diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-05-02 09:52:00 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-05-02 20:59:50 +1000 |
| commit | 67f1459efd2e85bf03d032539283fa8107218936 (patch) | |
| tree | 8398f9c5d63bb4c5694023f8671a00a5db38c951 /regress/cert-hostkey.sh | |
| parent | 0e8eeec8e75f6d0eaf33317376f773160018a9c7 (diff) | |
upstream commit
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
Diffstat (limited to 'regress/cert-hostkey.sh')
| -rw-r--r-- | regress/cert-hostkey.sh | 126 |
1 files changed, 69 insertions, 57 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3f53922c8..62261cf8b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
| 30 | 30 | ||
| 31 | HOSTS='localhost-with-alias,127.0.0.1,::1' | 31 | HOSTS='localhost-with-alias,127.0.0.1,::1' |
| 32 | 32 | ||
| 33 | # Create a CA key and add it to known hosts. Ed25519 chosed for speed. | 33 | kh_ca() { |
| 34 | for k in "$@" ; do | ||
| 35 | printf "@cert-authority $HOSTS " | ||
| 36 | cat $OBJ/$k || fatal "couldn't cat $k" | ||
| 37 | done | ||
| 38 | } | ||
| 39 | kh_revoke() { | ||
| 40 | for k in "$@" ; do | ||
| 41 | printf "@revoked * " | ||
| 42 | cat $OBJ/$k || fatal "couldn't cat $k" | ||
| 43 | done | ||
| 44 | } | ||
| 45 | |||
| 46 | # Create a CA key and add it to known hosts. Ed25519 chosen for speed. | ||
| 47 | # RSA for testing RSA/SHA2 signatures. | ||
| 34 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ | 48 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ |
| 35 | fail "ssh-keygen of host_ca_key failed" | 49 | fail "ssh-keygen of host_ca_key failed" |
| 36 | ( | 50 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\ |
| 37 | printf '@cert-authority ' | 51 | fail "ssh-keygen of host_ca_key failed" |
| 38 | printf "$HOSTS " | 52 | |
| 39 | cat $OBJ/host_ca_key.pub | 53 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| 40 | ) > $OBJ/known_hosts-cert.orig | ||
| 41 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 54 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 42 | 55 | ||
| 43 | # Plain text revocation files | 56 | # Plain text revocation files |
| 44 | touch $OBJ/host_revoked_empty | 57 | touch $OBJ/host_revoked_empty |
| 45 | touch $OBJ/host_revoked_plain | 58 | touch $OBJ/host_revoked_plain |
| 46 | touch $OBJ/host_revoked_cert | 59 | touch $OBJ/host_revoked_cert |
| 47 | cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca | 60 | cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca |
| 48 | 61 | ||
| 49 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 62 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
| 50 | 63 | ||
| 64 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
| 65 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
| 66 | fi | ||
| 67 | |||
| 51 | # Prepare certificate, plain key and CA KRLs | 68 | # Prepare certificate, plain key and CA KRLs |
| 52 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" | 69 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" |
| 53 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" | 70 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" |
| 54 | ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" | 71 | ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" |
| 55 | ${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \ | 72 | ${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \ |
| 56 | || fatal "KRL init failed" | 73 | || fatal "KRL init failed" |
| 57 | 74 | ||
| 58 | # Generate and sign host keys | 75 | # Generate and sign host keys |
| 59 | serial=1 | 76 | serial=1 |
| 60 | for ktype in $PLAIN_TYPES ; do | 77 | for ktype in $PLAIN_TYPES ; do |
| 61 | verbose "$tid: sign host ${ktype} cert" | 78 | verbose "$tid: sign host ${ktype} cert" |
| 62 | # Generate and sign a host key | 79 | # Generate and sign a host key |
| 63 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 80 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| @@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do | |||
| 66 | ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ | 83 | ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ |
| 67 | $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" | 84 | $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" |
| 68 | cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain | 85 | cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain |
| 69 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \ | 86 | case $ktype in |
| 87 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; | ||
| 88 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
| 89 | esac | ||
| 90 | ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \ | ||
