diff options
author | Damien Miller <djm@mindrot.org> | 2010-04-18 08:15:14 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-04-18 08:15:14 +1000 |
commit | 53f4bb65999cef5634fba2bb4fbef3a70650ce4c (patch) | |
tree | 002e247813a243f01f75668a2557018fdc04a705 /regress/cert-hostkey.sh | |
parent | c617aa9ff541d00df413846835ad31e556e71b31 (diff) |
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/16 01:58:45
[regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for v01 certificate format
includes interop tests for v00 certs
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 174 |
1 files changed, 101 insertions, 73 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3fda667cb..0265e8f6b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do | |||
28 | -I "regress host key for $USER" \ | 28 | -I "regress host key for $USER" \ |
29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
30 | fail "couldn't sign cert_host_key_${ktype}" | 30 | fail "couldn't sign cert_host_key_${ktype}" |
31 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | ||
32 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | ||
33 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | ||
34 | -I "regress host key for $USER" \ | ||
35 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || | ||
36 | fail "couldn't sign cert_host_key_${ktype}_v00" | ||
31 | done | 37 | done |
32 | 38 | ||
33 | # Basic connect tests | 39 | # Basic connect tests |
34 | for privsep in yes no ; do | 40 | for privsep in yes no ; do |
35 | for ktype in rsa dsa ; do | 41 | for ktype in rsa dsa rsa_v00 dsa_v00; do |
36 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 42 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
37 | ( | 43 | ( |
38 | cat $OBJ/sshd_proxy_bak | 44 | cat $OBJ/sshd_proxy_bak |
@@ -61,9 +67,15 @@ done | |||
61 | echon '@revoked ' | 67 | echon '@revoked ' |
62 | echon "* " | 68 | echon "* " |
63 | cat $OBJ/cert_host_key_dsa.pub | 69 | cat $OBJ/cert_host_key_dsa.pub |
70 | echon '@revoked ' | ||
71 | echon "* " | ||
72 | cat $OBJ/cert_host_key_rsa_v00.pub | ||
73 | echon '@revoked ' | ||
74 | echon "* " | ||
75 | cat $OBJ/cert_host_key_dsa_v00.pub | ||
64 | ) > $OBJ/known_hosts-cert | 76 | ) > $OBJ/known_hosts-cert |
65 | for privsep in yes no ; do | 77 | for privsep in yes no ; do |
66 | for ktype in rsa dsa ; do | 78 | for ktype in rsa dsa rsa_v00 dsa_v00; do |
67 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 79 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
68 | ( | 80 | ( |
69 | cat $OBJ/sshd_proxy_bak | 81 | cat $OBJ/sshd_proxy_bak |
@@ -90,7 +102,7 @@ done | |||
90 | echon "* " | 102 | echon "* " |
91 | cat $OBJ/host_ca_key.pub | 103 | cat $OBJ/host_ca_key.pub |
92 | ) > $OBJ/known_hosts-cert | 104 | ) > $OBJ/known_hosts-cert |
93 | for ktype in rsa dsa ; do | 105 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do |
94 | verbose "$tid: host ${ktype} revoked cert" | 106 | verbose "$tid: host ${ktype} revoked cert" |
95 | ( | 107 | ( |
96 | cat $OBJ/sshd_proxy_bak | 108 | cat $OBJ/sshd_proxy_bak |
@@ -116,32 +128,39 @@ test_one() { | |||
116 | ident=$1 | 128 | ident=$1 |
117 | result=$2 | 129 | result=$2 |
118 | sign_opts=$3 | 130 | sign_opts=$3 |
119 | |||
120 | verbose "$tid: test host cert connect $ident expect $result" | ||
121 | |||
122 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ | ||
123 | $sign_opts \ | ||
124 | $OBJ/cert_host_key_rsa || | ||
125 | fail "couldn't sign cert_host_key_rsa" | ||
126 | ( | ||
127 | cat $OBJ/sshd_proxy_bak | ||
128 | echo HostKey $OBJ/cert_host_key_rsa | ||
129 | echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub | ||
130 | ) > $OBJ/sshd_proxy | ||
131 | 131 | ||
132 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 132 | for kt in rsa rsa_v00 ; do |
133 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 133 | case $kt in |
134 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 134 | *_v00) args="-t v00" ;; |
135 | rc=$? | 135 | *) args="" ;; |
136 | if [ "x$result" = "xsuccess" ] ; then | 136 | esac |
137 | if [ $rc -ne 0 ]; then | 137 | |
138 | fail "ssh cert connect $ident failed unexpectedly" | 138 | verbose "$tid: host cert connect $ident $kt expect $result" |
139 | fi | 139 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ |
140 | else | 140 | -I "regress host key for $USER" \ |
141 | if [ $rc -eq 0 ]; then | 141 | $sign_opts $args \ |
142 | fail "ssh cert connect $ident succeeded unexpectedly" | 142 | $OBJ/cert_host_key_${kt} || |
143 | fail "couldn't sign cert_host_key_${kt}" | ||
144 | ( | ||
145 | cat $OBJ/sshd_proxy_bak | ||
146 | echo HostKey $OBJ/cert_host_key_${kt} | ||
147 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | ||
148 | ) > $OBJ/sshd_proxy | ||
149 | |||
150 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | ||
151 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
153 | rc=$? | ||
154 | if [ "x$result" = "xsuccess" ] ; then | ||
155 | if [ $rc -ne 0 ]; then | ||
156 | fail "ssh cert connect $ident failed unexpectedly" | ||
157 | fi | ||
158 | else | ||
159 | if [ $rc -eq 0 ]; then | ||
160 | fail "ssh cert connect $ident succeeded unexpectedly" | ||
161 | fi | ||
143 | fi | 162 | fi |
144 | fi | 163 | done |
145 | } | 164 | } |
146 | 165 | ||
147 | test_one "user-certificate" failure "-n $HOSTS" | 166 | test_one "user-certificate" failure "-n $HOSTS" |
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w" | |||
153 | test_one "cert has constraints" failure "-h -Oforce-command=false" | 172 | test_one "cert has constraints" failure "-h -Oforce-command=false" |
154 | 173 | ||
155 | # Check downgrade of cert to raw key when no CA found | 174 | # Check downgrade of cert to raw key when no CA found |
156 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 175 | for v in v01 v00 ; do |
157 | for ktype in rsa dsa ; do | 176 | for ktype in rsa dsa ; do |
158 | verbose "$tid: host ${ktype} cert downgrade to raw key" | 177 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
159 | # Generate and sign a host key | 178 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
160 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 179 | # Generate and sign a host key |
161 | -f $OBJ/cert_host_key_${ktype} || \ | 180 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
162 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 181 | -f $OBJ/cert_host_key_${ktype} || \ |
163 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ | 182 | fail "ssh-keygen of cert_host_key_${ktype} failed" |
164 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 183 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ |
165 | fail "couldn't sign cert_host_key_${ktype}" | 184 | -I "regress host key for $USER" \ |
166 | ( | 185 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
167 | echon "$HOSTS " | 186 | fail "couldn't sign cert_host_key_${ktype}" |
168 | cat $OBJ/cert_host_key_${ktype}.pub | 187 | ( |
169 | ) > $OBJ/known_hosts-cert | 188 | echon "$HOSTS " |
170 | ( | 189 | cat $OBJ/cert_host_key_${ktype}.pub |
171 | cat $OBJ/sshd_proxy_bak | 190 | ) > $OBJ/known_hosts-cert |
172 | echo HostKey $OBJ/cert_host_key_${ktype} | 191 | ( |
173 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 192 | cat $OBJ/sshd_proxy_bak |
174 | ) > $OBJ/sshd_proxy | 193 | echo HostKey $OBJ/cert_host_key_${ktype} |
175 | 194 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | |
176 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 195 | ) > $OBJ/sshd_proxy |
177 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 196 | |
178 | -F $OBJ/ssh_proxy somehost true | 197 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
179 | if [ $? -ne 0 ]; then | 198 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
180 | fail "ssh cert connect failed" | 199 | -F $OBJ/ssh_proxy somehost true |
181 | fi | 200 | if [ $? -ne 0 ]; then |
201 | fail "ssh cert connect failed" | ||
202 | fi | ||
203 | done | ||
182 | done | 204 | done |
183 | 205 | ||
184 | # Wrong certificate | 206 | # Wrong certificate |
@@ -187,25 +209,31 @@ done | |||
187 | echon "$HOSTS " | 209 | echon "$HOSTS " |
188 | cat $OBJ/host_ca_key.pub | 210 | cat $OBJ/host_ca_key.pub |
189 | ) > $OBJ/known_hosts-cert | 211 | ) > $OBJ/known_hosts-cert |
190 | for ktype in rsa dsa ; do | 212 | for v in v01 v00 ; do |
191 | # Self-sign key | 213 | for kt in rsa dsa ; do |
192 | ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ | 214 | rm -f $OBJ/cert_host_key* |
193 | -I "regress host key for $USER" \ | 215 | # Self-sign key |
194 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 216 | ${SSHKEYGEN} -q -N '' -t ${kt} \ |
195 | fail "couldn't sign cert_host_key_${ktype}" | 217 | -f $OBJ/cert_host_key_${kt} || \ |
196 | verbose "$tid: host ${ktype} connect wrong cert" | 218 | fail "ssh-keygen of cert_host_key_${kt} failed" |
197 | ( | 219 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ |
198 | cat $OBJ/sshd_proxy_bak | 220 | -I "regress host key for $USER" \ |
199 | echo HostKey $OBJ/cert_host_key_${ktype} | 221 | -n $HOSTS $OBJ/cert_host_key_${kt} || |
200 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 222 | fail "couldn't sign cert_host_key_${kt}" |
201 | ) > $OBJ/sshd_proxy | 223 | verbose "$tid: host ${kt} connect wrong cert" |
202 | 224 | ( | |
203 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 225 | cat $OBJ/sshd_proxy_bak |
204 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 226 | echo HostKey $OBJ/cert_host_key_${kt} |
205 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | 227 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
206 | if [ $? -eq 0 ]; then | 228 | ) > $OBJ/sshd_proxy |
207 | fail "ssh cert connect $ident succeeded unexpectedly" | 229 | |
208 | fi | 230 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
231 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
232 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | ||
233 | if [ $? -eq 0 ]; then | ||
234 | fail "ssh cert connect $ident succeeded unexpectedly" | ||
235 | fi | ||
236 | done | ||
209 | done | 237 | done |
210 | 238 | ||
211 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* | 239 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* |