New upstream release (7.3p1).

author: Colin Watson <cjwatson@debian.org> 2016-08-06 10:49:59 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-08-07 12:18:58 +0100
commit: 477bb7636238c106f8cd7c868a8c0c5eabcfb3db (patch)
tree: 601176af2ecf358c36b766776a86845ad7a3cd6f /regress/cert-hostkey.sh
parent: 747fac2de0d889183f67f6900194c0462c558544 (diff)
parent: 4c914ccd85bbf391c4dc61b85e3c178fef465e3f (diff)
1 files changed, 69 insertions, 57 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3f53922c8..62261cf8b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 HOSTS='localhost-with-alias,127.0.0.1,::1'
-# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
+kh_ca() {
+        for k in "$@" ; do
+                printf "@cert-authority $HOSTS "
+                cat $OBJ/$k || fatal "couldn't cat $k"
+        done
+}
+kh_revoke() {
+        for k in "$@" ; do
+                printf "@revoked * "
+                cat $OBJ/$k || fatal "couldn't cat $k"
+        done
+}
+# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
+# RSA for testing RSA/SHA2 signatures.
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/host_ca_key ||\
        fail "ssh-keygen of host_ca_key failed"
-(
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key2 ||\
-        printf '@cert-authority '
+        fail "ssh-keygen of host_ca_key failed"
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 # Plain text revocation files
 touch $OBJ/host_revoked_empty
 touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
-cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+        PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
-${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
+${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
        || fatal "KRL init failed"
 # Generate and sign host keys
 serial=1
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        verbose "$tid: sign host ${ktype} cert"
        # Generate and sign a host key
        ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
        ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
            $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
        cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
-        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
+        case $ktype in
+        rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+        *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+        esac
+        ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES ; do 
+        for ktype in $PLAIN_TYPES ; do
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
 done
 # Revoked certificates with key present
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
+for ktype in $PLAIN_TYPES ; do
-        printf "$HOSTS "
+        test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-        cat $OBJ/host_ca_key.pub
+        kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
-        for ktype in $PLAIN_TYPES ; do
+done
-                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
-        done
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES ; do 
+        for ktype in $PLAIN_TYPES ; do
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
 done
 # Revoked CA
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
+kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
 done
 # Create a CA key and add it to known hosts
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 test_one() {
@@ -201,16 +208,19 @@ test_one() {
        sign_opts=$3
        for kt in rsa ed25519 ; do
-                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+                case $ktype in
-                    -I "regress host key for $USER" \
+                rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+                *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+                esac
+                ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
                    $sign_opts $OBJ/cert_host_key_${kt} ||
-                        fail "couldn't sign cert_host_key_${kt}"
+                        fatal "couldn't sign cert_host_key_${kt}"
                (
                        cat $OBJ/sshd_proxy_bak
                        echo HostKey $OBJ/cert_host_key_${kt}
                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
                ) > $OBJ/sshd_proxy
-        
                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
        verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
        # Generate and sign a host key
-        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+        ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
-            -f $OBJ/cert_host_key_${ktype} || \
                fail "ssh-keygen of cert_host_key_${ktype} failed"
-        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+        case $ktype in
+        rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+        *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+        esac
+        ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                fail "couldn't sign cert_host_key_${ktype}"
+                fatal "couldn't sign cert_host_key_${ktype}"
        (
                printf "$HOSTS "
                cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
                echo HostKey $OBJ/cert_host_key_${ktype}
                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
        ) > $OBJ/sshd_proxy
-        
        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
                -F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
 done
 # Wrong certificate
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for kt in $PLAIN_TYPES ; do 
+for kt in $PLAIN_TYPES ; do
+        verbose "$tid: host ${kt} connect wrong cert"
        rm -f $OBJ/cert_host_key*
        # Self-sign key
-        ${SSHKEYGEN} -q -N '' -t ${kt} \
+        ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
-            -f $OBJ/cert_host_key_${kt} || \
                fail "ssh-keygen of cert_host_key_${kt} failed"
-        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+        case $kt in
+        rsa-sha2-*)     tflag="-t $kt" ;;
+        *)              tflag="" ;;
+        esac
+        ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                fail "couldn't sign cert_host_key_${kt}"
+                fatal "couldn't sign cert_host_key_${kt}"
-        verbose "$tid: host ${kt} connect wrong cert"
        (
                cat $OBJ/sshd_proxy_bak
                echo HostKey $OBJ/cert_host_key_${kt}
author	Colin Watson <cjwatson@debian.org>	2016-08-06 10:49:59 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-08-07 12:18:58 +0100
commit	477bb7636238c106f8cd7c868a8c0c5eabcfb3db (patch)
tree	601176af2ecf358c36b766776a86845ad7a3cd6f /regress/cert-hostkey.sh
parent	747fac2de0d889183f67f6900194c0462c558544 (diff)
parent	4c914ccd85bbf391c4dc61b85e3c178fef465e3f (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3f53922c8..62261cf8b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
30		30
31	HOSTS='localhost-with-alias,127.0.0.1,::1'	31	HOSTS='localhost-with-alias,127.0.0.1,::1'
32		32
33	# Create a CA key and add it to known hosts. Ed25519 chosed for speed.	33	kh_ca() {
		34	for k in "$@" ; do
		35	printf "@cert-authority $HOSTS "
		36	cat $OBJ/$k \|\| fatal "couldn't cat $k"
		37	done
		38	}
		39	kh_revoke() {
		40	for k in "$@" ; do
		41	printf "@revoked * "
		42	cat $OBJ/$k \|\| fatal "couldn't cat $k"
		43	done
		44	}
		45
		46	# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
		47	# RSA for testing RSA/SHA2 signatures.
