74,26 +74,26 @@ verbose "$tid: generating test keys"
74	REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"	74	REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
75	for n in $REVOKED_SERIALS ; do	75	for n in $REVOKED_SERIALS ; do
76	f=`keygen $n`	76	f=`keygen $n`
77	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"	77	RKEYS="$RKEYS ${f}.pub"
78	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"	78	RCERTS="$RCERTS ${f}-cert.pub"
79	done	79	done
80	UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"	80	UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
81	UNREVOKED=""	81	UNREVOKED=""
82	for n in $UNREVOKED_SERIALS ; do	82	for n in $UNREVOKED_SERIALS ; do
83	f=`keygen $n`	83	f=`keygen $n`
84	UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"	84	UKEYS="$UKEYS ${f}.pub"
85	UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"	85	UCERTS="$UCERTS ${f}-cert.pub"
86	done	86	done
87		87
88	genkrls() {	88	genkrls() {
89	OPTS=$1	89	OPTS=$1
90	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \	90	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
91	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	91	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
92	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \	92	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
93	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	93	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
94	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \	94	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
95	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	95	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
96	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \	96	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
97	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	97	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
98	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \	98	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
99	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	99	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
@@ -102,14 +102,20 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
102	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"	102	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
103	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \	103	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
104	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"	104	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
105	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \	105	# These should succeed; they specify an explicit CA key.
		106	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
		107	$OBJ/revoked-serials >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		108	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
		109	$OBJ/revoked-keyid >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		110	# These should succeed; they specify an wildcard CA key.
		111	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
		112	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		113	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
106	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	114	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
107	# Revoke the same serials with the second CA key to ensure a multi-CA	115	# Revoke the same serials with the second CA key to ensure a multi-CA
108	# KRL is generated.	116	# KRL is generated.
109	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \	117	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
110	$OBJ/revoked-serials >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"	118	$OBJ/revoked-serials >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
111	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
112	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
113	}	119	}
114		120
115	## XXX dump with trace and grep for set cert serials	121	## XXX dump with trace and grep for set cert serials
@@ -131,7 +137,7 @@ check_krl() {
131	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"	137	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
132	fi	138	fi
133	}	139	}
134	test_all() {	140	test_rev() {
135	FILES=$1	141	FILES=$1
136	TAG=$2	142	TAG=$2
137	KEYS_RESULT=$3	143	KEYS_RESULT=$3
@@ -140,32 +146,40 @@ test_all() {
140	KEYID_RESULT=$6	146	KEYID_RESULT=$6
141	CERTS_RESULT=$7	147	CERTS_RESULT=$7
142	CA_RESULT=$8	148	CA_RESULT=$8
		149	SERIAL_WRESULT=$9
		150	KEYID_WRESULT=$10
143	verbose "$tid: checking revocations for $TAG"	151	verbose "$tid: checking revocations for $TAG"
144	for f in $FILES ; do	152	for f in $FILES ; do
145	check_krl $f $OBJ/krl-empty no "$TAG"	153	check_krl $f $OBJ/krl-empty no "$TAG"
146	check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"	154	check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
147	check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"	155	check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
148	check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"	156	check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
149	check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"	157	check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
150	check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"	158	check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
151	check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"	159	check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
		160	check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
		161	check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
152	done	162	done
153	}	163	}
154	# keys all serial keyid certs CA	164
155	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no	165	test_all() {
156	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no	166	# wildcard
157	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes	167	# keys all sr# k.ID cert CA sr.# k.ID
158	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes	168	test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
		169	test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
		170	test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
		171	test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
		172	}
		173
		174	test_all
159		175
160	# Check update. Results should be identical.	176	# Check update. Results should be identical.
161	verbose "$tid: testing KRL update"	177	verbose "$tid: testing KRL update"
162	for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \	178	for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
163	$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do	179	$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
		180	$OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
164	cp -f $OBJ/krl-empty $f	181	cp -f $OBJ/krl-empty $f
165	genkrls -u	182	genkrls -u
166	done	183	done
167	# keys all serial keyid certs CA	184
168	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no	185	test_all
169	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
170	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
171	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes