- OpenBSD CVS Sync

- djm@cvs.openbsd.org 2010/04/16 01:58:45 [regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for v01 certificate format includes interop tests for v00 certs
author: Damien Miller <djm@mindrot.org> 2010-04-18 08:15:14 +1000
committer: Damien Miller <djm@mindrot.org> 2010-04-18 08:15:14 +1000
commit: 53f4bb65999cef5634fba2bb4fbef3a70650ce4c (patch)
tree: 002e247813a243f01f75668a2557018fdc04a705 /regress/cert-userkey.sh
parent: c617aa9ff541d00df413846835ad31e556e71b31 (diff)
1 files changed, 46 insertions, 34 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7a58e7b75..88d6d70a4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
+        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+                fail "couldn't sign cert_user_key_${ktype}_v00"
 done
 basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
        fi
        
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
                for privsep in yes no ; do
                        _prefix="${ktype} privsep $privsep $auth"
                        # Simple connect
@@ -108,39 +114,41 @@ test_one() {
        fi
        for auth in $auth_choice ; do
-                cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+                for ktype in rsa rsa_v00 ; do
-                if test "x$auth" = "xauthorized_keys" ; then
+                        cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-                        # Add CA to authorized_keys
+                        if test "x$auth" = "xauthorized_keys" ; then
-                        (
+                                # Add CA to authorized_keys
-                                echon 'cert-authority '
+                                (
-                                cat $OBJ/user_ca_key.pub
+                                        echon 'cert-authority '
-                        ) > $OBJ/authorized_keys_$USER
+                                        cat $OBJ/user_ca_key.pub
-                else
+                                ) > $OBJ/authorized_keys_$USER
-                        echo > $OBJ/authorized_keys_$USER
+                        else
-                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+                                echo > $OBJ/authorized_keys_$USER
-                            $OBJ/sshd_proxy
+                                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
+                                    >> $OBJ/sshd_proxy
-                fi
-                
-                verbose "$tid: $ident auth $auth expect $result"
-                ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-                    -I "regress user key for $USER" \
-                    $sign_opts \
-                    $OBJ/cert_user_key_rsa ||
-                        fail "couldn't sign cert_user_key_rsa"
        
-                ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-                    somehost true >/dev/null 2>&1
-                rc=$?
-                if [ "x$result" = "xsuccess" ] ; then
-                        if [ $rc -ne 0 ]; then
-                                fail "$ident failed unexpectedly"
                        fi
-                else
+                        
-                        if [ $rc -eq 0 ]; then
+                        verbose "$tid: $ident auth $auth expect $result $ktype"
-                                fail "$ident succeeded unexpectedly"
+                        ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+                            -I "regress user key for $USER" \
+                            $sign_opts \
+                            $OBJ/cert_user_key_${ktype} ||
+                                fail "couldn't sign cert_user_key_${ktype}"
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        rc=$?
+                        if [ "x$result" = "xsuccess" ] ; then
+                                if [ $rc -ne 0 ]; then
+                                        fail "$ident failed unexpectedly"
+                                fi
+                        else
+                                if [ $rc -eq 0 ]; then
+                                        fail "$ident succeeded unexpectedly"
+                                fi
                        fi
-                fi
+                done
        done
 }
@@ -158,9 +166,13 @@ test_one "empty principals"	success "" authorized_keys
 test_one "empty principals"     failure "" TrustedUserCAKeys
 # Wrong certificate
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+        case $ktype in
+        *_v00) args="-t v00" ;;
+        *) args="" ;;
+        esac
        # Self-sign
-        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+        ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
author	Damien Miller <djm@mindrot.org>	2010-04-18 08:15:14 +1000
committer	Damien Miller <djm@mindrot.org>	2010-04-18 08:15:14 +1000
commit	53f4bb65999cef5634fba2bb4fbef3a70650ce4c (patch)
tree	002e247813a243f01f75668a2557018fdc04a705 /regress/cert-userkey.sh
parent	c617aa9ff541d00df413846835ad31e556e71b31 (diff)

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7a58e7b75..88d6d70a4 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
20	"regress user key for $USER" \	20	"regress user key for $USER" \
21	-n $USER $OBJ/cert_user_key_${ktype} \|\|	21	-n $USER $OBJ/cert_user_key_${ktype} \|\|
22	fail "couldn't sign cert_user_key_${ktype}"	22	fail "couldn't sign cert_user_key_${ktype}"
		23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
		24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
		25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
		26	"regress user key for $USER" \
		27	-n $USER $OBJ/cert_user_key_${ktype}_v00 \|\|
		28	fail "couldn't sign cert_user_key_${ktype}_v00"
23	done	29	done
24		30
25	basic_tests() {	31	basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
35	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"	41	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36	fi	42	fi
37		43
38	for ktype in rsa dsa ; do	44	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
39	for privsep in yes no ; do	45	for privsep in yes no ; do
40	_prefix="${ktype} privsep $privsep $auth"	46	_prefix="${ktype} privsep $privsep $auth"
41	# Simple connect	47	# Simple connect
@@ -108,39 +114,41 @@ test_one() {
108	fi	114	fi
109		115
110	for auth in $auth_choice ; do	116	for auth in $auth_choice ; do
111	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy	117	for ktype in rsa rsa_v00 ; do
112	if test "x$auth" = "xauthorized_keys" ; then	118	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
113	# Add CA to authorized_keys	119	if test "x$auth" = "xauthorized_keys" ; then
114	(	120	# Add CA to authorized_keys
115	echon 'cert-authority '	121	(
116	cat $OBJ/user_ca_key.pub	122	echon 'cert-authority '
117	) > $OBJ/authorized_keys_$USER	123	cat $OBJ/user_ca_key.pub
118	else	124	) > $OBJ/authorized_keys_$USER
119	echo > $OBJ/authorized_keys_$USER	125	else
120	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \	126	echo > $OBJ/authorized_keys_$USER
121	$OBJ/sshd_proxy	127	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
122		128	>> $OBJ/sshd_proxy
123	fi
124
125	verbose "$tid: $ident auth $auth expect $result"
126	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127	-I "regress user key for $USER" \
128	$sign_opts \
129	$OBJ/cert_user_key_rsa \|\|
130	fail "couldn't sign cert_user_key_rsa"
131		129
132	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133	somehost true >/dev/null 2>&1
134	rc=$?
135	if [ "x$result" = "xsuccess" ] ; then
136	if [ $rc -ne 0 ]; then
137	fail "$ident failed unexpectedly"
138	fi	130	fi
139	else	131
140	if [ $rc -eq 0 ]; then	132	verbose "$tid: $ident auth $auth expect $result $ktype"
141	fail "$ident succeeded unexpectedly"	133	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
		134	-I "regress user key for $USER" \
		135	$sign_opts \
		136	$OBJ/cert_user_key_${ktype} \|\|
		137	fail "couldn't sign cert_user_key_${ktype}"
		138
		139	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		140	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		141	rc=$?
		142	if [ "x$result" = "xsuccess" ] ; then
		143	if [ $rc -ne 0 ]; then
		144	fail "$ident failed unexpectedly"
		145	fi
		146	else
		147	if [ $rc -eq 0 ]; then
		148	fail "$ident succeeded unexpectedly"
		149	fi
142	fi	150	fi
143	fi	151	done
144	done	152	done
145	}	153	}
146		154
@@ -158,9 +166,13 @@ test_one "empty principals" success "" authorized_keys
158	test_one "empty principals" failure "" TrustedUserCAKeys	166	test_one "empty principals" failure "" TrustedUserCAKeys
159		167
160	# Wrong certificate	168	# Wrong certificate
161	for ktype in rsa dsa ; do	169	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		170	case $ktype in
		171	*_v00) args="-t v00" ;;
		172	*) args="" ;;
		173	esac
162	# Self-sign	174	# Self-sign
163	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \	175	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
164	"regress user key for $USER" \	176	"regress user key for $USER" \
165	-n $USER $OBJ/cert_user_key_${ktype} \|\|	177	-n $USER $OBJ/cert_user_key_${ktype} \|\|
166	fail "couldn't sign cert_user_key_${ktype}"	178	fail "couldn't sign cert_user_key_${ktype}"