summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2013-01-18 11:51:56 +1100
committerDamien Miller <djm@mindrot.org>2013-01-18 11:51:56 +1100
commitebafebda8570b2b013327cdc6627f9c5fb9733c1 (patch)
treee08b1095cb132f11d9921427dd94ee0ed053b090
parentf3747bf4014a450c9aaf1d88b010f6e579d10072 (diff)
- djm@cvs.openbsd.org 2013/01/18 00:45:29
[regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs)
-rw-r--r--ChangeLog4
-rw-r--r--regress/Makefile9
-rw-r--r--regress/cert-userkey.sh22
-rw-r--r--regress/krl.sh151
4 files changed, 180 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 65403d6e7..a45d24b29 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,10 @@
8 a single bit of incremental cost to revoke a certificate by serial number. 8 a single bit of incremental cost to revoke a certificate by serial number.
9 KRLs are loaded via the existing RevokedKeys sshd_config option. 9 KRLs are loaded via the existing RevokedKeys sshd_config option.
10 feedback and ok markus@ 10 feedback and ok markus@
11 - OpenBSD CVS Sync
12 - djm@cvs.openbsd.org 2013/01/18 00:45:29
13 [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
14 Tests for Key Revocation Lists (KRLs)
11 15
1220130117 1620130117
13 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] 17 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
diff --git a/regress/Makefile b/regress/Makefile
index af1fa31df..18f9f124c 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $ 1# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4tests: prereq $(REGRESS_TARGETS) 4tests: prereq $(REGRESS_TARGETS)
@@ -60,7 +60,8 @@ LTESTS= connect \
60 host-expand \ 60 host-expand \
61 keys-command \ 61 keys-command \
62 forward-control \ 62 forward-control \
63 integrity 63 integrity \
64 krl
64 65
65INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers 66INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
66#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp 67#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -77,11 +78,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
77 ls.copy banner.in banner.out empty.in \ 78 ls.copy banner.in banner.out empty.in \
78 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ 79 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
79 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ 80 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
80 known_hosts-cert host_ca_key* cert_host_key* \ 81 known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
81 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 82 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
82 key.rsa-* key.dsa-* key.ecdsa-* \ 83 key.rsa-* key.dsa-* key.ecdsa-* \
83 authorized_principals_${USER} expect actual ready \ 84 authorized_principals_${USER} expect actual ready \
84 sshd_proxy.* authorized_keys_${USER}.* modpipe 85 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
85 86
86 87
87# Enable all malloc(3) randomisations and checks 88# Enable all malloc(3) randomisations and checks
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index aa85cd6cb..3bba9f8f2 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -184,14 +184,32 @@ basic_tests() {
184 ( 184 (
185 cat $OBJ/sshd_proxy_bak 185 cat $OBJ/sshd_proxy_bak
186 echo "UsePrivilegeSeparation $privsep" 186 echo "UsePrivilegeSeparation $privsep"
187 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" 187 echo "RevokedKeys $OBJ/cert_user_key_revoked"
188 echo "$extra_sshd" 188 echo "$extra_sshd"
189 ) > $OBJ/sshd_proxy 189 ) > $OBJ/sshd_proxy
190 cp $OBJ/cert_user_key_${ktype}.pub \
191 $OBJ/cert_user_key_revoked
190 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 192 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
191 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 193 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
192 if [ $? -eq 0 ]; then 194 if [ $? -eq 0 ]; then
193 fail "ssh cert connect succeeded unexpecedly" 195 fail "ssh cert connect succeeded unexpecedly"
194 fi 196 fi
197 verbose "$tid: ${_prefix} revoked via KRL"
198 rm $OBJ/cert_user_key_revoked
199 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
200 $OBJ/cert_user_key_${ktype}.pub
201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
202 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
203 if [ $? -eq 0 ]; then
204 fail "ssh cert connect succeeded unexpecedly"
205 fi
206 verbose "$tid: ${_prefix} empty KRL"
207 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
208 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
209 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
210 if [ $? -ne 0 ]; then
211 fail "ssh cert connect failed"
212 fi
195 done 213 done
196 214
197 # Revoked CA 215 # Revoked CA
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 000000000..3ee5a9060
--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,151 @@
1# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
2# Placed in the Public Domain.
