authordtucker@openbsd.org <dtucker@openbsd.org>2019-07-25 08:28:15 +0000
committerDarren Tucker <dtucker@dtucker.net>2019-07-25 20:01:19 +1000
commit1e94afdfa8df774ab7dd3bad52912b636dc31bbd (patch)
tree0919af20d3dba4560885d709c61e202d3aace86f
parent26bf693661a48b97b6023f702b2af643676ac21a (diff)
upstream: Make certificate tests work with the supported key
algorithms. Allows tests to pass when built without OpenSSL. OpenBSD-Regress-ID: 617169a6dd9d06db3697a449d9a26c284eca20fc
-rw-r--r--regress/cert-hostkey.sh12
-rw-r--r--regress/cert-userkey.sh19
2 files changed, 23 insertions, 8 deletions
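--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
@@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
 rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
 
 # Allow all hostkey/pubkey types, prefer certs for the client
+rsa=0
 types=""
 for i in `$SSH -Q key`; do
 	if [ -z "$types" ]; then
@@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do
 		types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
 		types="rsa-sha2-512-cert-v01@openssh.com,$types";;
 	*rsa*)
+		rsa=1
 		types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
 	# Prefer certificate to plain keys.
 	*cert*) types="$i,$types";;
@@ -51,10 +53,12 @@ kh_revoke() {
 }
 
 # Create a CA key and add it to known hosts. Ed25519 chosen for speed.
-# RSA for testing RSA/SHA2 signatures.
+# RSA for testing RSA/SHA2 signatures if supported.
+ktype2=ed25519
+[ "x$rsa" = "x1" ] && ktype2=rsa
 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
 	fail "ssh-keygen of host_ca_key failed"
-${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\
+${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\
 	fail "ssh-keygen of host_ca_key failed"
 
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -214,7 +218,7 @@ test_one() {
 	result=$2
 	sign_opts=$3
 
-	for kt in rsa ed25519 ; do
+	for kt in $PLAIN_TYPES; do
 		case $ktype in
 		rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
 		*) tflag=""; ca="$OBJ/host_ca_key" ;;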
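Review bot: The loop in test_one now iterates `$PLAIN_TYPES`, but no hunk of this file sets it; cert-userkey.sh derives it from `$SSH -Q key-plain` near its top, and if cert-hostkey.sh does not carry the same assignment somewhere outside these hunks the loop body runs zero times and the test passes without exercising a single host key type. A guard before the loop, `[ -n "$PLAIN_TYPES" ] || fail "no plain key types to test"`, would turn that silent no-op into a visible failure. The `ktype2` selection in the earlier hunk would also read more clearly with a one-line comment such as `# second CA is RSA only when the build offers an RSA key type`, since the `rsa` flag it keys on is set by a glob on `ssh -Q key` output well above. test_one's body begins and ends outside the hunk.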
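--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $
+# $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 EXTRA_TYPES=""
+rsa=""
 
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+	rsa=rsa
 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
 fi
 
@@ -20,11 +22,20 @@ kname() {
 	# subshell because some seds will add a newline
 	*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
 	esac
-	echo "$n*,ssh-rsa*,ssh-ed25519*"
+	if [ -z "$rsa" ]; then
+		echo "$n*,ssh-ed25519*"
+	else
+		echo "$n*,ssh-rsa*,ssh-ed25519*"
+	fi
 }
 
 # Create a CA key
-${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
+if [ ! -z "$rsa" ]; then
+	catype=rsa
+else
+	catype=ed25519
+fi
+${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
 
 # Generate and sign user keys
@@ -283,7 +294,7 @@ test_one() {
 	fi
 
 	for auth in $auth_choice ; do
-		for ktype in $rsa ed25519 ; do
+		for ktype in $rsa ed25519 ; do
 			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 			if test "x$auth" = "xauthorized_keys" ; then
 				# Add CA to authorized_keys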
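Review bot: The last hunk's `for ktype in $rsa ed25519 ; do` depends on the unquoted, possibly empty `$rsa` vanishing from the word list, which is correct here but is exactly the expansion a later cleanup would quote and thereby turn into one iteration over an empty key type; a comment on that line, `# $rsa is empty when RSA is unsupported and then drops out of the list`, would protect the intent. The CA type selection in the kname hunk spells out as a four-line if/else what cert-hostkey.sh does in the same commit with `ktype2=ed25519` plus a one-line test, so the two sibling scripts now pick the CA type in two different shapes; using one form in both would keep them comparable, and `[ ! -z "$rsa" ]` reads more directly as `[ -n "$rsa" ]`. Both kname and test_one start or continue outside their hunks.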