- djm@cvs.openbsd.org 2010/03/04 10:38:23

[regress/cert-hostkey.sh regress/cert-userkey.sh] additional regression tests for revoked keys and TrustedUserCAKeys
author: Damien Miller <djm@mindrot.org> 2010-03-04 21:58:01 +1100
committer: Damien Miller <djm@mindrot.org> 2010-03-04 21:58:01 +1100
commit: 700dcfa3e0a98be44f2e3675849055984f04a70a (patch)
tree: c10708a700b61025695b7755c25aa98f3dff0d9b
parent: 017d1e777ef197eab866b9d0046e000a46baf10b (diff)
3 files changed, 183 insertions, 45 deletions
diff --git a/ChangeLog b/ChangeLog
index 116ce569a..f6c61d89d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
+   - djm@cvs.openbsd.org 2010/03/04 10:38:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     additional regression tests for revoked keys and TrustedUserCAKeys
 20100303
 - (djm) [PROTOCOL.certkeys] Add RCS Ident
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9097a1359..3fda667cb 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -50,6 +50,68 @@ for privsep in yes no ; do
        done
 done
+# Revoked certificates with key present
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_rsa.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${ktype}
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        echo UsePrivilegeSeparation $privsep
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+        done
+done
+# Revoked CA
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+        verbose "$tid: host ${ktype} revoked cert"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect succeeded unexpectedly"
+        fi
+done
+# Create a CA key and add it to known hosts
+(
+        echon '@cert-authority '
+        echon "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
 test_one() {
        ident=$1
        result=$2
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 874915205..7a58e7b75 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -6,13 +6,9 @@ tid="certified user keys"
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-# Create a CA key and add it to authorized_keys
+# Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
        fail "ssh-keygen of user_ca_key failed"
-(
-        echon 'cert-authority '
-        cat $OBJ/user_ca_key.pub
-) > $OBJ/authorized_keys_$USER
 # Generate and sign user keys
 for ktype in rsa dsa ; do 
@@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
                fail "couldn't sign cert_user_key_${ktype}"
 done
-# Basic connect tests
+basic_tests() {
-for privsep in yes no ; do
+        auth=$1
+        if test "x$auth" = "xauthorized_keys" ; then
+                # Add CA to authorized_keys
+                (
+                        echon 'cert-authority '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+        else
+                echo > $OBJ/authorized_keys_$USER
+                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+        fi
+        
        for ktype in rsa dsa ; do 
-                verbose "$tid: user ${ktype} cert connect privsep $privsep"
+                for privsep in yes no ; do
+                        _prefix="${ktype} privsep $privsep $auth"
+                        # Simple connect
+                        verbose "$tid: ${_prefix} connect"
+                        (
+                                cat $OBJ/sshd_proxy_bak
+                                echo "UsePrivilegeSeparation $privsep"
+                                echo "$extra_sshd"
+                        ) > $OBJ/sshd_proxy
+        
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true
+                        if [ $? -ne 0 ]; then
+                                fail "ssh cert connect failed"
+                        fi
+                        # Revoked keys
+                        verbose "$tid: ${_prefix} revoked key"
+                        (
+                                cat $OBJ/sshd_proxy_bak
+                                echo "UsePrivilegeSeparation $privsep"
+                                echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+                                echo "$extra_sshd"
+                        ) > $OBJ/sshd_proxy
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        if [ $? -eq 0 ]; then
+                                fail "ssh cert connect succeeded unexpecedly"
+                        fi
+                done
+        
+                # Revoked CA
+                verbose "$tid: ${ktype} $auth revoked CA key"
                (
                        cat $OBJ/sshd_proxy_bak
-                        echo "UsePrivilegeSeparation $privsep"
+                        echo "RevokedKeys $OBJ/user_ca_key.pub"
+                        echo "$extra_sshd"
                ) > $OBJ/sshd_proxy
                ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
-                    somehost true
+                    somehost true >/dev/null 2>&1
-                if [ $? -ne 0 ]; then
+                if [ $? -eq 0 ]; then
-                        fail "ssh cert connect failed"
+                        fail "ssh cert connect succeeded unexpecedly"
                fi
        done
-done
+        
+        verbose "$tid: $auth CA does not authenticate"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo "$extra_sshd"
+        ) > $OBJ/sshd_proxy
+        verbose "$tid: ensure CA key does not authenticate user"
+        ${SSH} -2i $OBJ/user_ca_key \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+                fail "ssh cert connect with CA key succeeded unexpectedly"
+        fi
+}
-verbose "$tid: ensure CA key does not authenticate user"
+basic_tests authorized_keys
-${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+basic_tests TrustedUserCAKeys
-if [ $? -eq 0 ]; then
-        fail "ssh cert connect with CA key succeeded unexpectedly"
-fi
 test_one() {
        ident=$1
        result=$2
        sign_opts=$3
-        
+        auth_choice=$4
-        verbose "$tid: test user cert connect $ident expect $result"
+        if test "x$auth_choice" = "x" ; then
+                auth_choice="authorized_keys TrustedUserCAKeys"
+        fi
-        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+        for auth in $auth_choice ; do
-            $sign_opts \
+                cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-            $OBJ/cert_user_key_rsa ||
+                if test "x$auth" = "xauthorized_keys" ; then
-                fail "couldn't sign cert_user_key_rsa"
+                        # Add CA to authorized_keys
+                        (
+                                echon 'cert-authority '
+                                cat $OBJ/user_ca_key.pub
+                        ) > $OBJ/authorized_keys_$USER
+                else
+                        echo > $OBJ/authorized_keys_$USER
+                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+                            $OBJ/sshd_proxy
-        ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-            somehost true >/dev/null 2>&1
-        rc=$?
