diff options
author | Colin Watson <cjwatson@debian.org> | 2016-08-06 10:49:58 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-08-06 10:49:58 +0100 |
commit | a8ed8d256b2e2c05b0c15565a7938028c5192277 (patch) | |
tree | 87abbdc914a38b43e4e5bb9581ad1f46eabbf88e /regress/cert-hostkey.sh | |
parent | f0329aac23c61e1a5197d6d57349a63f459bccb0 (diff) | |
parent | 99522ba7ec6963a05c04a156bf20e3ba3605987c (diff) |
Import openssh_7.3p1.orig.tar.gz
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 126 |
1 files changed, 69 insertions, 57 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3f53922c8..62261cf8b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
30 | 30 | ||
31 | HOSTS='localhost-with-alias,127.0.0.1,::1' | 31 | HOSTS='localhost-with-alias,127.0.0.1,::1' |
32 | 32 | ||
33 | # Create a CA key and add it to known hosts. Ed25519 chosed for speed. | 33 | kh_ca() { |
34 | for k in "$@" ; do | ||
35 | printf "@cert-authority $HOSTS " | ||
36 | cat $OBJ/$k || fatal "couldn't cat $k" | ||
37 | done | ||
38 | } | ||
39 | kh_revoke() { | ||
40 | for k in "$@" ; do | ||
41 | printf "@revoked * " | ||
42 | cat $OBJ/$k || fatal "couldn't cat $k" | ||
43 | done | ||
44 | } | ||
45 | |||
46 | # Create a CA key and add it to known hosts. Ed25519 chosen for speed. | ||
47 | # RSA for testing RSA/SHA2 signatures. | ||
34 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ | 48 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ |
35 | fail "ssh-keygen of host_ca_key failed" | 49 | fail "ssh-keygen of host_ca_key failed" |
36 | ( | 50 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\ |
37 | printf '@cert-authority ' | 51 | fail "ssh-keygen of host_ca_key failed" |
38 | printf "$HOSTS " | 52 | |
39 | cat $OBJ/host_ca_key.pub | 53 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
40 | ) > $OBJ/known_hosts-cert.orig | ||
41 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 54 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
42 | 55 | ||
43 | # Plain text revocation files | 56 | # Plain text revocation files |
44 | touch $OBJ/host_revoked_empty | 57 | touch $OBJ/host_revoked_empty |
45 | touch $OBJ/host_revoked_plain | 58 | touch $OBJ/host_revoked_plain |
46 | touch $OBJ/host_revoked_cert | 59 | touch $OBJ/host_revoked_cert |
47 | cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca | 60 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca |
48 | 61 | ||
49 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 62 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
50 | 63 | ||
64 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
65 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
66 | fi | ||
67 | |||
51 | # Prepare certificate, plain key and CA KRLs | 68 | # Prepare certificate, plain key and CA KRLs |
52 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" | 69 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" |
53 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" | 70 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" |
54 | ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" | 71 | ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" |
55 | ${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \ | 72 | ${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \ |
56 | || fatal "KRL init failed" | 73 | || fatal "KRL init failed" |
57 | 74 | ||
58 | # Generate and sign host keys | 75 | # Generate and sign host keys |
59 | serial=1 | 76 | serial=1 |
60 | for ktype in $PLAIN_TYPES ; do | 77 | for ktype in $PLAIN_TYPES ; do |
61 | verbose "$tid: sign host ${ktype} cert" | 78 | verbose "$tid: sign host ${ktype} cert" |
62 | # Generate and sign a host key | 79 | # Generate and sign a host key |
63 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 80 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do | |||
66 | ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ | 83 | ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ |
67 | $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" | 84 | $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" |
68 | cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain | 85 | cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain |
69 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \ | 86 | case $ktype in |
87 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; | ||
88 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
89 | esac | ||
90 | ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \ | ||
