summaryrefslogtreecommitdiff
path: root/regress/cert-hostkey.sh
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-04-18 08:15:14 +1000
committerDamien Miller <djm@mindrot.org>2010-04-18 08:15:14 +1000
commit53f4bb65999cef5634fba2bb4fbef3a70650ce4c (patch)
tree002e247813a243f01f75668a2557018fdc04a705 /regress/cert-hostkey.sh
parentc617aa9ff541d00df413846835ad31e556e71b31 (diff)
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/16 01:58:45 [regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for v01 certificate format includes interop tests for v00 certs
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh174
1 files changed, 101 insertions, 73 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3fda667cb..0265e8f6b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
28 -I "regress host key for $USER" \ 28 -I "regress host key for $USER" \
29 -n $HOSTS $OBJ/cert_host_key_${ktype} || 29 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
30 fail "couldn't sign cert_host_key_${ktype}" 30 fail "couldn't sign cert_host_key_${ktype}"
31 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
32 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
33 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
34 -I "regress host key for $USER" \
35 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
36 fail "couldn't sign cert_host_key_${ktype}_v00"
31done 37done
32 38
33# Basic connect tests 39# Basic connect tests
34for privsep in yes no ; do 40for privsep in yes no ; do
35 for ktype in rsa dsa ; do 41 for ktype in rsa dsa rsa_v00 dsa_v00; do
36 verbose "$tid: host ${ktype} cert connect privsep $privsep" 42 verbose "$tid: host ${ktype} cert connect privsep $privsep"
37 ( 43 (
38 cat $OBJ/sshd_proxy_bak 44 cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
61 echon '@revoked ' 67 echon '@revoked '
62 echon "* " 68 echon "* "
63 cat $OBJ/cert_host_key_dsa.pub 69 cat $OBJ/cert_host_key_dsa.pub
70 echon '@revoked '
71 echon "* "
72 cat $OBJ/cert_host_key_rsa_v00.pub
73 echon '@revoked '
74 echon "* "
75 cat $OBJ/cert_host_key_dsa_v00.pub
64) > $OBJ/known_hosts-cert 76) > $OBJ/known_hosts-cert
65for privsep in yes no ; do 77for privsep in yes no ; do
66 for ktype in rsa dsa ; do 78 for ktype in rsa dsa rsa_v00 dsa_v00; do
67 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 79 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68 ( 80 (
69 cat $OBJ/sshd_proxy_bak 81 cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
90 echon "* " 102 echon "* "
91 cat $OBJ/host_ca_key.pub 103 cat $OBJ/host_ca_key.pub
92) > $OBJ/known_hosts-cert 104) > $OBJ/known_hosts-cert
93for ktype in rsa dsa ; do 105for ktype in rsa dsa rsa_v00 dsa_v00 ; do
94 verbose "$tid: host ${ktype} revoked cert" 106 verbose "$tid: host ${ktype} revoked cert"
95 ( 107 (
96 cat $OBJ/sshd_proxy_bak 108 cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
116 ident=$1 128 ident=$1
117 result=$2 129 result=$2
118 sign_opts=$3 130 sign_opts=$3
119
120 verbose "$tid: test host cert connect $ident expect $result"
121
122 ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
123 $sign_opts \
124 $OBJ/cert_host_key_rsa ||
125 fail "couldn't sign cert_host_key_rsa"
126 (
127 cat $OBJ/sshd_proxy_bak
128 echo HostKey $OBJ/cert_host_key_rsa
129 echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
130 ) > $OBJ/sshd_proxy
131 131
132 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 132 for kt in rsa rsa_v00 ; do
133 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 133 case $kt in
134 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 134 *_v00) args="-t v00" ;;
135 rc=$? 135 *) args="" ;;
136 if [ "x$result" = "xsuccess" ] ; then 136 esac
137 if [ $rc -ne 0 ]; then 137
138 fail "ssh cert connect $ident failed unexpectedly" 138 verbose "$tid: host cert connect $ident $kt expect $result"
139 fi 139 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
140 else 140 -I "regress host key for $USER" \
141 if [ $rc -eq 0 ]; then 141 $sign_opts $args \
142 fail "ssh cert connect $ident succeeded unexpectedly" 142 $OBJ/cert_host_key_${kt} ||
143 fail "couldn't sign cert_host_key_${kt}"
144 (
145 cat $OBJ/sshd_proxy_bak
146 echo HostKey $OBJ/cert_host_key_${kt}
147 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
148 ) > $OBJ/sshd_proxy
149
150 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
151 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
153 rc=$?
