diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-05-02 09:52:00 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-05-02 20:59:50 +1000 |
| commit | 67f1459efd2e85bf03d032539283fa8107218936 (patch) | |
| tree | 8398f9c5d63bb4c5694023f8671a00a5db38c951 /regress/cert-userkey.sh | |
| parent | 0e8eeec8e75f6d0eaf33317376f773160018a9c7 (diff) | |
upstream commit
unit and regress tests for SHA256/512; ok markus
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 49 |
1 files changed, 31 insertions, 18 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index c38c00a02..096d9e47a 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | |||
| 9 | 9 | ||
| 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 11 | 11 | ||
| 12 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
| 13 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
| 14 | fi | ||
| 15 | |||
| 12 | kname() { | 16 | kname() { |
| 13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` | 17 | case $ktype in |
| 14 | echo "$n*,ssh-rsa*,ssh-ed25519*" | 18 | rsa-sha2-*) ;; |
| 19 | *) printf $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;; | ||
| 20 | esac | ||
| 21 | echo "*,ssh-rsa*,ssh-ed25519*" | ||
| 15 | } | 22 | } |
| 16 | 23 | ||
| 17 | # Create a CA key | 24 | # Create a CA key |
| @@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | |||
| 19 | fail "ssh-keygen of user_ca_key failed" | 26 | fail "ssh-keygen of user_ca_key failed" |
| 20 | 27 | ||
| 21 | # Generate and sign user keys | 28 | # Generate and sign user keys |
| 22 | for ktype in $PLAIN_TYPES ; do | 29 | for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do |
| 23 | verbose "$tid: sign user ${ktype} cert" | 30 | verbose "$tid: sign user ${ktype} cert" |
| 24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 31 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 25 | -f $OBJ/cert_user_key_${ktype} || \ | 32 | -f $OBJ/cert_user_key_${ktype} || \ |
| 26 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 33 | fatal "ssh-keygen of cert_user_key_${ktype} failed" |
| 27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 34 | # Generate RSA/SHA2 certs for rsa-sha2* keys. |
| 28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 35 | case $ktype in |
| 29 | fail "couldn't sign cert_user_key_${ktype}" | 36 | rsa-sha2-*) tflag="-t $ktype" ;; |
| 37 | *) tflag="" ;; | ||
| 38 | esac | ||
| 39 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \ | ||
| 40 | -I "regress user key for $USER" \ | ||
| 41 | -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \ | ||
| 42 | fatal "couldn't sign cert_user_key_${ktype}" | ||
| 30 | done | 43 | done |
| 31 | 44 | ||
| 32 | # Test explicitly-specified principals | 45 | # Test explicitly-specified principals |
| 33 | for ktype in $PLAIN_TYPES ; do | 46 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do |
| 34 | t=$(kname $ktype) | 47 | t=$(kname $ktype) |
| 35 | for privsep in yes no ; do | 48 | for privsep in yes no ; do |
| 36 | _prefix="${ktype} privsep $privsep" | 49 | _prefix="${ktype} privsep $privsep" |
| @@ -67,7 +80,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 67 | if [ $? -eq 0 ]; then | 80 | if [ $? -eq 0 ]; then |
| 68 | fail "ssh cert connect succeeded unexpectedly" | 81 | fail "ssh cert connect succeeded unexpectedly" |
| 69 | fi | 82 | fi |
| 70 | 83 | ||
| 71 | # Wrong authorized_principals | 84 | # Wrong authorized_principals |
| 72 | verbose "$tid: ${_prefix} wrong authorized_principals" | 85 | verbose "$tid: ${_prefix} wrong authorized_principals" |
| 73 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 86 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