70 | -I "regress host key for $USER" \ | 91 | -I "regress host key for $USER" \ |
71 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 92 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
72 | fatal "couldn't sign cert_host_key_${ktype}" | 93 | fatal "couldn't sign cert_host_key_${ktype}" |
@@ -100,7 +121,7 @@ attempt_connect() { | |||
100 | 121 | ||
101 | # Basic connect and revocation tests. | 122 | # Basic connect and revocation tests. |
102 | for privsep in yes no ; do | 123 | for privsep in yes no ; do |
103 | for ktype in $PLAIN_TYPES ; do | 124 | for ktype in $PLAIN_TYPES ; do |
104 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 125 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
105 | ( | 126 | ( |
106 | cat $OBJ/sshd_proxy_bak | 127 | cat $OBJ/sshd_proxy_bak |
@@ -131,18 +152,14 @@ for privsep in yes no ; do | |||
131 | done | 152 | done |
132 | 153 | ||
133 | # Revoked certificates with key present | 154 | # Revoked certificates with key present |
134 | ( | 155 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
135 | printf '@cert-authority ' | 156 | for ktype in $PLAIN_TYPES ; do |
136 | printf "$HOSTS " | 157 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" |
137 | cat $OBJ/host_ca_key.pub | 158 | kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig |
138 | for ktype in $PLAIN_TYPES ; do | 159 | done |
139 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" | ||
140 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" | ||
141 | done | ||
142 | ) > $OBJ/known_hosts-cert.orig | ||
143 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 160 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
144 | for privsep in yes no ; do | 161 | for privsep in yes no ; do |
145 | for ktype in $PLAIN_TYPES ; do | 162 | for ktype in $PLAIN_TYPES ; do |
146 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 163 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
147 | ( | 164 | ( |
148 | cat $OBJ/sshd_proxy_bak | 165 | cat $OBJ/sshd_proxy_bak |
@@ -162,16 +179,10 @@ for privsep in yes no ; do | |||
162 | done | 179 | done |
163 | 180 | ||
164 | # Revoked CA | 181 | # Revoked CA |
165 | ( | 182 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
166 | printf '@cert-authority ' | 183 | kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig |
167 | printf "$HOSTS " | ||
168 | cat $OBJ/host_ca_key.pub | ||
169 | printf '@revoked ' | ||
170 | printf "* " | ||
171 | cat $OBJ/host_ca_key.pub | ||
172 | ) > $OBJ/known_hosts-cert.orig | ||
173 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 184 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
174 | for ktype in $PLAIN_TYPES ; do | 185 | for ktype in $PLAIN_TYPES ; do |
175 | verbose "$tid: host ${ktype} revoked cert" | 186 | verbose "$tid: host ${ktype} revoked cert" |
176 | ( | 187 | ( |
177 | cat $OBJ/sshd_proxy_bak | 188 | cat $OBJ/sshd_proxy_bak |
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do | |||
188 | done | 199 | done |
189 | 200 | ||
190 | # Create a CA key and add it to known hosts | 201 | # Create a CA key and add it to known hosts |
191 | ( | 202 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
192 | printf '@cert-authority ' | ||
193 | printf "$HOSTS " | ||
194 | cat $OBJ/host_ca_key.pub | ||
195 | ) > $OBJ/known_hosts-cert.orig | ||
196 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 203 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
197 | 204 | ||
198 | test_one() { | 205 | test_one() { |
@@ -201,16 +208,19 @@ test_one() { | |||
201 | sign_opts=$3 | 208 | sign_opts=$3 |
202 | 209 | ||
203 | for kt in rsa ed25519 ; do | 210 | for kt in rsa ed25519 ; do |
204 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ | 211 | case $ktype in |
205 | -I "regress host key for $USER" \ | 212 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; |
213 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
214 | esac | ||
215 | ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \ | ||
206 | $sign_opts $OBJ/cert_host_key_${kt} || | 216 | $sign_opts $OBJ/cert_host_key_${kt} || |
207 | fail "couldn't sign cert_host_key_${kt}" | 217 | fatal "couldn't sign cert_host_key_${kt}" |
208 | ( | 218 | ( |
209 | cat $OBJ/sshd_proxy_bak | 219 | cat $OBJ/sshd_proxy_bak |
210 | echo HostKey $OBJ/cert_host_key_${kt} | 220 | echo HostKey $OBJ/cert_host_key_${kt} |
211 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | 221 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
212 | ) > $OBJ/sshd_proxy | 222 | ) > $OBJ/sshd_proxy |
213 | 223 | ||
