- djm@cvs.openbsd.org 2010/05/07 11:31:26

[regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2010-05-21 14:48:16 +1000
committer: Damien Miller <djm@mindrot.org> 2010-05-21 14:48:16 +1000
commit: 3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b (patch)
tree: 65bf3f349a07e0ebb2683c904c57d69730c86eea /regress/cert-userkey.sh
parent: 4b1ec8381b1f459011cb61a6421e7cc45949cc60 (diff)
1 files changed, 112 insertions, 5 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 88d6d70a4..8fd1b48db 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
                fail "ssh-keygen of cert_user_key_${ktype} failed"
        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
            "regress user key for $USER" \
-            -n $USER $OBJ/cert_user_key_${ktype} ||
+            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
            "regress user key for $USER" \
-            -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
                fail "couldn't sign cert_user_key_${ktype}_v00"
 done
+# Test explicitly-specified principals
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+        for privsep in yes no ; do
+                _prefix="${ktype} privsep $privsep"
+                # Setup for AuthorizedPrincipalsFile
+                rm -f $OBJ/authorized_keys_$USER
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                        echo "AuthorizedPrincipalsFile " \
+                            "$OBJ/authorized_principals_%u"
+                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+                ) > $OBJ/sshd_proxy
+                # Missing authorized_principals
+                verbose "$tid: ${_prefix} missing authorized_principals"
+                rm -f $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Empty authorized_principals
+                verbose "$tid: ${_prefix} empty authorized_principals"
+                echo > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+        
+                # Wrong authorized_principals
+                verbose "$tid: ${_prefix} wrong authorized_principals"
+                echo gregorsamsa > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Correct authorized_principals
+                verbose "$tid: ${_prefix} correct authorized_principals"
+                echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+                # Setup for principals= key option
+                rm -f $OBJ/authorized_principals_$USER
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                ) > $OBJ/sshd_proxy
+                # Wrong principals list
+                verbose "$tid: ${_prefix} wrong principals key option"
+                (
+                        echon 'cert-authority,principals="gregorsamsa" '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect succeeded unexpectedly"
+                fi
+                # Correct principals list
+                verbose "$tid: ${_prefix} correct principals key option"
+                (
+                        echon 'cert-authority,principals="mekmitasdigoat" '
+                        cat $OBJ/user_ca_key.pub
+                ) > $OBJ/authorized_keys_$USER
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
 basic_tests() {
        auth=$1
        if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
        result=$2
        sign_opts=$3
        auth_choice=$4
+        auth_opt=$5
        if test "x$auth_choice" = "x" ; then
                auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
                        if test "x$auth" = "xauthorized_keys" ; then
                                # Add CA to authorized_keys
                                (
-                                        echon 'cert-authority '
+                                        echon "cert-authority${auth_opt} "
                                        cat $OBJ/user_ca_key.pub
                                ) > $OBJ/authorized_keys_$USER
                        else
                                echo > $OBJ/authorized_keys_$USER
                                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
                                    >> $OBJ/sshd_proxy
-        
+                                if test "x$auth_opt" != "x" ; then
+                                        echo $auth_opt >> $OBJ/sshd_proxy
+                                fi
                        fi
                        
                        verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
 test_one "empty principals"     success "" authorized_keys
 test_one "empty principals"     failure "" TrustedUserCAKeys
+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+    authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+    authorized_keys ',principals="mekmitasdigoat"'
 # Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
        case $ktype in
        *_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
 done
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER
author	Damien Miller <djm@mindrot.org>	2010-05-21 14:48:16 +1000
committer	Damien Miller <djm@mindrot.org>	2010-05-21 14:48:16 +1000
commit	3bcce80b544174b70dfd6e0a4e9f1488ca6fa69b (patch)
tree	65bf3f349a07e0ebb2683c904c57d69730c86eea /regress/cert-userkey.sh
parent	4b1ec8381b1f459011cb61a6421e7cc45949cc60 (diff)

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 88d6d70a4..8fd1b48db 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -18,16 +18,100 @@ for ktype in rsa dsa ; do
18	fail "ssh-keygen of cert_user_key_${ktype} failed"	18	fail "ssh-keygen of cert_user_key_${ktype} failed"
19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \	19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20	"regress user key for $USER" \	20	"regress user key for $USER" \
21	-n $USER $OBJ/cert_user_key_${ktype} \|\|	21	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|
22	fail "couldn't sign cert_user_key_${ktype}"	22	fail "couldn't sign cert_user_key_${ktype}"
23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00	23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub	24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \	25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26	"regress user key for $USER" \	26	"regress user key for $USER" \
27	-n $USER $OBJ/cert_user_key_${ktype}_v00 \|\|	27	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 \|\|
28	fail "couldn't sign cert_user_key_${ktype}_v00"	28	fail "couldn't sign cert_user_key_${ktype}_v00"
29	done	29	done
30		30
		31	# Test explicitly-specified principals
		32	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		33	for privsep in yes no ; do
		34	_prefix="${ktype} privsep $privsep"
		35
		36	# Setup for AuthorizedPrincipalsFile
		37	rm -f $OBJ/authorized_keys_$USER
		38	(
		39	cat $OBJ/sshd_proxy_bak
		40	echo "UsePrivilegeSeparation $privsep"
		41	echo "AuthorizedPrincipalsFile " \
		42	"$OBJ/authorized_principals_%u"
		43	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		44	) > $OBJ/sshd_proxy
		45
		46	# Missing authorized_principals
		47	verbose "$tid: ${_prefix} missing authorized_principals"
		48	rm -f $OBJ/authorized_principals_$USER
		49	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		50	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		51	if [ $? -eq 0 ]; then
		52	fail "ssh cert connect succeeded unexpectedly"
		53	fi
		54
		55	# Empty authorized_principals
		56	verbose "$tid: ${_prefix} empty authorized_principals"
		57	echo > $OBJ/authorized_principals_$USER
		58	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		59	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		60	if [ $? -eq 0 ]; then
		61	fail "ssh cert connect succeeded unexpectedly"
		62	fi
		63
		64	# Wrong authorized_principals
		65	verbose "$tid: ${_prefix} wrong authorized_principals"
		66	echo gregorsamsa > $OBJ/authorized_principals_$USER
		67	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		68	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		69	if [ $? -eq 0 ]; then
		70	fail "ssh cert connect succeeded unexpectedly"
		71	fi
		72
		73	# Correct authorized_principals
		74	verbose "$tid: ${_prefix} correct authorized_principals"
		75	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		76	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		77	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		78	if [ $? -ne 0 ]; then
		79	fail "ssh cert connect failed"
		80	fi
		81
		82	# Setup for principals= key option
		83	rm -f $OBJ/authorized_principals_$USER
		84	(
		85	cat $OBJ/sshd_proxy_bak
		86	echo "UsePrivilegeSeparation $privsep"
		87	) > $OBJ/sshd_proxy
		88
		89	# Wrong principals list
		90	verbose "$tid: ${_prefix} wrong principals key option"
		91	(
		92	echon 'cert-authority,principals="gregorsamsa" '
		93	cat $OBJ/user_ca_key.pub
		94	) > $OBJ/authorized_keys_$USER
		95	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		96	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		97	if [ $? -eq 0 ]; then
		98	fail "ssh cert connect succeeded unexpectedly"
		99	fi
		100
		101	# Correct principals list
		102	verbose "$tid: ${_prefix} correct principals key option"
		103	(
		104	echon 'cert-authority,principals="mekmitasdigoat" '
		105	cat $OBJ/user_ca_key.pub
		106	) > $OBJ/authorized_keys_$USER
		107	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		108	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		109	if [ $? -ne 0 ]; then
		110	fail "ssh cert connect failed"
		111	fi
		112	done
		113	done
		114
31	basic_tests() {	115	basic_tests() {
32	auth=$1	116	auth=$1
33	if test "x$auth" = "xauthorized_keys" ; then	117	if test "x$auth" = "xauthorized_keys" ; then
@@ -108,6 +192,7 @@ test_one() {
108	result=$2	192	result=$2
109	sign_opts=$3	193	sign_opts=$3
110	auth_choice=$4	194	auth_choice=$4
		195	auth_opt=$5
111		196
112	if test "x$auth_choice" = "x" ; then	197	if test "x$auth_choice" = "x" ; then
113	auth_choice="authorized_keys TrustedUserCAKeys"	198	auth_choice="authorized_keys TrustedUserCAKeys"
@@ -119,14 +204,16 @@ test_one() {
119	if test "x$auth" = "xauthorized_keys" ; then	204	if test "x$auth" = "xauthorized_keys" ; then
120	# Add CA to authorized_keys	205	# Add CA to authorized_keys
121	(	206	(
122	echon 'cert-authority '	207	echon "cert-authority${auth_opt} "
123	cat $OBJ/user_ca_key.pub	208	cat $OBJ/user_ca_key.pub
124	) > $OBJ/authorized_keys_$USER	209	) > $OBJ/authorized_keys_$USER
125	else	210	else
126	echo > $OBJ/authorized_keys_$USER	211	echo > $OBJ/authorized_keys_$USER
127	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \	212	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
128	>> $OBJ/sshd_proxy	213	>> $OBJ/sshd_proxy
129		214	if test "x$auth_opt" != "x" ; then
		215	echo $auth_opt >> $OBJ/sshd_proxy
		216	fi
130	fi	217	fi
131		218
132	verbose "$tid: $ident auth $auth expect $result $ktype"	219	verbose "$tid: $ident auth $auth expect $result $ktype"
@@ -165,7 +252,26 @@ test_one "force-command" failure "-n ${USER} -Oforce-command=false"
165	test_one "empty principals" success "" authorized_keys	252	test_one "empty principals" success "" authorized_keys
166	test_one "empty principals" failure "" TrustedUserCAKeys	253	test_one "empty principals" failure "" TrustedUserCAKeys
167		254
		255	# Check explicitly-specified principals: an empty principals list in the cert
		256	# should always be refused.
		257
		258	# AuthorizedPrincipalsFile
		259	rm -f $OBJ/authorized_keys_$USER
		260	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
		261	test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
		262	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
		263	test_one "AuthorizedPrincipalsFile no principals" failure "" \
		264	TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
		265
		266	# principals= key option
		267	rm -f $OBJ/authorized_principals_$USER
		268	test_one "principals key option principals" success "-n mekmitasdigoat" \
		269	authorized_keys ',principals="mekmitasdigoat"'
		270	test_one "principals key option no principals" failure "" \
		271	authorized_keys ',principals="mekmitasdigoat"'
		272
168	# Wrong certificate	273	# Wrong certificate
		274	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
169	for ktype in rsa dsa rsa_v00 dsa_v00 ; do	275	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
170	case $ktype in	276	case $ktype in
171	*_v00) args="-t v00" ;;	277	*_v00) args="-t v00" ;;
@@ -185,4 +291,5 @@ for ktype in rsa dsa rsa_v00 dsa_v00 ; do
185	done	291	done
186		292
187	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*	293	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
		294	rm -f $OBJ/authorized_principals_$USER
188		295