154 if [ "x$result" = "xsuccess" ] ; then
155 if [ $rc -ne 0 ]; then
156 fail "ssh cert connect $ident failed unexpectedly"
157 fi
158 else
159 if [ $rc -eq 0 ]; then
160 fail "ssh cert connect $ident succeeded unexpectedly"
161 fi
143 fi 162 fi
144 fi 163 done
145} 164}
146 165
147test_one "user-certificate" failure "-n $HOSTS" 166test_one "user-certificate" failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
153test_one "cert has constraints" failure "-h -Oforce-command=false" 172test_one "cert has constraints" failure "-h -Oforce-command=false"
154 173
155# Check downgrade of cert to raw key when no CA found 174# Check downgrade of cert to raw key when no CA found
156rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 175for v in v01 v00 ; do
157for ktype in rsa dsa ; do 176 for ktype in rsa dsa ; do
158 verbose "$tid: host ${ktype} cert downgrade to raw key" 177 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
159 # Generate and sign a host key 178 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
160 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 179 # Generate and sign a host key
161 -f $OBJ/cert_host_key_${ktype} || \ 180 ${SSHKEYGEN} -q -N '' -t ${ktype} \
162 fail "ssh-keygen of cert_host_key_${ktype} failed" 181 -f $OBJ/cert_host_key_${ktype} || \
163 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ 182 fail "ssh-keygen of cert_host_key_${ktype} failed"
164 -n $HOSTS $OBJ/cert_host_key_${ktype} || 183 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
165 fail "couldn't sign cert_host_key_${ktype}" 184 -I "regress host key for $USER" \
166 ( 185 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
167 echon "$HOSTS " 186 fail "couldn't sign cert_host_key_${ktype}"
168 cat $OBJ/cert_host_key_${ktype}.pub 187 (
169 ) > $OBJ/known_hosts-cert 188 echon "$HOSTS "
170 ( 189 cat $OBJ/cert_host_key_${ktype}.pub
171 cat $OBJ/sshd_proxy_bak 190 ) > $OBJ/known_hosts-cert
172 echo HostKey $OBJ/cert_host_key_${ktype} 191 (
173 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 192 cat $OBJ/sshd_proxy_bak
174 ) > $OBJ/sshd_proxy 193 echo HostKey $OBJ/cert_host_key_${ktype}
175 194 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
176 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 195 ) > $OBJ/sshd_proxy
177 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 196
178 -F $OBJ/ssh_proxy somehost true 197 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
179 if [ $? -ne 0 ]; then 198 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
180 fail "ssh cert connect failed" 199 -F $OBJ/ssh_proxy somehost true
181 fi 200 if [ $? -ne 0 ]; then
201 fail "ssh cert connect failed"
202 fi
203 done
182done 204done
183 205
184# Wrong certificate 206# Wrong certificate
@@ -187,25 +209,31 @@ done
187 echon "$HOSTS " 209 echon "$HOSTS "
188 cat $OBJ/host_ca_key.pub 210 cat $OBJ/host_ca_key.pub
189) > $OBJ/known_hosts-cert 211) > $OBJ/known_hosts-cert
190for ktype in rsa dsa ; do 212for v in v01 v00 ; do
191 # Self-sign key 213 for kt in rsa dsa ; do
192 ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ 214 rm -f $OBJ/cert_host_key*
193 -I "regress host key for $USER" \ 215 # Self-sign key
194 -n $HOSTS $OBJ/cert_host_key_${ktype} || 216 ${SSHKEYGEN} -q -N '' -t ${kt} \
195 fail "couldn't sign cert_host_key_${ktype}" 217 -f $OBJ/cert_host_key_${kt} || \
196 verbose "$tid: host ${ktype} connect wrong cert" 218 fail "ssh-keygen of cert_host_key_${kt} failed"
197 ( 219 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
198 cat $OBJ/sshd_proxy_bak 220 -I "regress host key for $USER" \
199 echo HostKey $OBJ/cert_host_key_${ktype} 221 -n $HOSTS $OBJ/cert_host_key_${kt} ||
200 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 222 fail "couldn't sign cert_host_key_${kt}"
201 ) > $OBJ/sshd_proxy 223 verbose "$tid: host ${kt} connect wrong cert"
202 224 (
203 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 cat $OBJ/sshd_proxy_bak
204 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 echo HostKey $OBJ/cert_host_key_${kt}
205 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 227 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
206 if [ $? -eq 0 ]; then 228 ) > $OBJ/sshd_proxy
207 fail "ssh cert connect $ident succeeded unexpectedly" 229
208 fi 230 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
231 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
232 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
233 if [ $? -eq 0 ]; then
234 fail "ssh cert connect $ident succeeded unexpectedly"
235 fi
236 done
209done 237done
210 238
211rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 239rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*