214 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 224 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
215 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 225 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
216 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 226 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
@@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w" | |||
237 | test_one "cert has constraints" failure "-h -Oforce-command=false" | 247 | test_one "cert has constraints" failure "-h -Oforce-command=false" |
238 | 248 | ||
239 | # Check downgrade of cert to raw key when no CA found | 249 | # Check downgrade of cert to raw key when no CA found |
240 | for ktype in $PLAIN_TYPES ; do | 250 | for ktype in $PLAIN_TYPES ; do |
241 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 251 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
242 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" | 252 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
243 | # Generate and sign a host key | 253 | # Generate and sign a host key |
244 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 254 | ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \ |
245 | -f $OBJ/cert_host_key_${ktype} || \ | ||
246 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 255 | fail "ssh-keygen of cert_host_key_${ktype} failed" |
247 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ | 256 | case $ktype in |
257 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; | ||
258 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
259 | esac | ||
260 | ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \ | ||
248 | -I "regress host key for $USER" \ | 261 | -I "regress host key for $USER" \ |
249 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 262 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
250 | fail "couldn't sign cert_host_key_${ktype}" | 263 | fatal "couldn't sign cert_host_key_${ktype}" |
251 | ( | 264 | ( |
252 | printf "$HOSTS " | 265 | printf "$HOSTS " |
253 | cat $OBJ/cert_host_key_${ktype}.pub | 266 | cat $OBJ/cert_host_key_${ktype}.pub |
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do | |||
257 | echo HostKey $OBJ/cert_host_key_${ktype} | 270 | echo HostKey $OBJ/cert_host_key_${ktype} |
258 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 271 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
259 | ) > $OBJ/sshd_proxy | 272 | ) > $OBJ/sshd_proxy |
260 | 273 | ||
261 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 274 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
262 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 275 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
263 | -F $OBJ/ssh_proxy somehost true | 276 | -F $OBJ/ssh_proxy somehost true |
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do | |||
267 | done | 280 | done |
268 | 281 | ||
269 | # Wrong certificate | 282 | # Wrong certificate |
270 | ( | 283 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
271 | printf '@cert-authority ' | ||
272 | printf "$HOSTS " | ||
273 | cat $OBJ/host_ca_key.pub | ||
274 | ) > $OBJ/known_hosts-cert.orig | ||
275 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 284 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
276 | for kt in $PLAIN_TYPES ; do | 285 | for kt in $PLAIN_TYPES ; do |
286 | verbose "$tid: host ${kt} connect wrong cert" | ||
277 | rm -f $OBJ/cert_host_key* | 287 | rm -f $OBJ/cert_host_key* |
278 | # Self-sign key | 288 | # Self-sign key |
279 | ${SSHKEYGEN} -q -N '' -t ${kt} \ | 289 | ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \ |
280 | -f $OBJ/cert_host_key_${kt} || \ | ||
281 | fail "ssh-keygen of cert_host_key_${kt} failed" | 290 | fail "ssh-keygen of cert_host_key_${kt} failed" |
282 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ | 291 | case $kt in |
292 | rsa-sha2-*) tflag="-t $kt" ;; | ||
293 | *) tflag="" ;; | ||
294 | esac | ||
295 | ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \ | ||
283 | -I "regress host key for $USER" \ | 296 | -I "regress host key for $USER" \ |
284 | -n $HOSTS $OBJ/cert_host_key_${kt} || | 297 | -n $HOSTS $OBJ/cert_host_key_${kt} || |
285 | fail "couldn't sign cert_host_key_${kt}" | 298 | fatal "couldn't sign cert_host_key_${kt}" |
286 | verbose "$tid: host ${kt} connect wrong cert" | ||
287 | ( | 299 | ( |
288 | cat $OBJ/sshd_proxy_bak | 300 | cat $OBJ/sshd_proxy_bak |
289 | echo HostKey $OBJ/cert_host_key_${kt} | 301 | echo HostKey $OBJ/cert_host_key_${kt} |