-        if [ "x$result" = "xsuccess" ] ; then
-                if [ $rc -ne 0 ]; then
-                        fail "ssh cert connect $ident failed unexpectedly"
                fi
-        else
+                
-                if [ $rc -eq 0 ]; then
+                verbose "$tid: $ident auth $auth expect $result"
-                        fail "ssh cert connect $ident succeeded unexpectedly"
+                ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+                    -I "regress user key for $USER" \
+                    $sign_opts \
+                    $OBJ/cert_user_key_rsa ||
+                        fail "couldn't sign cert_user_key_rsa"
+        
+                ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+                    somehost true >/dev/null 2>&1
+                rc=$?
+                if [ "x$result" = "xsuccess" ] ; then
+                        if [ $rc -ne 0 ]; then
+                                fail "$ident failed unexpectedly"
+                        fi
+                else
+                        if [ $rc -eq 0 ]; then
+                                fail "$ident succeeded unexpectedly"
+                        fi
                fi
-        fi
+        done
-        cleanup
 }
-test_one "host-certificate"     failure "-h"
+test_one "correct principal"    success "-n ${USER}"
-test_one "empty principals"     success ""
+test_one "host-certificate"     failure "-n ${USER} -h"
 test_one "wrong principals"     failure "-n foo"
-test_one "cert not yet valid"   failure "-V20200101:20300101"
+test_one "cert not yet valid"   failure "-n ${USER} -V20200101:20300101"
-test_one "cert expired"         failure "-V19800101:19900101"
+test_one "cert expired"         failure "-n ${USER} -V19800101:19900101"
-test_one "cert valid interval"  success "-V-1w:+2w"
+test_one "cert valid interval"  success "-n ${USER} -V-1w:+2w"
-test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
+test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
-test_one "force-command"        failure "-Oforce-command=false"
+test_one "force-command"        failure "-n ${USER} -Oforce-command=false"
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals"     success "" authorized_keys
+test_one "empty principals"     failure "" TrustedUserCAKeys
 # Wrong certificate
 for ktype in rsa dsa ; do 
@@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
 done
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
author	Damien Miller <djm@mindrot.org>	2010-03-04 21:58:01 +1100
committer	Damien Miller <djm@mindrot.org>	2010-03-04 21:58:01 +1100
commit	700dcfa3e0a98be44f2e3675849055984f04a70a (patch)
tree	c10708a700b61025695b7755c25aa98f3dff0d9b
parent	017d1e777ef197eab866b9d0046e000a46baf10b (diff)

diff --git a/ChangeLog b/ChangeLog index 116ce569a..f6c61d89d 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -39,6 +39,9 @@
39	[regress/cert-hostkey.sh regress/cert-userkey.sh]	39	[regress/cert-hostkey.sh regress/cert-userkey.sh]
40	add an extra test to ensure that authentication with the wrong	40	add an extra test to ensure that authentication with the wrong
41	certificate fails as it should (and it does)	41	certificate fails as it should (and it does)
		42	- djm@cvs.openbsd.org 2010/03/04 10:38:23
		43	[regress/cert-hostkey.sh regress/cert-userkey.sh]
		44	additional regression tests for revoked keys and TrustedUserCAKeys
42		45
43	20100303	46	20100303
44	- (djm) [PROTOCOL.certkeys] Add RCS Ident	47	- (djm) [PROTOCOL.certkeys] Add RCS Ident


diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 9097a1359..3fda667cb 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -50,6 +50,68 @@ for privsep in yes no ; do
50	done	50	done
51	done	51	done
52		52
		53	# Revoked certificates with key present
		54	(
		55	echon '@cert-authority '
		56	echon "$HOSTS "
		57	cat $OBJ/host_ca_key.pub
		58	echon '@revoked '
		59	echon "* "
		60	cat $OBJ/cert_host_key_rsa.pub
		61	echon '@revoked '
		62	echon "* "
		63	cat $OBJ/cert_host_key_dsa.pub
		64	) > $OBJ/known_hosts-cert
		65	for privsep in yes no ; do
		66	for ktype in rsa dsa ; do
		67	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		68	(
		69	cat $OBJ/sshd_proxy_bak
		70	echo HostKey $OBJ/cert_host_key_${ktype}
