author | djm@openbsd.org <djm@openbsd.org> | 2016-05-02 09:52:00 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2016-05-02 20:59:50 +1000 |
commit | 67f1459efd2e85bf03d032539283fa8107218936 (patch) | |
tree | 8398f9c5d63bb4c5694023f8671a00a5db38c951 /regress/cert-userkey.sh | |
parent | 0e8eeec8e75f6d0eaf33317376f773160018a9c7 (diff) |
upstream commit
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r-- | regress/cert-userkey.sh | 49 |
1 files changed, 31 insertions, 18 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index c38c00a02..096d9e47a 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified user keys" | 4 | tid="certified user keys" |
@@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | |||
9 | 9 | ||
10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
11 | 11 | ||
12 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
13 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
14 | fi | ||
15 | |||
12 | kname() { | 16 | kname() { |
13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` | 17 | case $ktype in |
14 | echo "$n*,ssh-rsa*,ssh-ed25519*" | 18 | rsa-sha2-*) ;; |
19 | *) printf $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;; | ||
20 | esac | ||
21 | echo "*,ssh-rsa*,ssh-ed25519*" | ||
15 | } | 22 | } |
16 | 23 | ||
17 | # Create a CA key | 24 | # Create a CA key |
@@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | |||
19 | fail "ssh-keygen of user_ca_key failed" | 26 | fail "ssh-keygen of user_ca_key failed" |
20 | 27 | ||
21 | # Generate and sign user keys | 28 | # Generate and sign user keys |
22 | for ktype in $PLAIN_TYPES ; do | 29 | for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do |
23 | verbose "$tid: sign user ${ktype} cert" | 30 | verbose "$tid: sign user ${ktype} cert" |
24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 31 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
25 | -f $OBJ/cert_user_key_${ktype} || \ | 32 | -f $OBJ/cert_user_key_${ktype} || \ |
26 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 33 | fatal "ssh-keygen of cert_user_key_${ktype} failed" |
27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 34 | # Generate RSA/SHA2 certs for rsa-sha2* keys. |
28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 35 | case $ktype in |
29 | fail "couldn't sign cert_user_key_${ktype}" | 36 | rsa-sha2-*) tflag="-t $ktype" ;; |
37 | *) tflag="" ;; | ||
38 | esac | ||
39 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \ | ||
40 | -I "regress user key for $USER" \ | ||
41 | -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \ | ||
42 | fatal "couldn't sign cert_user_key_${ktype}" | ||
30 | done | 43 | done |
31 | 44 | ||
32 | # Test explicitly-specified principals | 45 | # Test explicitly-specified principals |
33 | for ktype in $PLAIN_TYPES ; do | 46 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do |
34 | t=$(kname $ktype) | 47 | t=$(kname $ktype) |
35 | for privsep in yes no ; do | 48 | for privsep in yes no ; do |
36 | _prefix="${ktype} privsep $privsep" | 49 | _prefix="${ktype} privsep $privsep" |
@@ -67,7 +80,7 @@ for ktype in $PLAIN_TYPES ; do | |||
67 | if [ $? -eq 0 ]; then | 80 | if [ $? -eq 0 ]; then |
68 | fail "ssh cert connect succeeded unexpectedly" | 81 | fail "ssh cert connect succeeded unexpectedly" |
69 | fi | 82 | fi |
70 | 83 | ||
71 | # Wrong authorized_principals | 84 | # Wrong authorized_principals |
72 | verbose "$tid: ${_prefix} wrong authorized_principals" | 85 | verbose "$tid: ${_prefix} wrong authorized_principals" |
73 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 86 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
@@ -166,8 +179,8 @@ basic_tests() { | |||
166 | echo > $OBJ/authorized_keys_$USER | 179 | echo > $OBJ/authorized_keys_$USER |
167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 180 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
168 | fi | 181 | fi |
169 | 182 | ||
170 | for ktype in $PLAIN_TYPES ; do | 183 | for ktype in $PLAIN_TYPES ; do |
171 | t=$(kname $ktype) | 184 | t=$(kname $ktype) |
172 | for privsep in yes no ; do | 185 | for privsep in yes no ; do |
173 | _prefix="${ktype} privsep $privsep $auth" | 186 | _prefix="${ktype} privsep $privsep $auth" |
@@ -183,7 +196,7 @@ basic_tests() { | |||
183 | cat $OBJ/ssh_proxy_bak | 196 | cat $OBJ/ssh_proxy_bak |
184 | echo "PubkeyAcceptedKeyTypes ${t}" | 197 | echo "PubkeyAcceptedKeyTypes ${t}" |
185 | ) > $OBJ/ssh_proxy | 198 | ) > $OBJ/ssh_proxy |
186 | 199 | ||
187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 200 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
188 | -F $OBJ/ssh_proxy somehost true | 201 | -F $OBJ/ssh_proxy somehost true |
189 | if [ $? -ne 0 ]; then | 202 | if [ $? -ne 0 ]; then |
@@ -223,7 +236,7 @@ basic_tests() { | |||
223 | fail "ssh cert connect failed" | 236 | fail "ssh cert connect failed" |
224 | fi | 237 | fi |
225 | done | 238 | done |
226 | 239 | ||
227 | # Revoked CA | 240 | # Revoked CA |
228 | verbose "$tid: ${ktype} $auth revoked CA key" | 241 | verbose "$tid: ${ktype} $auth revoked CA key" |
229 | ( | 242 | ( |
@@ -238,7 +251,7 @@ basic_tests() { | |||
238 | fail "ssh cert connect succeeded unexpecedly" | 251 | fail "ssh cert connect succeeded unexpecedly" |
239 | fi | 252 | fi |
240 | done | 253 | done |
241 | 254 | ||
242 | verbose "$tid: $auth CA does not authenticate" | 255 | verbose "$tid: $auth CA does not authenticate" |
243 | ( | 256 | ( |
244 | cat $OBJ/sshd_proxy_bak | 257 | cat $OBJ/sshd_proxy_bak |
@@ -286,7 +299,7 @@ test_one() { | |||
286 | echo $auth_opt >> $OBJ/sshd_proxy | 299 | echo $auth_opt >> $OBJ/sshd_proxy |
287 | fi | 300 | fi |
288 | fi | 301 | fi |
289 | 302 | ||
290 | verbose "$tid: $ident auth $auth expect $result $ktype" | 303 | verbose "$tid: $ident auth $auth expect $result $ktype" |
291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 304 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
292 | -I "regress user key for $USER" \ | 305 | -I "regress user key for $USER" \ |
@@ -342,13 +355,13 @@ test_one "principals key option no principals" failure "" \ | |||
342 | 355 | ||
343 | # Wrong certificate | 356 | # Wrong certificate |
344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 357 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
345 | for ktype in $PLAIN_TYPES ; do | 358 | for ktype in $PLAIN_TYPES ; do |
346 | t=$(kname $ktype) | 359 | t=$(kname $ktype) |
347 | # Self-sign | 360 | # Self-sign |
348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 361 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
349 | "regress user key for $USER" \ | 362 | "regress user key for $USER" \ |
350 | -n $USER $OBJ/cert_user_key_${ktype} || | 363 | -n $USER $OBJ/cert_user_key_${ktype} || |
351 | fail "couldn't sign cert_user_key_${ktype}" | 364 | fatal "couldn't sign cert_user_key_${ktype}" |
352 | verbose "$tid: user ${ktype} connect wrong cert" | 365 | verbose "$tid: user ${ktype} connect wrong cert" |
353 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 366 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
354 | somehost true >/dev/null 2>&1 | 367 | somehost true >/dev/null 2>&1 |
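Review bot: In the rewritten `kname()` (new lines 16-22 of the second hunk) the `rsa-sha2-*` arm prints nothing, so for those key types the function returns `*,ssh-rsa*,ssh-ed25519*`, and the leading bare `*` makes the `PubkeyAcceptedKeyTypes ${t}` line written into ssh_proxy accept every algorithm rather than pinning the one under test. If the intent is to exercise the SHA-2 signature types specifically, emitting the type name keeps the restriction meaningful: `rsa-sha2-*) printf '%s' "$ktype" ;;`. The other arm uses the argument as printf's format string and unquoted, `printf $1 | sed ...`; `printf '%s' "$1" | sed ...` is the safe form and behaves identically for the key names in use. The function also switches on the global `$ktype` while its data comes from `$1`; every visible caller passes `$ktype` as the argument, so it works today, but using one or the other consistently would avoid a silent mismatch if a caller ever passes something else. `$EXTRA_TYPES`, added to the loops in the second and third hunks, is not assigned anywhere in the visible hunks; presumably it is set elsewhere in the script, otherwise it expands to nothing and the loops are unchanged.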