summaryrefslogtreecommitdiff
path: root/regress/cert-hostkey.sh
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-08-06 10:49:58 +0100
committerColin Watson <cjwatson@debian.org>2016-08-06 10:49:58 +0100
commita8ed8d256b2e2c05b0c15565a7938028c5192277 (patch)
tree87abbdc914a38b43e4e5bb9581ad1f46eabbf88e /regress/cert-hostkey.sh
parentf0329aac23c61e1a5197d6d57349a63f459bccb0 (diff)
parent99522ba7ec6963a05c04a156bf20e3ba3605987c (diff)
Import openssh_7.3p1.orig.tar.gz
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh126
1 files changed, 69 insertions, 57 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3f53922c8..62261cf8b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
30 30
31HOSTS='localhost-with-alias,127.0.0.1,::1' 31HOSTS='localhost-with-alias,127.0.0.1,::1'
32 32
33# Create a CA key and add it to known hosts. Ed25519 chosed for speed. 33kh_ca() {
34 for k in "$@" ; do
35 printf "@cert-authority $HOSTS "
36 cat $OBJ/$k || fatal "couldn't cat $k"
37 done
38}
39kh_revoke() {
40 for k in "$@" ; do
41 printf "@revoked * "
42 cat $OBJ/$k || fatal "couldn't cat $k"
43 done
44}
45
46# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
47# RSA for testing RSA/SHA2 signatures.
34${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ 48${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
35 fail "ssh-keygen of host_ca_key failed" 49 fail "ssh-keygen of host_ca_key failed"
36( 50${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\
37 printf '@cert-authority ' 51 fail "ssh-keygen of host_ca_key failed"
38 printf "$HOSTS " 52
39 cat $OBJ/host_ca_key.pub 53kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
40) > $OBJ/known_hosts-cert.orig
41cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 54cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
42 55
43# Plain text revocation files 56# Plain text revocation files
44touch $OBJ/host_revoked_empty 57touch $OBJ/host_revoked_empty
45touch $OBJ/host_revoked_plain 58touch $OBJ/host_revoked_plain
46touch $OBJ/host_revoked_cert 59touch $OBJ/host_revoked_cert
47cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca 60cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
48 61
49PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 62PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
50 63
64if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
65 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
66fi
67
51# Prepare certificate, plain key and CA KRLs 68# Prepare certificate, plain key and CA KRLs
52${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" 69${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
53${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" 70${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
54${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" 71${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
55${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \ 72${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
56 || fatal "KRL init failed" 73 || fatal "KRL init failed"
57 74
58# Generate and sign host keys 75# Generate and sign host keys
59serial=1 76serial=1
60for ktype in $PLAIN_TYPES ; do 77for ktype in $PLAIN_TYPES ; do
61 verbose "$tid: sign host ${ktype} cert" 78 verbose "$tid: sign host ${ktype} cert"
62 # Generate and sign a host key 79 # Generate and sign a host key
63 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 80 ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
66 ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ 83 ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
67 $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" 84 $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
68 cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain 85 cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
69 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \ 86 case $ktype in
87 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
88 *) tflag=""; ca="$OBJ/host_ca_key" ;;
89 esac
90 ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
70 -I "regress host key for $USER" \ 91 -I "regress host key for $USER" \
71 -n $HOSTS $OBJ/cert_host_key_${ktype} || 92 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
72 fatal "couldn't sign cert_host_key_${ktype}" 93 fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
100 121
101# Basic connect and revocation tests. 122# Basic connect and revocation tests.
102for privsep in yes no ; do 123for privsep in yes no ; do
103 for ktype in $PLAIN_TYPES ; do 124 for ktype in $PLAIN_TYPES ; do
104 verbose "$tid: host ${ktype} cert connect privsep $privsep" 125 verbose "$tid: host ${ktype} cert connect privsep $privsep"
105 ( 126 (
106 cat $OBJ/sshd_proxy_bak 127 cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
131done 152done
132 153
133# Revoked certificates with key present 154# Revoked certificates with key present
134( 155kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
135 printf '@cert-authority ' 156for ktype in $PLAIN_TYPES ; do
136 printf "$HOSTS " 157 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
137 cat $OBJ/host_ca_key.pub 158 kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
138 for ktype in $PLAIN_TYPES ; do 159done
139 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
140 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
141 done
142) > $OBJ/known_hosts-cert.orig
143cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 160cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
144for privsep in yes no ; do 161for privsep in yes no ; do
145 for ktype in $PLAIN_TYPES ; do 162 for ktype in $PLAIN_TYPES ; do
146 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 163 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
147 ( 164 (
148 cat $OBJ/sshd_proxy_bak 165 cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
162done 179done
163 180
164# Revoked CA 181# Revoked CA
165( 182kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
166 printf '@cert-authority ' 183kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
167 printf "$HOSTS "
168 cat $OBJ/host_ca_key.pub
169 printf '@revoked '
170 printf "* "
171 cat $OBJ/host_ca_key.pub
172) > $OBJ/known_hosts-cert.orig
173cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 184cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
174for ktype in $PLAIN_TYPES ; do 185for ktype in $PLAIN_TYPES ; do
175 verbose "$tid: host ${ktype} revoked cert" 186 verbose "$tid: host ${ktype} revoked cert"
176 ( 187 (
177 cat $OBJ/sshd_proxy_bak 188 cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
188done 199done
189 200
190# Create a CA key and add it to known hosts 201# Create a CA key and add it to known hosts
191( 202kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
192 printf '@cert-authority '
193 printf "$HOSTS "
194 cat $OBJ/host_ca_key.pub
195) > $OBJ/known_hosts-cert.orig
196cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 203cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
197 204
198test_one() { 205test_one() {
@@ -201,16 +208,19 @@ test_one() {
201 sign_opts=$3 208 sign_opts=$3
202 209
203 for kt in rsa ed25519 ; do 210 for kt in rsa ed25519 ; do
204 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ 211 case $ktype in
205 -I "regress host key for $USER" \ 212 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
213 *) tflag=""; ca="$OBJ/host_ca_key" ;;
214 esac
215 ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
206 $sign_opts $OBJ/cert_host_key_${kt} || 216 $sign_opts $OBJ/cert_host_key_${kt} ||
207 fail "couldn't sign cert_host_key_${kt}" 217 fatal "couldn't sign cert_host_key_${kt}"
208 ( 218 (
209 cat $OBJ/sshd_proxy_bak 219 cat $OBJ/sshd_proxy_bak
210 echo HostKey $OBJ/cert_host_key_${kt} 220 echo HostKey $OBJ/cert_host_key_${kt}
211 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 221 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
212 ) > $OBJ/sshd_proxy 222 ) > $OBJ/sshd_proxy
213 223
214 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 224 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
215 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
216 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
237test_one "cert has constraints" failure "-h -Oforce-command=false" 247test_one "cert has constraints" failure "-h -Oforce-command=false"
238 248
239# Check downgrade of cert to raw key when no CA found 249# Check downgrade of cert to raw key when no CA found
240for ktype in $PLAIN_TYPES ; do 250for ktype in $PLAIN_TYPES ; do
241 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 251 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
242 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 252 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
243 # Generate and sign a host key 253 # Generate and sign a host key
244 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 254 ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
245 -f $OBJ/cert_host_key_${ktype} || \
246 fail "ssh-keygen of cert_host_key_${ktype} failed" 255 fail "ssh-keygen of cert_host_key_${ktype} failed"
247 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 256 case $ktype in
257 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
258 *) tflag=""; ca="$OBJ/host_ca_key" ;;
259 esac
260 ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
248 -I "regress host key for $USER" \ 261 -I "regress host key for $USER" \
249 -n $HOSTS $OBJ/cert_host_key_${ktype} || 262 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
250 fail "couldn't sign cert_host_key_${ktype}" 263 fatal "couldn't sign cert_host_key_${ktype}"
251 ( 264 (
252 printf "$HOSTS " 265 printf "$HOSTS "
253 cat $OBJ/cert_host_key_${ktype}.pub 266 cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
257 echo HostKey $OBJ/cert_host_key_${ktype} 270 echo HostKey $OBJ/cert_host_key_${ktype}
258 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 271 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
259 ) > $OBJ/sshd_proxy 272 ) > $OBJ/sshd_proxy
260 273
261 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 274 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
262 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 275 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
263 -F $OBJ/ssh_proxy somehost true 276 -F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
267done 280done
268 281
269# Wrong certificate 282# Wrong certificate
270( 283kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
271 printf '@cert-authority '
272 printf "$HOSTS "
273 cat $OBJ/host_ca_key.pub
274) > $OBJ/known_hosts-cert.orig
275cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 284cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
276for kt in $PLAIN_TYPES ; do 285for kt in $PLAIN_TYPES ; do
286 verbose "$tid: host ${kt} connect wrong cert"
277 rm -f $OBJ/cert_host_key* 287 rm -f $OBJ/cert_host_key*
278 # Self-sign key 288 # Self-sign key
279 ${SSHKEYGEN} -q -N '' -t ${kt} \ 289 ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
280 -f $OBJ/cert_host_key_${kt} || \
281 fail "ssh-keygen of cert_host_key_${kt} failed" 290 fail "ssh-keygen of cert_host_key_${kt} failed"
282 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 291 case $kt in
292 rsa-sha2-*) tflag="-t $kt" ;;
293 *) tflag="" ;;
294 esac
295 ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
283 -I "regress host key for $USER" \ 296 -I "regress host key for $USER" \
284 -n $HOSTS $OBJ/cert_host_key_${kt} || 297 -n $HOSTS $OBJ/cert_host_key_${kt} ||
285 fail "couldn't sign cert_host_key_${kt}" 298 fatal "couldn't sign cert_host_key_${kt}"
286 verbose "$tid: host ${kt} connect wrong cert"
287 ( 299 (
288 cat $OBJ/sshd_proxy_bak 300 cat $OBJ/sshd_proxy_bak
289 echo HostKey $OBJ/cert_host_key_${kt} 301 echo HostKey $OBJ/cert_host_key_${kt}