		71	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		72	echo UsePrivilegeSeparation $privsep
		73	) > $OBJ/sshd_proxy
		74
		75	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		76	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		77	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		78	if [ $? -eq 0 ]; then
		79	fail "ssh cert connect succeeded unexpectedly"
		80	fi
		81	done
		82	done
		83
		84	# Revoked CA
		85	(
		86	echon '@cert-authority '
		87	echon "$HOSTS "
		88	cat $OBJ/host_ca_key.pub
		89	echon '@revoked '
		90	echon "* "
		91	cat $OBJ/host_ca_key.pub
		92	) > $OBJ/known_hosts-cert
		93	for ktype in rsa dsa ; do
		94	verbose "$tid: host ${ktype} revoked cert"
		95	(
		96	cat $OBJ/sshd_proxy_bak
		97	echo HostKey $OBJ/cert_host_key_${ktype}
		98	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		99	) > $OBJ/sshd_proxy
		100	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		101	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		102	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		103	if [ $? -eq 0 ]; then
		104	fail "ssh cert connect succeeded unexpectedly"
		105	fi
		106	done
		107
		108	# Create a CA key and add it to known hosts
		109	(
		110	echon '@cert-authority '
		111	echon "$HOSTS "
		112	cat $OBJ/host_ca_key.pub
		113	) > $OBJ/known_hosts-cert
		114
53	test_one() {	115	test_one() {
54	ident=$1	116	ident=$1
55	result=$2	117	result=$2


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 874915205..7a58e7b75 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -6,13 +6,9 @@ tid="certified user keys"
6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*	6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak	7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8		8
9	# Create a CA key and add it to authorized_keys	9	# Create a CA key
10	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\	10	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
11	fail "ssh-keygen of user_ca_key failed"	11	fail "ssh-keygen of user_ca_key failed"
12	(
13	echon 'cert-authority '
14	cat $OBJ/user_ca_key.pub
15	) > $OBJ/authorized_keys_$USER
16		12
17	# Generate and sign user keys	13	# Generate and sign user keys
18	for ktype in rsa dsa ; do	14	for ktype in rsa dsa ; do
@@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
26	fail "couldn't sign cert_user_key_${ktype}"	22	fail "couldn't sign cert_user_key_${ktype}"
27	done	23	done
28		24
29	# Basic connect tests	25	basic_tests() {
30	for privsep in yes no ; do	26	auth=$1
		27	if test "x$auth" = "xauthorized_keys" ; then
		28	# Add CA to authorized_keys
		29	(
		30	echon 'cert-authority '
		31	cat $OBJ/user_ca_key.pub
		32	) > $OBJ/authorized_keys_$USER
		33	else
		34	echo > $OBJ/authorized_keys_$USER
		35	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
		36	fi
		37
31	for ktype in rsa dsa ; do	38	for ktype in rsa dsa ; do
32	verbose "$tid: user ${ktype} cert connect privsep $privsep"	39	for privsep in yes no ; do
		40	_prefix="${ktype} privsep $privsep $auth"
		41	# Simple connect
		42	verbose "$tid: ${_prefix} connect"
		43	(
		44	cat $OBJ/sshd_proxy_bak
		45	echo "UsePrivilegeSeparation $privsep"
		46	echo "$extra_sshd"
		47	) > $OBJ/sshd_proxy
		48
		49	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		50	-F $OBJ/ssh_proxy somehost true
		51	if [ $? -ne 0 ]; then
		52	fail "ssh cert connect failed"
		53	fi
		54
		55	# Revoked keys
		56	verbose "$tid: ${_prefix} revoked key"
		57	(
		58	cat $OBJ/sshd_proxy_bak
		59	echo "UsePrivilegeSeparation $privsep"
		60	echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
		61	echo "$extra_sshd"
		62	) > $OBJ/sshd_proxy
		63	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		64	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		65	if [ $? -eq 0 ]; then
		66	fail "ssh cert connect succeeded unexpecedly"
		67	fi
		68	done
		69
		70	# Revoked CA
		71	verbose "$tid: ${ktype} $auth revoked CA key"
33	(	72	(
34	cat $OBJ/sshd_proxy_bak	73	cat $OBJ/sshd_proxy_bak
35	echo "UsePrivilegeSeparation $privsep"	74	echo "RevokedKeys $OBJ/user_ca_key.pub"
		75	echo "$extra_sshd"
36	) > $OBJ/sshd_proxy	76	) > $OBJ/sshd_proxy
37
38	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \	77	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