3
4tid="key revocation lists"
5
6# Do most testing with ssh-keygen; it uses the same verification code as sshd.
7
8# Old keys will interfere with ssh-keygen.
9rm -f $OBJ/revoked-* $OBJ/krl-*
10
11# Generate a CA key
12$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
13 fatal "$SSHKEYGEN CA failed"
14
15# A specification that revokes some certificates by serial numbers
16# The serial pattern is chosen to ensure the KRL includes list, range and
17# bitmap sections.
18cat << EOF >> $OBJ/revoked-serials
19serial: 1-4
20serial: 10
21serial: 15
22serial: 30
23serial: 50
24serial: 999
25# The following sum to 500-799
26serial: 500
27serial: 501
28serial: 502
29serial: 503-600
30serial: 700-797
31serial: 798
32serial: 799
33serial: 599-701
34EOF
35
36# A specification that revokes some certificated by key ID.
37touch $OBJ/revoked-keyid
38for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
39 # Fill in by-ID revocation spec.
40 echo "id: revoked $n" >> $OBJ/revoked-keyid
41done
42
43keygen() {
44 N=$1
45 f=$OBJ/revoked-`printf "%04d" $N`
46 # Vary the keytype. We use mostly ECDSA since this is fastest by far.
47 keytype=ecdsa
48 case $N in
49 2 | 10 | 510 | 1001) keytype=rsa;;
50 4 | 30 | 520 | 1002) keytype=dsa;;
51 esac
52 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
53 || fatal "$SSHKEYGEN failed"
54 # Sign cert
55 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
56 || fatal "$SSHKEYGEN sign failed"
57 echo $f
58}
59
60# Generate some keys.
61verbose "$tid: generating test keys"
62REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
63for n in $REVOKED_SERIALS ; do
64 f=`keygen $n`
65 REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
66 REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
67done
68NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
69NOTREVOKED=""
70for n in $NOTREVOKED_SERIALS ; do
71 NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
72 NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
73done
74
75genkrls() {
76 OPTS=$1
77$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
78 >/dev/null || fatal "$SSHKEYGEN KRL failed"
79$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
80 >/dev/null || fatal "$SSHKEYGEN KRL failed"
81$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
82 >/dev/null || fatal "$SSHKEYGEN KRL failed"
83$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
84 >/dev/null || fatal "$SSHKEYGEN KRL failed"
85$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
86 >/dev/null || fatal "$SSHKEYGEN KRL failed"
87# KRLs from serial/key-id spec need the CA specified.
88$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
89 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
90$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
91 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
92$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
93 >/dev/null || fatal "$SSHKEYGEN KRL failed"
94$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
95 >/dev/null || fatal "$SSHKEYGEN KRL failed"
96}
97
98verbose "$tid: generating KRLs"
99genkrls
100
101check_krl() {
102 KEY=$1
103 KRL=$2
104 EXPECT_REVOKED=$3
105 TAG=$4
106 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
107 result=$?
108 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
109 fatal "key $KEY not revoked by KRL $KRL: $TAG"
110 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
111 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
112 fi
113}
114test_all() {
115 FILES=$1
116 TAG=$2
117 KEYS_RESULT=$3
118 ALL_RESULT=$4
119 SERIAL_RESULT=$5
120 KEYID_RESULT=$6
121 CERTS_RESULT=$7
122 CA_RESULT=$8
123 verbose "$tid: checking revocations for $TAG"
124 for f in $FILES ; do
125 check_krl $f $OBJ/krl-empty no "$TAG"
126 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
127 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
128 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
129 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
130 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
131 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
132 done
133}
134# keys all serial keyid certs CA
135test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
136test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
137test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
138test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
139
140# Check update. Results should be identical.
141verbose "$tid: testing KRL update"
142for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
143 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
144 cp -f $OBJ/krl-empty $f
145 genkrls -u
146done
147# keys all serial keyid certs CA
148test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
149test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
150test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
151test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes