diff options
author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:58:01 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:58:01 +1100 |
commit | 700dcfa3e0a98be44f2e3675849055984f04a70a (patch) | |
tree | c10708a700b61025695b7755c25aa98f3dff0d9b /regress/cert-hostkey.sh | |
parent | 017d1e777ef197eab866b9d0046e000a46baf10b (diff) |
- djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 64 |
1 files changed, 63 insertions, 1 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 9097a1359..3fda667cb 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
@@ -50,6 +50,68 @@ for privsep in yes no ; do | |||
50 | done | 50 | done |
51 | done | 51 | done |
52 | 52 | ||
53 | # Revoked certificates with key present | ||
54 | ( | ||
55 | echon '@cert-authority ' | ||
56 | echon "$HOSTS " | ||
57 | cat $OBJ/host_ca_key.pub | ||
58 | echon '@revoked ' | ||
59 | echon "* " | ||
60 | cat $OBJ/cert_host_key_rsa.pub | ||
61 | echon '@revoked ' | ||
62 | echon "* " | ||
63 | cat $OBJ/cert_host_key_dsa.pub | ||
64 | ) > $OBJ/known_hosts-cert | ||
65 | for privsep in yes no ; do | ||
66 | for ktype in rsa dsa ; do | ||
67 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | ||
68 | ( | ||
69 | cat $OBJ/sshd_proxy_bak | ||
70 | echo HostKey $OBJ/cert_host_key_${ktype} | ||
71 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | ||
72 | echo UsePrivilegeSeparation $privsep | ||
73 | ) > $OBJ/sshd_proxy | ||
74 | |||
75 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | ||
76 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
77 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
78 | if [ $? -eq 0 ]; then | ||
79 | fail "ssh cert connect succeeded unexpectedly" | ||
80 | fi | ||
81 | done | ||
82 | done | ||
83 | |||
84 | # Revoked CA | ||
85 | ( | ||
86 | echon '@cert-authority ' | ||
87 | echon "$HOSTS " | ||
88 | cat $OBJ/host_ca_key.pub | ||
89 | echon '@revoked ' | ||
90 | echon "* " | ||
91 | cat $OBJ/host_ca_key.pub | ||
92 | ) > $OBJ/known_hosts-cert | ||
93 | for ktype in rsa dsa ; do | ||
94 | verbose "$tid: host ${ktype} revoked cert" | ||
95 | ( | ||
96 | cat $OBJ/sshd_proxy_bak | ||
97 | echo HostKey $OBJ/cert_host_key_${ktype} | ||
98 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | ||
99 | ) > $OBJ/sshd_proxy | ||
100 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | ||
101 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
102 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
103 | if [ $? -eq 0 ]; then | ||
104 | fail "ssh cert connect succeeded unexpectedly" | ||
105 | fi | ||
106 | done | ||
107 | |||
108 | # Create a CA key and add it to known hosts | ||
109 | ( | ||
110 | echon '@cert-authority ' | ||
111 | echon "$HOSTS " | ||
112 | cat $OBJ/host_ca_key.pub | ||
113 | ) > $OBJ/known_hosts-cert | ||
114 | |||
53 | test_one() { | 115 | test_one() { |
54 | ident=$1 | 116 | ident=$1 |
55 | result=$2 | 117 | result=$2 |