diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-07-03 04:39:23 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-07-15 16:04:02 +1000 |
| commit | 6a977a4b68747ade189e43d302f33403fd4a47ac (patch) | |
| tree | 51474b3b479b4e16d20309d8d6b5ccf235e4c152 /regress/cert-userkey.sh | |
| parent | 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 (diff) | |
upstream commit
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 39 |
1 files changed, 7 insertions, 32 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index b093a9196..d461b9e34 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
| 8 | 8 | ||
| 9 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 9 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 10 | 10 | ||
| 11 | type_has_legacy() { | ||
| 12 | case $1 in | ||
| 13 | ed25519*|ecdsa*) return 1 ;; | ||
| 14 | esac | ||
| 15 | return 0 | ||
| 16 | } | ||
| 17 | |||
| 18 | # Create a CA key | 11 | # Create a CA key |
| 19 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | 12 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ |
| 20 | fail "ssh-keygen of user_ca_key failed" | 13 | fail "ssh-keygen of user_ca_key failed" |
| @@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do | |||
| 28 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 21 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 29 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 22 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 30 | fail "couldn't sign cert_user_key_${ktype}" | 23 | fail "couldn't sign cert_user_key_${ktype}" |
| 31 | type_has_legacy $ktype || continue | ||
| 32 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | ||
| 33 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | ||
| 34 | verbose "$tid: sign host ${ktype}_v00 cert" | ||
| 35 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | ||
| 36 | "regress user key for $USER" \ | ||
| 37 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || | ||
| 38 | fatal "couldn't sign cert_user_key_${ktype}_v00" | ||
| 39 | done | 24 | done |
| 40 | 25 | ||
| 41 | # Test explicitly-specified principals | 26 | # Test explicitly-specified principals |
| 42 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 27 | for ktype in $PLAIN_TYPES ; do |
| 43 | for privsep in yes no ; do | 28 | for privsep in yes no ; do |
| 44 | _prefix="${ktype} privsep $privsep" | 29 | _prefix="${ktype} privsep $privsep" |
| 45 | 30 | ||
| @@ -165,7 +150,7 @@ basic_tests() { | |||
| 165 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 150 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 166 | fi | 151 | fi |
| 167 | 152 | ||
| 168 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 153 | for ktype in $PLAIN_TYPES ; do |
| 169 | for privsep in yes no ; do | 154 | for privsep in yes no ; do |
| 170 | _prefix="${ktype} privsep $privsep $auth" | 155 | _prefix="${ktype} privsep $privsep $auth" |
| 171 | # Simple connect | 156 | # Simple connect |
| @@ -257,12 +242,7 @@ test_one() { | |||
| 257 | fi | 242 | fi |
| 258 | 243 | ||
| 259 | for auth in $auth_choice ; do | 244 | for auth in $auth_choice ; do |
| 260 | for ktype in rsa rsa_v00 ; do | 245 | for ktype in rsa ed25519 ; do |
| 261 | case $ktype in | ||
| 262 | *_v00) keyv="-t v00" ;; | ||
| 263 | *) keyv="" ;; | ||
| 264 | esac | ||
| 265 | |||
| 266 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 246 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 267 | if test "x$auth" = "xauthorized_keys" ; then | 247 | if test "x$auth" = "xauthorized_keys" ; then |
| 268 | # Add CA to authorized_keys | 248 | # Add CA to authorized_keys |
| @@ -282,8 +262,7 @@ test_one() { | |||
| 282 | verbose "$tid: $ident auth $auth expect $result $ktype" | 262 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 283 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 263 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 284 | -I "regress user key for $USER" \ | 264 | -I "regress user key for $USER" \ |
| 285 | $sign_opts $keyv \ | 265 | $sign_opts $OBJ/cert_user_key_${ktype} || |
| 286 | $OBJ/cert_user_key_${ktype} || | ||
| 287 | fail "couldn't sign cert_user_key_${ktype}" | 266 | fail "couldn't sign cert_user_key_${ktype}" |
| 288 | 267 | ||
| 289 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 268 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| @@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \ | |||
| 335 | 314 | ||
| 336 | # Wrong certificate | 315 | # Wrong certificate |
| 337 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 316 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 338 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 317 | for ktype in $PLAIN_TYPES ; do |
| 339 | case $ktype in | ||
| 340 | *_v00) args="-t v00" ;; | ||
| 341 | *) args="" ;; | ||
| 342 | esac | ||
| 343 | # Self-sign | 318 | # Self-sign |
| 344 | ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ | 319 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 345 | "regress user key for $USER" \ | 320 | "regress user key for $USER" \ |
| 346 | -n $USER $OBJ/cert_user_key_${ktype} || | 321 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 347 | fail "couldn't sign cert_user_key_${ktype}" | 322 | fail "couldn't sign cert_user_key_${ktype}" |