34	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key \|\|\	48	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key \|\|\
35	fail "ssh-keygen of host_ca_key failed"	49	fail "ssh-keygen of host_ca_key failed"
36	(	50	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 \|\|\
37	printf '@cert-authority '	51	fail "ssh-keygen of host_ca_key failed"
38	printf "$HOSTS "	52
39	cat $OBJ/host_ca_key.pub	53	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
40	) > $OBJ/known_hosts-cert.orig
41	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	54	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
42		55
43	# Plain text revocation files	56	# Plain text revocation files
44	touch $OBJ/host_revoked_empty	57	touch $OBJ/host_revoked_empty
45	touch $OBJ/host_revoked_plain	58	touch $OBJ/host_revoked_plain
46	touch $OBJ/host_revoked_cert	59	touch $OBJ/host_revoked_cert
47	cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca	60	cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
48		61
49	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`	62	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
50		63
		64	if echo "$PLAIN_TYPES" \| grep '^rsa$' >/dev/null 2>&1 ; then
		65	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
		66	fi
		67
51	# Prepare certificate, plain key and CA KRLs	68	# Prepare certificate, plain key and CA KRLs
52	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"	69	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"
53	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"	70	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"
54	${SSHKEYGEN} -kf $OBJ/host_krl_cert \|\| fatal "KRL init failed"	71	${SSHKEYGEN} -kf $OBJ/host_krl_cert \|\| fatal "KRL init failed"
55	${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \	72	${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
56	\|\| fatal "KRL init failed"	73	\|\| fatal "KRL init failed"
57		74
58	# Generate and sign host keys	75	# Generate and sign host keys
59	serial=1	76	serial=1
60	for ktype in $PLAIN_TYPES ; do	77	for ktype in $PLAIN_TYPES ; do
61	verbose "$tid: sign host ${ktype} cert"	78	verbose "$tid: sign host ${ktype} cert"
62	# Generate and sign a host key	79	# Generate and sign a host key
63	${SSHKEYGEN} -q -N '' -t ${ktype} \	80	${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
66	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \	83	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
67	$OBJ/cert_host_key_${ktype}.pub \|\| fatal "KRL update failed"	84	$OBJ/cert_host_key_${ktype}.pub \|\| fatal "KRL update failed"
68	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain	85	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
69	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \	86	case $ktype in
		87	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		88	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		89	esac
		90	${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
70	-I "regress host key for $USER" \	91	-I "regress host key for $USER" \
71	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	92	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
72	fatal "couldn't sign cert_host_key_${ktype}"	93	fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
100		121
101	# Basic connect and revocation tests.	122	# Basic connect and revocation tests.
102	for privsep in yes no ; do	123	for privsep in yes no ; do
103	for ktype in $PLAIN_TYPES ; do	124	for ktype in $PLAIN_TYPES ; do
104	verbose "$tid: host ${ktype} cert connect privsep $privsep"	125	verbose "$tid: host ${ktype} cert connect privsep $privsep"
105	(	126	(
106	cat $OBJ/sshd_proxy_bak	127	cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
131	done	152	done
132		153
133	# Revoked certificates with key present	154	# Revoked certificates with key present
134	(	155	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
135	printf '@cert-authority '	156	for ktype in $PLAIN_TYPES ; do
136	printf "$HOSTS "	157	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
137	cat $OBJ/host_ca_key.pub	158	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
138	for ktype in $PLAIN_TYPES ; do	159	done
139	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
140	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
141	done
142	) > $OBJ/known_hosts-cert.orig
143	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	160	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
144	for privsep in yes no ; do	161	for privsep in yes no ; do
145	for ktype in $PLAIN_TYPES ; do	162	for ktype in $PLAIN_TYPES ; do
146	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	163	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
147	(	164	(
148	cat $OBJ/sshd_proxy_bak	165	cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
162	done	179	done
163		180
164	# Revoked CA	181	# Revoked CA
165	(	182	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
166	printf '@cert-authority '	183	kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
167	printf "$HOSTS "
168	cat $OBJ/host_ca_key.pub
169	printf '@revoked '
170	printf "* "
171	cat $OBJ/host_ca_key.pub
172	) > $OBJ/known_hosts-cert.orig
173	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	184	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
174	for ktype in $PLAIN_TYPES ; do	185	for ktype in $PLAIN_TYPES ; do
175	verbose "$tid: host ${ktype} revoked cert"	186	verbose "$tid: host ${ktype} revoked cert"
176	(	187	(
177	cat $OBJ/sshd_proxy_bak	188	cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