39	somehost true	78	somehost true >/dev/null 2>&1
40	if [ $? -ne 0 ]; then	79	if [ $? -eq 0 ]; then
41	fail "ssh cert connect failed"	80	fail "ssh cert connect succeeded unexpecedly"
42	fi	81	fi
43	done	82	done
44	done	83
		84	verbose "$tid: $auth CA does not authenticate"
		85	(
		86	cat $OBJ/sshd_proxy_bak
		87	echo "$extra_sshd"
		88	) > $OBJ/sshd_proxy
		89	verbose "$tid: ensure CA key does not authenticate user"
		90	${SSH} -2i $OBJ/user_ca_key \
		91	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		92	if [ $? -eq 0 ]; then
		93	fail "ssh cert connect with CA key succeeded unexpectedly"
		94	fi
		95	}
45		96
46	verbose "$tid: ensure CA key does not authenticate user"	97	basic_tests authorized_keys
47	${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1	98	basic_tests TrustedUserCAKeys
48	if [ $? -eq 0 ]; then
49	fail "ssh cert connect with CA key succeeded unexpectedly"
50	fi
51		99
52	test_one() {	100	test_one() {
53	ident=$1	101	ident=$1
54	result=$2	102	result=$2
55	sign_opts=$3	103	sign_opts=$3
56		104	auth_choice=$4
57	verbose "$tid: test user cert connect $ident expect $result"	105
		106	if test "x$auth_choice" = "x" ; then
		107	auth_choice="authorized_keys TrustedUserCAKeys"
		108	fi
58		109
59	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \	110	for auth in $auth_choice ; do
60	$sign_opts \	111	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
61	$OBJ/cert_user_key_rsa \|\|	112	if test "x$auth" = "xauthorized_keys" ; then
62	fail "couldn't sign cert_user_key_rsa"	113	# Add CA to authorized_keys
		114	(
		115	echon 'cert-authority '
		116	cat $OBJ/user_ca_key.pub
		117	) > $OBJ/authorized_keys_$USER
		118	else
		119	echo > $OBJ/authorized_keys_$USER
		120	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
		121	$OBJ/sshd_proxy
63		122
64	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
65	somehost true >/dev/null 2>&1
66	rc=$?
67	if [ "x$result" = "xsuccess" ] ; then
68	if [ $rc -ne 0 ]; then
69	fail "ssh cert connect $ident failed unexpectedly"
70	fi	123	fi
71	else	124
72	if [ $rc -eq 0 ]; then	125	verbose "$tid: $ident auth $auth expect $result"
73	fail "ssh cert connect $ident succeeded unexpectedly"	126	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
		127	-I "regress user key for $USER" \
		128	$sign_opts \
		129	$OBJ/cert_user_key_rsa \|\|
		130	fail "couldn't sign cert_user_key_rsa"
		131
		132	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
		133	somehost true >/dev/null 2>&1
		134	rc=$?
		135	if [ "x$result" = "xsuccess" ] ; then
		136	if [ $rc -ne 0 ]; then
		137	fail "$ident failed unexpectedly"
		138	fi
		139	else
		140	if [ $rc -eq 0 ]; then
		141	fail "$ident succeeded unexpectedly"
		142	fi
74	fi	143	fi
75	fi	144	done
76	cleanup
77	}	145	}
78		146
79	test_one "host-certificate" failure "-h"	147	test_one "correct principal" success "-n ${USER}"
80	test_one "empty principals" success ""	148	test_one "host-certificate" failure "-n ${USER} -h"
81	test_one "wrong principals" failure "-n foo"	149	test_one "wrong principals" failure "-n foo"
82	test_one "cert not yet valid" failure "-V20200101:20300101"	150	test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
83	test_one "cert expired" failure "-V19800101:19900101"	151	test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
84	test_one "cert valid interval" success "-V-1w:+2w"	152	test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
85	test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"	153	test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
86	test_one "force-command" failure "-Oforce-command=false"	154	test_one "force-command" failure "-n ${USER} -Oforce-command=false"
		155
		156	# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
		157	test_one "empty principals" success "" authorized_keys
		158	test_one "empty principals" failure "" TrustedUserCAKeys
87		159
88	# Wrong certificate	160	# Wrong certificate
89	for ktype in rsa dsa ; do	161	for ktype in rsa dsa ; do
@@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
101	done	173	done
102		174
103	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*	175	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
		176