| 70 | -I "regress host key for $USER" \ | 91 | -I "regress host key for $USER" \ |
| 71 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 92 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 72 | fatal "couldn't sign cert_host_key_${ktype}" | 93 | fatal "couldn't sign cert_host_key_${ktype}" |
| @@ -100,7 +121,7 @@ attempt_connect() { | |||
| 100 | 121 | ||
| 101 | # Basic connect and revocation tests. | 122 | # Basic connect and revocation tests. |
| 102 | for privsep in yes no ; do | 123 | for privsep in yes no ; do |
| 103 | for ktype in $PLAIN_TYPES ; do | 124 | for ktype in $PLAIN_TYPES ; do |
| 104 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 125 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| 105 | ( | 126 | ( |
| 106 | cat $OBJ/sshd_proxy_bak | 127 | cat $OBJ/sshd_proxy_bak |
| @@ -131,18 +152,14 @@ for privsep in yes no ; do | |||
| 131 | done | 152 | done |
| 132 | 153 | ||
| 133 | # Revoked certificates with key present | 154 | # Revoked certificates with key present |
| 134 | ( | 155 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| 135 | printf '@cert-authority ' | 156 | for ktype in $PLAIN_TYPES ; do |
| 136 | printf "$HOSTS " | 157 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" |
| 137 | cat $OBJ/host_ca_key.pub | 158 | kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig |
| 138 | for ktype in $PLAIN_TYPES ; do | 159 | done |
| 139 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" | ||
| 140 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" | ||
| 141 | done | ||
| 142 | ) > $OBJ/known_hosts-cert.orig | ||
| 143 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 160 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 144 | for privsep in yes no ; do | 161 | for privsep in yes no ; do |
| 145 | for ktype in $PLAIN_TYPES ; do | 162 | for ktype in $PLAIN_TYPES ; do |
| 146 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 163 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
| 147 | ( | 164 | ( |
| 148 | cat $OBJ/sshd_proxy_bak | 165 | cat $OBJ/sshd_proxy_bak |
| @@ -162,16 +179,10 @@ for privsep in yes no ; do | |||
| 162 | done | 179 | done |
| 163 | 180 | ||
| 164 | # Revoked CA | 181 | # Revoked CA |
| 165 | ( | 182 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| 166 | printf '@cert-authority ' | 183 | kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig |
| 167 | printf "$HOSTS " | ||
| 168 | cat $OBJ/host_ca_key.pub | ||
| 169 | printf '@revoked ' | ||
| 170 | printf "* " | ||
| 171 | cat $OBJ/host_ca_key.pub | ||
| 172 | ) > $OBJ/known_hosts-cert.orig | ||
| 173 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 184 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 174 | for ktype in $PLAIN_TYPES ; do | 185 | for ktype in $PLAIN_TYPES ; do |
| 175 | verbose "$tid: host ${ktype} revoked cert" | 186 | verbose "$tid: host ${ktype} revoked cert" |
| 176 | ( | 187 | ( |
| 177 | cat $OBJ/sshd_proxy_bak | 188 | cat $OBJ/sshd_proxy_bak |
| @@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 188 | done | 199 | done |
| 189 | 200 | ||
| 190 | # Create a CA key and add it to known hosts | 201 | # Create a CA key and add it to known hosts |
| 191 | ( | 202 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| 192 | printf '@cert-authority ' | ||
| 193 | printf "$HOSTS " | ||
| 194 | cat $OBJ/host_ca_key.pub | ||
| 195 | ) > $OBJ/known_hosts-cert.orig | ||
| 196 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 203 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 197 | 204 | ||
| 198 | test_one() { | 205 | test_one() { |
| @@ -201,16 +208,19 @@ test_one() { | |||
| 201 | sign_opts=$3 | 208 | sign_opts=$3 |
| 202 | 209 | ||
| 203 | for kt in rsa ed25519 ; do | 210 | for kt in rsa ed25519 ; do |
| 204 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ | 211 | case $ktype in |
| 205 | -I "regress host key for $USER" \ | 212 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; |
| 213 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
| 214 | esac | ||
| 215 | ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \ | ||
| 206 | $sign_opts $OBJ/cert_host_key_${kt} || | 216 | $sign_opts $OBJ/cert_host_key_${kt} || |
| 207 | fail "couldn't sign cert_host_key_${kt}" | 217 | fatal "couldn't sign cert_host_key_${kt}" |
| 208 | ( | 218 | ( |
| 209 | cat $OBJ/sshd_proxy_bak | 219 | cat $OBJ/sshd_proxy_bak |
| 210 | echo HostKey $OBJ/cert_host_key_${kt} | 220 | echo HostKey $OBJ/cert_host_key_${kt} |
| 211 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | 221 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
| 212 | ) > $OBJ/sshd_proxy | 222 | ) > $OBJ/sshd_proxy |