188	done	199	done
189		200
190	# Create a CA key and add it to known hosts	201	# Create a CA key and add it to known hosts
191	(	202	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
192	printf '@cert-authority '
193	printf "$HOSTS "
194	cat $OBJ/host_ca_key.pub
195	) > $OBJ/known_hosts-cert.orig
196	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	203	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
197		204
198	test_one() {	205	test_one() {
@@ -201,16 +208,19 @@ test_one() {
201	sign_opts=$3	208	sign_opts=$3
202		209
203	for kt in rsa ed25519 ; do	210	for kt in rsa ed25519 ; do
204	${SSHKEYGEN} -q -s $OBJ/host_ca_key \	211	case $ktype in
205	-I "regress host key for $USER" \	212	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		213	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		214	esac
		215	${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
206	$sign_opts $OBJ/cert_host_key_${kt} \|\|	216	$sign_opts $OBJ/cert_host_key_${kt} \|\|
207	fail "couldn't sign cert_host_key_${kt}"	217	fatal "couldn't sign cert_host_key_${kt}"
208	(	218	(
209	cat $OBJ/sshd_proxy_bak	219	cat $OBJ/sshd_proxy_bak
210	echo HostKey $OBJ/cert_host_key_${kt}	220	echo HostKey $OBJ/cert_host_key_${kt}
211	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub	221	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
212	) > $OBJ/sshd_proxy	222	) > $OBJ/sshd_proxy
213		223
214	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	224	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
215	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	225	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
216	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	226	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
237	test_one "cert has constraints" failure "-h -Oforce-command=false"	247	test_one "cert has constraints" failure "-h -Oforce-command=false"
238		248
239	# Check downgrade of cert to raw key when no CA found	249	# Check downgrade of cert to raw key when no CA found
240	for ktype in $PLAIN_TYPES ; do	250	for ktype in $PLAIN_TYPES ; do
241	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	251	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
242	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"	252	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
243	# Generate and sign a host key	253	# Generate and sign a host key
244	${SSHKEYGEN} -q -N '' -t ${ktype} \	254	${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} \|\| \
245	-f $OBJ/cert_host_key_${ktype} \|\| \
246	fail "ssh-keygen of cert_host_key_${ktype} failed"	255	fail "ssh-keygen of cert_host_key_${ktype} failed"
247	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \	256	case $ktype in
		257	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		258	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		259	esac
		260	${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
248	-I "regress host key for $USER" \	261	-I "regress host key for $USER" \
249	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	262	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
250	fail "couldn't sign cert_host_key_${ktype}"	263	fatal "couldn't sign cert_host_key_${ktype}"
251	(	264	(
252	printf "$HOSTS "	265	printf "$HOSTS "
253	cat $OBJ/cert_host_key_${ktype}.pub	266	cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
257	echo HostKey $OBJ/cert_host_key_${ktype}	270	echo HostKey $OBJ/cert_host_key_${ktype}
258	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	271	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
259	) > $OBJ/sshd_proxy	272	) > $OBJ/sshd_proxy
260		273
261	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	274	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
262	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	275	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
263	-F $OBJ/ssh_proxy somehost true	276	-F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
267	done	280	done
268		281
269	# Wrong certificate	282	# Wrong certificate
270	(	283	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
271	printf '@cert-authority '
272	printf "$HOSTS "
273	cat $OBJ/host_ca_key.pub
274	) > $OBJ/known_hosts-cert.orig
275	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	284	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
276	for kt in $PLAIN_TYPES ; do	285	for kt in $PLAIN_TYPES ; do
		286	verbose "$tid: host ${kt} connect wrong cert"
277	rm -f $OBJ/cert_host_key*	287	rm -f $OBJ/cert_host_key*
278	# Self-sign key	288	# Self-sign key
279	${SSHKEYGEN} -q -N '' -t ${kt} \	289	${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} \|\| \
280	-f $OBJ/cert_host_key_${kt} \|\| \
281	fail "ssh-keygen of cert_host_key_${kt} failed"	290	fail "ssh-keygen of cert_host_key_${kt} failed"
282	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \	291	case $kt in
		292	rsa-sha2-*) tflag="-t $kt" ;;
		293	*) tflag="" ;;
		294	esac
		295	${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
283	-I "regress host key for $USER" \	296	-I "regress host key for $USER" \
284	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|	297	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
285	fail "couldn't sign cert_host_key_${kt}"	298	fatal "couldn't sign cert_host_key_${kt}"
286	verbose "$tid: host ${kt} connect wrong cert"
287	(	299	(
288	cat $OBJ/sshd_proxy_bak	300	cat $OBJ/sshd_proxy_bak
289	echo HostKey $OBJ/cert_host_key_${kt}	301	echo HostKey $OBJ/cert_host_key_${kt}