- djm@cvs.openbsd.org 2010/02/26 20:33:21

[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys
author: Damien Miller <djm@mindrot.org> 2010-02-27 07:57:12 +1100
committer: Damien Miller <djm@mindrot.org> 2010-02-27 07:57:12 +1100
commit: 58ac6de9648ea1e4d99061013965e0581abff101 (patch)
tree: 5fdbf0d2139924884ab1328ac8077aafef2d75c5 /regress/cert-hostkey.sh
parent: 0a80ca190a39943029719facf7edb990def7ae62 (diff)
1 files changed, 122 insertions, 0 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
new file mode 100644
index 000000000..14cd2230b
--- /dev/null
+++ b/regress/cert-hostkey.sh
@@ -0,0 +1,122 @@
+#       $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#       Placed in the Public Domain.
+tid="certified host keys"
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
+        fail "ssh-keygen of host_ca_key failed"
+(
+        echo -n '@cert-authority '
+        echo -n "$HOSTS "
+        cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+# Generate and sign host keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign host ${ktype} cert"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+done
+# Basic connect tests
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: host ${ktype} cert connect privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${ktype}
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        echo UsePrivilegeSeparation $privsep
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy somehost true
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        
+        verbose "$tid: test host cert connect $ident expect $result"
+        ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            $sign_opts \
+            $OBJ/cert_host_key_rsa ||
+                fail "couldn't sign cert_host_key_rsa"
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_rsa
+                echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
+        ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+        rc=$?
+        if [ "x$result" = "xsuccess" ] ; then
+                if [ $rc -ne 0 ]; then
+                        fail "ssh cert connect $ident failed unexpectedly"
+                fi
+        else
+                if [ $rc -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        fi
+}
+test_one "user-certificate"     failure "-n $HOSTS"
+test_one "empty principals"     success "-h"
+test_one "wrong principals"     failure "-h -n foo"
+test_one "cert not yet valid"   failure "-h -V20200101:20300101"
+test_one "cert expired"         failure "-h -V19800101:19900101"
+test_one "cert valid interval"  success "-h -V-1w:+2w"
+test_one "cert has constraints" failure "-h -Oforce-command=false"
+# Check downgrade of cert to raw key when no CA found
+rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for ktype in rsa dsa ; do 
+        verbose "$tid: host ${ktype} cert downgrade to raw key"
+        # Generate and sign a host key
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_host_key_${ktype} || \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
+        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                fail "couldn't sign cert_host_key_${ktype}"
+        (
+                echo -n "$HOSTS "
+                cat $OBJ/cert_host_key_${ktype}.pub
+        ) > $OBJ/known_hosts-cert
+        (
+                cat $OBJ/sshd_proxy_bak
+                echo HostKey $OBJ/cert_host_key_${ktype}
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        ) > $OBJ/sshd_proxy
+        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
+        if [ $? -ne 0 ]; then
+                fail "ssh cert connect failed"
+        fi
+done
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
author	Damien Miller <djm@mindrot.org>	2010-02-27 07:57:12 +1100
committer	Damien Miller <djm@mindrot.org>	2010-02-27 07:57:12 +1100
commit	58ac6de9648ea1e4d99061013965e0581abff101 (patch)
tree	5fdbf0d2139924884ab1328ac8077aafef2d75c5 /regress/cert-hostkey.sh
parent	0a80ca190a39943029719facf7edb990def7ae62 (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh new file mode 100644 index 000000000..14cd2230b --- /dev/null +++ b/regress/cert-hostkey.sh
@@ -0,0 +1,122 @@
	1	# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="certified host keys"
	5
	6	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
	7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
	8
	9	HOSTS='localhost-with-alias,127.0.0.1,::1'
	10
	11	# Create a CA key and add it to known hosts
	12	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key \|\|\
	13	fail "ssh-keygen of host_ca_key failed"
	14	(
	15	echo -n '@cert-authority '
	16	echo -n "$HOSTS "
	17	cat $OBJ/host_ca_key.pub
	18	) > $OBJ/known_hosts-cert
	19
	20	# Generate and sign host keys
	21	for ktype in rsa dsa ; do
	22	verbose "$tid: sign host ${ktype} cert"
	23	# Generate and sign a host key
	24	${SSHKEYGEN} -q -N '' -t ${ktype} \
	25	-f $OBJ/cert_host_key_${ktype} \|\| \
	26	fail "ssh-keygen of cert_host_key_${ktype} failed"
	27	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
	28	-I "regress host key for $USER" \
	29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
	30	fail "couldn't sign cert_host_key_${ktype}"
	31	done
	32
	33	# Basic connect tests
	34	for privsep in yes no ; do
	35	for ktype in rsa dsa ; do
	36	verbose "$tid: host ${ktype} cert connect privsep $privsep"
	37	(
	38	cat $OBJ/sshd_proxy_bak
	39	echo HostKey $OBJ/cert_host_key_${ktype}
	40	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	41	echo UsePrivilegeSeparation $privsep
	42	) > $OBJ/sshd_proxy
	43
	44	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	45	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	46	-F $OBJ/ssh_proxy somehost true
	47	if [ $? -ne 0 ]; then
	48	fail "ssh cert connect failed"
	49	fi
	50	done
	51	done
	52
	53	test_one() {
	54	ident=$1
	55	result=$2
	56	sign_opts=$3
	57
	58	verbose "$tid: test host cert connect $ident expect $result"
	59
	60	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
	61	$sign_opts \
	62	$OBJ/cert_host_key_rsa \|\|
	63	fail "couldn't sign cert_host_key_rsa"
	64	(
	65	cat $OBJ/sshd_proxy_bak
	66	echo HostKey $OBJ/cert_host_key_rsa
	67	echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
	68	) > $OBJ/sshd_proxy
	69
	70	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	71	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	72	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	73	rc=$?
	74	if [ "x$result" = "xsuccess" ] ; then
	75	if [ $rc -ne 0 ]; then
	76	fail "ssh cert connect $ident failed unexpectedly"
	77	fi
	78	else
	79	if [ $rc -eq 0 ]; then
	80	fail "ssh cert connect $ident succeeded unexpectedly"
	81	fi
	82	fi
	83	}
	84
	85	test_one "user-certificate" failure "-n $HOSTS"
	86	test_one "empty principals" success "-h"
	87	test_one "wrong principals" failure "-h -n foo"
	88	test_one "cert not yet valid" failure "-h -V20200101:20300101"
	89	test_one "cert expired" failure "-h -V19800101:19900101"
	90	test_one "cert valid interval" success "-h -V-1w:+2w"
	91	test_one "cert has constraints" failure "-h -Oforce-command=false"
	92
	93	# Check downgrade of cert to raw key when no CA found
	94	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
	95	for ktype in rsa dsa ; do
	96	verbose "$tid: host ${ktype} cert downgrade to raw key"
	97	# Generate and sign a host key
	98	${SSHKEYGEN} -q -N '' -t ${ktype} \
	99	-f $OBJ/cert_host_key_${ktype} \|\| \
	100	fail "ssh-keygen of cert_host_key_${ktype} failed"
	101	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
	102	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
	103	fail "couldn't sign cert_host_key_${ktype}"
	104	(
	105	echo -n "$HOSTS "
	106	cat $OBJ/cert_host_key_${ktype}.pub
	107	) > $OBJ/known_hosts-cert
	108	(
	109	cat $OBJ/sshd_proxy_bak
	110	echo HostKey $OBJ/cert_host_key_${ktype}
	111	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	112	) > $OBJ/sshd_proxy
	113
	114	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	115	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	116	-F $OBJ/ssh_proxy somehost true
	117	if [ $? -ne 0 ]; then
	118	fail "ssh cert connect failed"
	119	fi
	120	done
	121
	122	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*