diff options
| author | Damien Miller <djm@mindrot.org> | 2010-10-21 15:27:14 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-10-21 15:27:14 +1100 |
| commit | 6fd2d7de4b4ea3a361141cbe56f70bf70710546c (patch) | |
| tree | aceb98e9f0cda79fd151429555a8a7fd1e163ba3 /regress/cert-hostkey.sh | |
| parent | 68512c034140611e9df7a52e12ac5e4cd19f2db1 (diff) | |
- djm@cvs.openbsd.org 2010/08/31 12:24:09
[regress/cert-hostkey.sh regress/cert-userkey.sh]
tests for ECDSA certificates
Diffstat (limited to 'regress/cert-hostkey.sh')
| -rw-r--r-- | regress/cert-hostkey.sh | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 0265e8f6b..22ae4999d 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -18,7 +18,7 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ | |||
| 18 | ) > $OBJ/known_hosts-cert | 18 | ) > $OBJ/known_hosts-cert |
| 19 | 19 | ||
| 20 | # Generate and sign host keys | 20 | # Generate and sign host keys |
| 21 | for ktype in rsa dsa ; do | 21 | for ktype in rsa dsa ecdsa ; do |
| 22 | verbose "$tid: sign host ${ktype} cert" | 22 | verbose "$tid: sign host ${ktype} cert" |
| 23 | # Generate and sign a host key | 23 | # Generate and sign a host key |
| 24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| @@ -28,6 +28,8 @@ for ktype in rsa dsa ; do | |||
| 28 | -I "regress host key for $USER" \ | 28 | -I "regress host key for $USER" \ |
| 29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 29 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 30 | fail "couldn't sign cert_host_key_${ktype}" | 30 | fail "couldn't sign cert_host_key_${ktype}" |
| 31 | # v00 ecdsa certs do not exist | ||
| 32 | test "{ktype}" = "ecdsa" && continue | ||
| 31 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | 33 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 |
| 32 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | 34 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub |
| 33 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | 35 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ |
| @@ -38,7 +40,7 @@ done | |||
| 38 | 40 | ||
| 39 | # Basic connect tests | 41 | # Basic connect tests |
| 40 | for privsep in yes no ; do | 42 | for privsep in yes no ; do |
| 41 | for ktype in rsa dsa rsa_v00 dsa_v00; do | 43 | for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do |
| 42 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 44 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| 43 | ( | 45 | ( |
| 44 | cat $OBJ/sshd_proxy_bak | 46 | cat $OBJ/sshd_proxy_bak |
| @@ -66,6 +68,9 @@ done | |||
| 66 | cat $OBJ/cert_host_key_rsa.pub | 68 | cat $OBJ/cert_host_key_rsa.pub |
| 67 | echon '@revoked ' | 69 | echon '@revoked ' |
| 68 | echon "* " | 70 | echon "* " |
| 71 | cat $OBJ/cert_host_key_ecdsa.pub | ||
| 72 | echon '@revoked ' | ||
| 73 | echon "* " | ||
| 69 | cat $OBJ/cert_host_key_dsa.pub | 74 | cat $OBJ/cert_host_key_dsa.pub |
| 70 | echon '@revoked ' | 75 | echon '@revoked ' |
| 71 | echon "* " | 76 | echon "* " |
| @@ -75,7 +80,7 @@ done | |||
| 75 | cat $OBJ/cert_host_key_dsa_v00.pub | 80 | cat $OBJ/cert_host_key_dsa_v00.pub |
| 76 | ) > $OBJ/known_hosts-cert | 81 | ) > $OBJ/known_hosts-cert |
| 77 | for privsep in yes no ; do | 82 | for privsep in yes no ; do |
| 78 | for ktype in rsa dsa rsa_v00 dsa_v00; do | 83 | for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do |
| 79 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 84 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
| 80 | ( | 85 | ( |
| 81 | cat $OBJ/sshd_proxy_bak | 86 | cat $OBJ/sshd_proxy_bak |
| @@ -102,7 +107,7 @@ done | |||
| 102 | echon "* " | 107 | echon "* " |
| 103 | cat $OBJ/host_ca_key.pub | 108 | cat $OBJ/host_ca_key.pub |
| 104 | ) > $OBJ/known_hosts-cert | 109 | ) > $OBJ/known_hosts-cert |
| 105 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | 110 | for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do |
| 106 | verbose "$tid: host ${ktype} revoked cert" | 111 | verbose "$tid: host ${ktype} revoked cert" |
| 107 | ( | 112 | ( |
| 108 | cat $OBJ/sshd_proxy_bak | 113 | cat $OBJ/sshd_proxy_bak |
| @@ -173,7 +178,9 @@ test_one "cert has constraints" failure "-h -Oforce-command=false" | |||
| 173 | 178 | ||
| 174 | # Check downgrade of cert to raw key when no CA found | 179 | # Check downgrade of cert to raw key when no CA found |
| 175 | for v in v01 v00 ; do | 180 | for v in v01 v00 ; do |
| 176 | for ktype in rsa dsa ; do | 181 | for ktype in rsa dsa ecdsa ; do |
| 182 | # v00 ecdsa certs do not exist. | ||
| 183 | test "${v}${ktype}" = "v00ecdsa" && continue | ||
| 177 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 184 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
| 178 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" | 185 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
| 179 | # Generate and sign a host key | 186 | # Generate and sign a host key |
| @@ -210,7 +217,9 @@ done | |||
| 210 | cat $OBJ/host_ca_key.pub | 217 | cat $OBJ/host_ca_key.pub |
| 211 | ) > $OBJ/known_hosts-cert | 218 | ) > $OBJ/known_hosts-cert |
| 212 | for v in v01 v00 ; do | 219 | for v in v01 v00 ; do |
| 213 | for kt in rsa dsa ; do | 220 | for kt in rsa dsa ecdsa ; do |
| 221 | # v00 ecdsa certs do not exist. | ||
| 222 | test "${v}${ktype}" = "v00ecdsa" && continue | ||
| 214 | rm -f $OBJ/cert_host_key* | 223 | rm -f $OBJ/cert_host_key* |
| 215 | # Self-sign key | 224 | # Self-sign key |
| 216 | ${SSHKEYGEN} -q -N '' -t ${kt} \ | 225 | ${SSHKEYGEN} -q -N '' -t ${kt} \ |