- djm@cvs.openbsd.org 2013/01/18 00:45:29

[regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs)
author: Damien Miller <djm@mindrot.org> 2013-01-18 11:51:56 +1100
committer: Damien Miller <djm@mindrot.org> 2013-01-18 11:51:56 +1100
commit: ebafebda8570b2b013327cdc6627f9c5fb9733c1 (patch)
tree: e08b1095cb132f11d9921427dd94ee0ed053b090
parent: f3747bf4014a450c9aaf1d88b010f6e579d10072 (diff)
4 files changed, 180 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 65403d6e7..a45d24b29 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,10 @@
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/01/18 00:45:29
+     [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
+     Tests for Key Revocation Lists (KRLs)
 20130117
 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
diff --git a/regress/Makefile b/regress/Makefile
index af1fa31df..18f9f124c 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $
+#       $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
 tests:          prereq $(REGRESS_TARGETS)
@@ -60,7 +60,8 @@ LTESTS= 	connect \
                host-expand \
                keys-command \
                forward-control \
-                integrity
+                integrity \
+                krl
 INTEROP_TESTS=  putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -77,11 +78,11 @@ CLEANFILES=	t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                ls.copy banner.in banner.out empty.in \
                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
-                known_hosts-cert host_ca_key* cert_host_key* \
+                known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
                putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
                key.rsa-* key.dsa-* key.ecdsa-* \
                authorized_principals_${USER} expect actual ready \
-                sshd_proxy.* authorized_keys_${USER}.* modpipe
+                sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
 # Enable all malloc(3) randomisations and checks
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index aa85cd6cb..3bba9f8f2 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -184,14 +184,32 @@ basic_tests() {
                        (
                                cat $OBJ/sshd_proxy_bak
                                echo "UsePrivilegeSeparation $privsep"
-                                echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+                                echo "RevokedKeys $OBJ/cert_user_key_revoked"
                                echo "$extra_sshd"
                        ) > $OBJ/sshd_proxy
+                        cp $OBJ/cert_user_key_${ktype}.pub \
+                            $OBJ/cert_user_key_revoked
                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
                        if [ $? -eq 0 ]; then
                                fail "ssh cert connect succeeded unexpecedly"
                        fi
+                        verbose "$tid: ${_prefix} revoked via KRL"
+                        rm $OBJ/cert_user_key_revoked
+                        ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+                            $OBJ/cert_user_key_${ktype}.pub
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        if [ $? -eq 0 ]; then
+                                fail "ssh cert connect succeeded unexpecedly"
+                        fi
+                        verbose "$tid: ${_prefix} empty KRL"
+                        ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        if [ $? -ne 0 ]; then
+                                fail "ssh cert connect failed"
+                        fi
                done
        
                # Revoked CA
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 000000000..3ee5a9060
--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,151 @@
+#       $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+#       Placed in the Public Domain.
+tid="key revocation lists"
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+# Generate a CA key
+$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
+        fatal "$SSHKEYGEN CA failed"
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+        # Fill in by-ID revocation spec.
+        echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+keygen() {
+        N=$1
+        f=$OBJ/revoked-`printf "%04d" $N`
+        # Vary the keytype. We use mostly ECDSA since this is fastest by far.
+        keytype=ecdsa
+        case $N in
+        2 | 10 | 510 | 1001)    keytype=rsa;;
+        4 | 30 | 520 | 1002)    keytype=dsa;;
+        esac
+        $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+                || fatal "$SSHKEYGEN failed"
+        # Sign cert
+        $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+                || fatal "$SSHKEYGEN sign failed"
+        echo $f
+}
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+        f=`keygen $n`
+        REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+        REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+        NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+        NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+genkrls() {
+        OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+verbose "$tid: generating KRLs"
+genkrls
+check_krl() {
+        KEY=$1
+        KRL=$2
+        EXPECT_REVOKED=$3
+        TAG=$4
+        $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+        result=$?
+        if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+                fatal "key $KEY not revoked by KRL $KRL: $TAG"
+        elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+                fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+        fi
+}
+test_all() {
+        FILES=$1
+        TAG=$2
+        KEYS_RESULT=$3
+        ALL_RESULT=$4
+        SERIAL_RESULT=$5
+        KEYID_RESULT=$6
+        CERTS_RESULT=$7
+        CA_RESULT=$8
+        verbose "$tid: checking revocations for $TAG"
+        for f in $FILES ; do
+                check_krl $f $OBJ/krl-empty  no             "$TAG"
+                check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
+                check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+                check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
+                check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
+        done
+}
+#                                            keys  all serial  keyid  certs   CA
+test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
+test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+        cp -f $OBJ/krl-empty $f
+        genkrls -u
+done
+#                                            keys  all serial  keyid  certs   CA
+test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
+test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
author	Damien Miller <djm@mindrot.org>	2013-01-18 11:51:56 +1100
committer	Damien Miller <djm@mindrot.org>	2013-01-18 11:51:56 +1100
commit	ebafebda8570b2b013327cdc6627f9c5fb9733c1 (patch)
tree	e08b1095cb132f11d9921427dd94ee0ed053b090
parent	f3747bf4014a450c9aaf1d88b010f6e579d10072 (diff)

diff --git a/ChangeLog b/ChangeLog index 65403d6e7..a45d24b29 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -8,6 +8,10 @@
8	a single bit of incremental cost to revoke a certificate by serial number.	8	a single bit of incremental cost to revoke a certificate by serial number.
9	KRLs are loaded via the existing RevokedKeys sshd_config option.	9	KRLs are loaded via the existing RevokedKeys sshd_config option.
10	feedback and ok markus@	10	feedback and ok markus@
		11	- OpenBSD CVS Sync
		12	- djm@cvs.openbsd.org 2013/01/18 00:45:29
		13	[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
		14	Tests for Key Revocation Lists (KRLs)
11		15
12	20130117	16	20130117
13	- (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]	17	- (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]


diff --git a/regress/Makefile b/regress/Makefile index af1fa31df..18f9f124c 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $	1	# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
2		2
3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec	3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4	tests: prereq $(REGRESS_TARGETS)	4	tests: prereq $(REGRESS_TARGETS)
@@ -60,7 +60,8 @@ LTESTS= connect \
60	host-expand \	60	host-expand \
61	keys-command \	61	keys-command \
62	forward-control \	62	forward-control \
63	integrity	63	integrity \
		64	krl
64		65
65	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers	66	INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
66	#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp	67	#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -77,11 +78,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
77	ls.copy banner.in banner.out empty.in \	78	ls.copy banner.in banner.out empty.in \
78	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \	79	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
79	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \	80	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
80	known_hosts-cert host_ca_key* cert_host_key* \	81	known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
81	putty.rsa2 sshd_proxy_orig ssh_proxy_bak \	82	putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
82	key.rsa-* key.dsa-* key.ecdsa-* \	83	key.rsa-* key.dsa-* key.ecdsa-* \
83	authorized_principals_${USER} expect actual ready \	84	authorized_principals_${USER} expect actual ready \
84	sshd_proxy.* authorized_keys_${USER}.* modpipe	85	sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
85		86
86		87
87	# Enable all malloc(3) randomisations and checks	88	# Enable all malloc(3) randomisations and checks


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index aa85cd6cb..3bba9f8f2 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -184,14 +184,32 @@ basic_tests() {
184	(	184	(
185	cat $OBJ/sshd_proxy_bak	185	cat $OBJ/sshd_proxy_bak
186	echo "UsePrivilegeSeparation $privsep"	186	echo "UsePrivilegeSeparation $privsep"
187	echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"	187	echo "RevokedKeys $OBJ/cert_user_key_revoked"
188	echo "$extra_sshd"	188	echo "$extra_sshd"
189	) > $OBJ/sshd_proxy	189	) > $OBJ/sshd_proxy
		190	cp $OBJ/cert_user_key_${ktype}.pub \
		191	$OBJ/cert_user_key_revoked
190	${SSH} -2i $OBJ/cert_user_key_${ktype} \	192	${SSH} -2i $OBJ/cert_user_key_${ktype} \
191	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1	193	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
192	if [ $? -eq 0 ]; then	194	if [ $? -eq 0 ]; then
193	fail "ssh cert connect succeeded unexpecedly"	195	fail "ssh cert connect succeeded unexpecedly"
194	fi	196	fi
		197	verbose "$tid: ${_prefix} revoked via KRL"
		198	rm $OBJ/cert_user_key_revoked
		199	${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
		200	$OBJ/cert_user_key_${ktype}.pub
		201	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		202	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		203	if [ $? -eq 0 ]; then
		204	fail "ssh cert connect succeeded unexpecedly"
		205	fi
		206	verbose "$tid: ${_prefix} empty KRL"
		207	${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
		208	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		209	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		210	if [ $? -ne 0 ]; then
		211	fail "ssh cert connect failed"
		212	fi
195	done	213	done
196		214
197	# Revoked CA	215	# Revoked CA