| @@ -166,8 +179,8 @@ basic_tests() { | |||
| 166 | echo > $OBJ/authorized_keys_$USER | 179 | echo > $OBJ/authorized_keys_$USER |
| 167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 180 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 168 | fi | 181 | fi |
| 169 | 182 | ||
| 170 | for ktype in $PLAIN_TYPES ; do | 183 | for ktype in $PLAIN_TYPES ; do |
| 171 | t=$(kname $ktype) | 184 | t=$(kname $ktype) |
| 172 | for privsep in yes no ; do | 185 | for privsep in yes no ; do |
| 173 | _prefix="${ktype} privsep $privsep $auth" | 186 | _prefix="${ktype} privsep $privsep $auth" |
| @@ -183,7 +196,7 @@ basic_tests() { | |||
| 183 | cat $OBJ/ssh_proxy_bak | 196 | cat $OBJ/ssh_proxy_bak |
| 184 | echo "PubkeyAcceptedKeyTypes ${t}" | 197 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 185 | ) > $OBJ/ssh_proxy | 198 | ) > $OBJ/ssh_proxy |
| 186 | 199 | ||
| 187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 200 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 188 | -F $OBJ/ssh_proxy somehost true | 201 | -F $OBJ/ssh_proxy somehost true |
| 189 | if [ $? -ne 0 ]; then | 202 | if [ $? -ne 0 ]; then |
| @@ -223,7 +236,7 @@ basic_tests() { | |||
| 223 | fail "ssh cert connect failed" | 236 | fail "ssh cert connect failed" |
| 224 | fi | 237 | fi |
| 225 | done | 238 | done |
| 226 | 239 | ||
| 227 | # Revoked CA | 240 | # Revoked CA |
| 228 | verbose "$tid: ${ktype} $auth revoked CA key" | 241 | verbose "$tid: ${ktype} $auth revoked CA key" |
| 229 | ( | 242 | ( |
| @@ -238,7 +251,7 @@ basic_tests() { | |||
| 238 | fail "ssh cert connect succeeded unexpecedly" | 251 | fail "ssh cert connect succeeded unexpecedly" |
| 239 | fi | 252 | fi |
| 240 | done | 253 | done |
| 241 | 254 | ||
| 242 | verbose "$tid: $auth CA does not authenticate" | 255 | verbose "$tid: $auth CA does not authenticate" |
| 243 | ( | 256 | ( |
| 244 | cat $OBJ/sshd_proxy_bak | 257 | cat $OBJ/sshd_proxy_bak |
| @@ -286,7 +299,7 @@ test_one() { | |||
| 286 | echo $auth_opt >> $OBJ/sshd_proxy | 299 | echo $auth_opt >> $OBJ/sshd_proxy |
| 287 | fi | 300 | fi |
| 288 | fi | 301 | fi |
| 289 | 302 | ||
| 290 | verbose "$tid: $ident auth $auth expect $result $ktype" | 303 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 304 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 292 | -I "regress user key for $USER" \ | 305 | -I "regress user key for $USER" \ |
| @@ -342,13 +355,13 @@ test_one "principals key option no principals" failure "" \ | |||
| 342 | 355 | ||
| 343 | # Wrong certificate | 356 | # Wrong certificate |
| 344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 357 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 345 | for ktype in $PLAIN_TYPES ; do | 358 | for ktype in $PLAIN_TYPES ; do |
| 346 | t=$(kname $ktype) | 359 | t=$(kname $ktype) |
| 347 | # Self-sign | 360 | # Self-sign |
| 348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 361 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 349 | "regress user key for $USER" \ | 362 | "regress user key for $USER" \ |
| 350 | -n $USER $OBJ/cert_user_key_${ktype} || | 363 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 351 | fail "couldn't sign cert_user_key_${ktype}" | 364 | fatal "couldn't sign cert_user_key_${ktype}" |
| 352 | verbose "$tid: user ${ktype} connect wrong cert" | 365 | verbose "$tid: user ${ktype} connect wrong cert" |
| 353 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 366 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 354 | somehost true >/dev/null 2>&1 | 367 | somehost true >/dev/null 2>&1 |