| 213 | 223 | ||
| 214 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 224 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 215 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 225 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 216 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 226 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| @@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w" | |||
| 237 | test_one "cert has constraints" failure "-h -Oforce-command=false" | 247 | test_one "cert has constraints" failure "-h -Oforce-command=false" |
| 238 | 248 | ||
| 239 | # Check downgrade of cert to raw key when no CA found | 249 | # Check downgrade of cert to raw key when no CA found |
| 240 | for ktype in $PLAIN_TYPES ; do | 250 | for ktype in $PLAIN_TYPES ; do |
| 241 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 251 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
| 242 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" | 252 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
| 243 | # Generate and sign a host key | 253 | # Generate and sign a host key |
| 244 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 254 | ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \ |
| 245 | -f $OBJ/cert_host_key_${ktype} || \ | ||
| 246 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 255 | fail "ssh-keygen of cert_host_key_${ktype} failed" |
| 247 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ | 256 | case $ktype in |
| 257 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; | ||
| 258 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | ||
| 259 | esac | ||
| 260 | ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \ | ||
| 248 | -I "regress host key for $USER" \ | 261 | -I "regress host key for $USER" \ |
| 249 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 262 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 250 | fail "couldn't sign cert_host_key_${ktype}" | 263 | fatal "couldn't sign cert_host_key_${ktype}" |
| 251 | ( | 264 | ( |
| 252 | printf "$HOSTS " | 265 | printf "$HOSTS " |
| 253 | cat $OBJ/cert_host_key_${ktype}.pub | 266 | cat $OBJ/cert_host_key_${ktype}.pub |
| @@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 257 | echo HostKey $OBJ/cert_host_key_${ktype} | 270 | echo HostKey $OBJ/cert_host_key_${ktype} |
| 258 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 271 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
| 259 | ) > $OBJ/sshd_proxy | 272 | ) > $OBJ/sshd_proxy |
| 260 | 273 | ||
| 261 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 274 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 262 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 275 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 263 | -F $OBJ/ssh_proxy somehost true | 276 | -F $OBJ/ssh_proxy somehost true |
| @@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do | |||
| 267 | done | 280 | done |
| 268 | 281 | ||
| 269 | # Wrong certificate | 282 | # Wrong certificate |
| 270 | ( | 283 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| 271 | printf '@cert-authority ' | ||
| 272 | printf "$HOSTS " | ||
| 273 | cat $OBJ/host_ca_key.pub | ||
| 274 | ) > $OBJ/known_hosts-cert.orig | ||
| 275 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 284 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 276 | for kt in $PLAIN_TYPES ; do | 285 | for kt in $PLAIN_TYPES ; do |
| 286 | verbose "$tid: host ${kt} connect wrong cert" | ||
| 277 | rm -f $OBJ/cert_host_key* | 287 | rm -f $OBJ/cert_host_key* |
| 278 | # Self-sign key | 288 | # Self-sign key |
| 279 | ${SSHKEYGEN} -q -N '' -t ${kt} \ | 289 | ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \ |
| 280 | -f $OBJ/cert_host_key_${kt} || \ | ||
| 281 | fail "ssh-keygen of cert_host_key_${kt} failed" | 290 | fail "ssh-keygen of cert_host_key_${kt} failed" |
| 282 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ | 291 | case $kt in |
| 292 | rsa-sha2-*) tflag="-t $kt" ;; | ||
| 293 | *) tflag="" ;; | ||
| 294 | esac | ||
| 295 | ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \ | ||
| 283 | -I "regress host key for $USER" \ | 296 | -I "regress host key for $USER" \ |
| 284 | -n $HOSTS $OBJ/cert_host_key_${kt} || | 297 | -n $HOSTS $OBJ/cert_host_key_${kt} || |
| 285 | fail "couldn't sign cert_host_key_${kt}" | 298 | fatal "couldn't sign cert_host_key_${kt}" |
| 286 | verbose "$tid: host ${kt} connect wrong cert" | ||
| 287 | ( | 299 | ( |
| 288 | cat $OBJ/sshd_proxy_bak | 300 | cat $OBJ/sshd_proxy_bak |
| 289 | echo HostKey $OBJ/cert_host_key_${kt} | 301 | echo HostKey $OBJ/cert_host_key_${kt} |