diff --git a/regress/krl.sh b/regress/krl.sh new file mode 100644 index 000000000..3ee5a9060 --- /dev/null +++ b/regress/krl.sh
@@ -0,0 +1,151 @@
		1	# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="key revocation lists"
		5
		6	# Do most testing with ssh-keygen; it uses the same verification code as sshd.
		7
		8	# Old keys will interfere with ssh-keygen.
		9	rm -f $OBJ/revoked-* $OBJ/krl-*
		10
		11	# Generate a CA key
		12	$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null \|\|
		13	fatal "$SSHKEYGEN CA failed"
		14
		15	# A specification that revokes some certificates by serial numbers
		16	# The serial pattern is chosen to ensure the KRL includes list, range and
		17	# bitmap sections.
		18	cat << EOF >> $OBJ/revoked-serials
		19	serial: 1-4
		20	serial: 10
		21	serial: 15
		22	serial: 30
		23	serial: 50
		24	serial: 999
		25	# The following sum to 500-799
		26	serial: 500
		27	serial: 501
		28	serial: 502
		29	serial: 503-600
		30	serial: 700-797
		31	serial: 798
		32	serial: 799
		33	serial: 599-701
		34	EOF
		35
		36	# A specification that revokes some certificated by key ID.
		37	touch $OBJ/revoked-keyid
		38	for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
		39	# Fill in by-ID revocation spec.
		40	echo "id: revoked $n" >> $OBJ/revoked-keyid
		41	done
		42
		43	keygen() {
		44	N=$1
		45	f=$OBJ/revoked-`printf "%04d" $N`
		46	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
		47	keytype=ecdsa
		48	case $N in
		49	2 \| 10 \| 510 \| 1001) keytype=rsa;;
		50	4 \| 30 \| 520 \| 1002) keytype=dsa;;
		51	esac
		52	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
		53	\|\| fatal "$SSHKEYGEN failed"
		54	# Sign cert
		55	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
		56	\|\| fatal "$SSHKEYGEN sign failed"
		57	echo $f
		58	}
		59
		60	# Generate some keys.
		61	verbose "$tid: generating test keys"
		62	REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
		63	for n in $REVOKED_SERIALS ; do
		64	f=`keygen $n`
		65	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
		66	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
		67	done
		68	NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
		69	NOTREVOKED=""
		70	for n in $NOTREVOKED_SERIALS ; do
		71	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
		72	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
		73	done
		74
		75	genkrls() {
		76	OPTS=$1
		77	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
		78	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		79	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
		80	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		81	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
		82	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		83	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
		84	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		85	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
		86	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		87	# KRLs from serial/key-id spec need the CA specified.
		88	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
		89	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
		90	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
		91	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
		92	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
		93	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		94	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
		95	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
		96	}
		97
		98	verbose "$tid: generating KRLs"
		99	genkrls
		100
		101	check_krl() {
		102	KEY=$1
		103	KRL=$2
		104	EXPECT_REVOKED=$3
		105	TAG=$4
		106	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
		107	result=$?
		108	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
		109	fatal "key $KEY not revoked by KRL $KRL: $TAG"
		110	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
		111	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
		112	fi
		113	}
		114	test_all() {
		115	FILES=$1
		116	TAG=$2
		117	KEYS_RESULT=$3
		118	ALL_RESULT=$4
		119	SERIAL_RESULT=$5
		120	KEYID_RESULT=$6
		121	CERTS_RESULT=$7
		122	CA_RESULT=$8
		123	verbose "$tid: checking revocations for $TAG"
		124	for f in $FILES ; do
		125	check_krl $f $OBJ/krl-empty no "$TAG"
		126	check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
		127	check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
		128	check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
		129	check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
		130	check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
		131	check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
		132	done
		133	}
		134	# keys all serial keyid certs CA
		135	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
		136	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
		137	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
		138	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
		139
		140	# Check update. Results should be identical.
		141	verbose "$tid: testing KRL update"
		142	for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
		143	$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
		144	cp -f $OBJ/krl-empty $f
		145	genkrls -u
		146	done
		147	# keys all serial keyid certs CA
		148	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
		149	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
		150	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
		151	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes