- djm@cvs.openbsd.org 2010/02/26 20:33:21

[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys
author: Damien Miller <djm@mindrot.org> 2010-02-27 07:57:12 +1100
committer: Damien Miller <djm@mindrot.org> 2010-02-27 07:57:12 +1100
commit: 58ac6de9648ea1e4d99061013965e0581abff101 (patch)
tree: 5fdbf0d2139924884ab1328ac8077aafef2d75c5 /regress/cert-userkey.sh
parent: 0a80ca190a39943029719facf7edb990def7ae62 (diff)
1 files changed, 89 insertions, 0 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
new file mode 100644
index 000000000..307e7236f
--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
+#       $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#       Placed in the Public Domain.
+tid="certified user keys"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+# Create a CA key and add it to authorized_keys
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+        fail "ssh-keygen of user_ca_key failed"
+(
+        echo -n 'cert-authority '
+        cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+# Generate and sign user keys
+for ktype in rsa dsa ; do 
+        verbose "$tid: sign user ${ktype} cert"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+            -f $OBJ/cert_user_key_${ktype} || \
+                fail "ssh-keygen of cert_user_key_${ktype} failed"
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype} ||
+                fail "couldn't sign cert_user_key_${ktype}"
+done
+# Basic connect tests
+for privsep in yes no ; do
+        for ktype in rsa dsa ; do 
+                verbose "$tid: user ${ktype} cert connect privsep $privsep"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo "UsePrivilegeSeparation $privsep"
+                ) > $OBJ/sshd_proxy
+                ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+                    somehost true
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
+done
+verbose "$tid: ensure CA key does not authenticate user"
+${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+        fail "ssh cert connect with CA key succeeded unexpectedly"
+fi
+test_one() {
+        ident=$1
+        result=$2
+        sign_opts=$3
+        
+        verbose "$tid: test user cert connect $ident expect $result"
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+            $sign_opts \
+            $OBJ/cert_user_key_rsa ||
+                fail "couldn't sign cert_user_key_rsa"
+        ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+            somehost true >/dev/null 2>&1
+        rc=$?
+        if [ "x$result" = "xsuccess" ] ; then
+                if [ $rc -ne 0 ]; then
+                        fail "ssh cert connect $ident failed unexpectedly"
+                fi
+        else
+                if [ $rc -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        fi
+        cleanup
+}
+test_one "host-certificate"     failure "-h"
+test_one "empty principals"     success ""
+test_one "wrong principals"     failure "-n foo"
+test_one "cert not yet valid"   failure "-V20200101:20300101"
+test_one "cert expired"         failure "-V19800101:19900101"
+test_one "cert valid interval"  success "-V-1w:+2w"
+test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
+test_one "force-command"        failure "-Oforce-command=false"
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
author	Damien Miller <djm@mindrot.org>	2010-02-27 07:57:12 +1100
committer	Damien Miller <djm@mindrot.org>	2010-02-27 07:57:12 +1100
commit	58ac6de9648ea1e4d99061013965e0581abff101 (patch)
tree	5fdbf0d2139924884ab1328ac8077aafef2d75c5 /regress/cert-userkey.sh
parent	0a80ca190a39943029719facf7edb990def7ae62 (diff)

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh new file mode 100644 index 000000000..307e7236f --- /dev/null +++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
	1	# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="certified user keys"
	5
	6	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
	7	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
	8
	9	# Create a CA key and add it to authorized_keys
	10	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
	11	fail "ssh-keygen of user_ca_key failed"
	12	(
	13	echo -n 'cert-authority '
	14	cat $OBJ/user_ca_key.pub
	15	) > $OBJ/authorized_keys_$USER
	16
	17	# Generate and sign user keys
	18	for ktype in rsa dsa ; do
	19	verbose "$tid: sign user ${ktype} cert"
	20	${SSHKEYGEN} -q -N '' -t ${ktype} \
	21	-f $OBJ/cert_user_key_${ktype} \|\| \
	22	fail "ssh-keygen of cert_user_key_${ktype} failed"
	23	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
	24	"regress user key for $USER" \
	25	-n $USER $OBJ/cert_user_key_${ktype} \|\|
	26	fail "couldn't sign cert_user_key_${ktype}"
	27
	28	done
	29
	30	# Basic connect tests
	31	for privsep in yes no ; do
	32	for ktype in rsa dsa ; do
	33	verbose "$tid: user ${ktype} cert connect privsep $privsep"
	34	(
	35	cat $OBJ/sshd_proxy_bak
	36	echo "UsePrivilegeSeparation $privsep"
	37	) > $OBJ/sshd_proxy
	38
	39	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	40	somehost true
	41	if [ $? -ne 0 ]; then
	42	fail "ssh cert connect failed"
	43	fi
	44	done
	45	done
	46
	47	verbose "$tid: ensure CA key does not authenticate user"
	48	${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	49	if [ $? -eq 0 ]; then
	50	fail "ssh cert connect with CA key succeeded unexpectedly"
	51	fi
	52
	53	test_one() {
	54	ident=$1
	55	result=$2
	56	sign_opts=$3
	57
	58	verbose "$tid: test user cert connect $ident expect $result"
	59
	60	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
	61	$sign_opts \
	62	$OBJ/cert_user_key_rsa \|\|
	63	fail "couldn't sign cert_user_key_rsa"
	64
	65	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
	66	somehost true >/dev/null 2>&1
	67	rc=$?
	68	if [ "x$result" = "xsuccess" ] ; then
	69	if [ $rc -ne 0 ]; then
	70	fail "ssh cert connect $ident failed unexpectedly"
	71	fi
	72	else
	73	if [ $rc -eq 0 ]; then
	74	fail "ssh cert connect $ident succeeded unexpectedly"
	75	fi
	76	fi
	77	cleanup
	78	}
	79
	80	test_one "host-certificate" failure "-h"
	81	test_one "empty principals" success ""
	82	test_one "wrong principals" failure "-n foo"
	83	test_one "cert not yet valid" failure "-V20200101:20300101"
	84	test_one "cert expired" failure "-V19800101:19900101"
	85	test_one "cert valid interval" success "-V-1w:+2w"
	86	test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
	87	test_one "force-command" failure "-Oforce-command=false"
	88
	89	rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*