diff options
| author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:58:01 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:58:01 +1100 |
| commit | 700dcfa3e0a98be44f2e3675849055984f04a70a (patch) | |
| tree | c10708a700b61025695b7755c25aa98f3dff0d9b /regress/cert-userkey.sh | |
| parent | 017d1e777ef197eab866b9d0046e000a46baf10b (diff) | |
- djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 161 |
1 files changed, 117 insertions, 44 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 874915205..7a58e7b75 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -6,13 +6,9 @@ tid="certified user keys" | |||
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | 8 | ||
| 9 | # Create a CA key and add it to authorized_keys | 9 | # Create a CA key |
| 10 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | 10 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ |
| 11 | fail "ssh-keygen of user_ca_key failed" | 11 | fail "ssh-keygen of user_ca_key failed" |
| 12 | ( | ||
| 13 | echon 'cert-authority ' | ||
| 14 | cat $OBJ/user_ca_key.pub | ||
| 15 | ) > $OBJ/authorized_keys_$USER | ||
| 16 | 12 | ||
| 17 | # Generate and sign user keys | 13 | # Generate and sign user keys |
| 18 | for ktype in rsa dsa ; do | 14 | for ktype in rsa dsa ; do |
| @@ -26,64 +22,140 @@ for ktype in rsa dsa ; do | |||
| 26 | fail "couldn't sign cert_user_key_${ktype}" | 22 | fail "couldn't sign cert_user_key_${ktype}" |
| 27 | done | 23 | done |
| 28 | 24 | ||
| 29 | # Basic connect tests | 25 | basic_tests() { |
| 30 | for privsep in yes no ; do | 26 | auth=$1 |
| 27 | if test "x$auth" = "xauthorized_keys" ; then | ||
| 28 | # Add CA to authorized_keys | ||
| 29 | ( | ||
| 30 | echon 'cert-authority ' | ||
| 31 | cat $OBJ/user_ca_key.pub | ||
| 32 | ) > $OBJ/authorized_keys_$USER | ||
| 33 | else | ||
| 34 | echo > $OBJ/authorized_keys_$USER | ||
| 35 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | ||
| 36 | fi | ||
| 37 | |||
| 31 | for ktype in rsa dsa ; do | 38 | for ktype in rsa dsa ; do |
| 32 | verbose "$tid: user ${ktype} cert connect privsep $privsep" | 39 | for privsep in yes no ; do |
| 40 | _prefix="${ktype} privsep $privsep $auth" | ||
| 41 | # Simple connect | ||
| 42 | verbose "$tid: ${_prefix} connect" | ||
| 43 | ( | ||
| 44 | cat $OBJ/sshd_proxy_bak | ||
| 45 | echo "UsePrivilegeSeparation $privsep" | ||
| 46 | echo "$extra_sshd" | ||
| 47 | ) > $OBJ/sshd_proxy | ||
| 48 | |||
| 49 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 50 | -F $OBJ/ssh_proxy somehost true | ||
| 51 | if [ $? -ne 0 ]; then | ||
| 52 | fail "ssh cert connect failed" | ||
| 53 | fi | ||
| 54 | |||
| 55 | # Revoked keys | ||
| 56 | verbose "$tid: ${_prefix} revoked key" | ||
| 57 | ( | ||
| 58 | cat $OBJ/sshd_proxy_bak | ||
| 59 | echo "UsePrivilegeSeparation $privsep" | ||
| 60 | echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" | ||
| 61 | echo "$extra_sshd" | ||
| 62 | ) > $OBJ/sshd_proxy | ||
| 63 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 64 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 65 | if [ $? -eq 0 ]; then | ||
| 66 | fail "ssh cert connect succeeded unexpecedly" | ||
| 67 | fi | ||
| 68 | done | ||
| 69 | |||
| 70 | # Revoked CA | ||
| 71 | verbose "$tid: ${ktype} $auth revoked CA key" | ||
| 33 | ( | 72 | ( |
| 34 | cat $OBJ/sshd_proxy_bak | 73 | cat $OBJ/sshd_proxy_bak |
| 35 | echo "UsePrivilegeSeparation $privsep" | 74 | echo "RevokedKeys $OBJ/user_ca_key.pub" |
| 75 | echo "$extra_sshd" | ||
| 36 | ) > $OBJ/sshd_proxy | 76 | ) > $OBJ/sshd_proxy |
| 37 | |||
| 38 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 77 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 39 | somehost true | 78 | somehost true >/dev/null 2>&1 |
| 40 | if [ $? -ne 0 ]; then | 79 | if [ $? -eq 0 ]; then |
| 41 | fail "ssh cert connect failed" | 80 | fail "ssh cert connect succeeded unexpecedly" |
| 42 | fi | 81 | fi |
| 43 | done | 82 | done |
| 44 | done | 83 | |
| 84 | verbose "$tid: $auth CA does not authenticate" | ||
| 85 | ( | ||
| 86 | cat $OBJ/sshd_proxy_bak | ||
| 87 | echo "$extra_sshd" | ||
| 88 | ) > $OBJ/sshd_proxy | ||
| 89 | verbose "$tid: ensure CA key does not authenticate user" | ||
| 90 | ${SSH} -2i $OBJ/user_ca_key \ | ||
| 91 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 92 | if [ $? -eq 0 ]; then | ||
| 93 | fail "ssh cert connect with CA key succeeded unexpectedly" | ||
| 94 | fi | ||
| 95 | } | ||
| 45 | 96 | ||
| 46 | verbose "$tid: ensure CA key does not authenticate user" | 97 | basic_tests authorized_keys |
| 47 | ${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 98 | basic_tests TrustedUserCAKeys |
| 48 | if [ $? -eq 0 ]; then | ||
| 49 | fail "ssh cert connect with CA key succeeded unexpectedly" | ||
| 50 | fi | ||
| 51 | 99 | ||
| 52 | test_one() { | 100 | test_one() { |
| 53 | ident=$1 | 101 | ident=$1 |
| 54 | result=$2 | 102 | result=$2 |
| 55 | sign_opts=$3 | 103 | sign_opts=$3 |
| 56 | 104 | auth_choice=$4 | |
| 57 | verbose "$tid: test user cert connect $ident expect $result" | 105 | |
| 106 | if test "x$auth_choice" = "x" ; then | ||
| 107 | auth_choice="authorized_keys TrustedUserCAKeys" | ||
| 108 | fi | ||
| 58 | 109 | ||
| 59 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 110 | for auth in $auth_choice ; do |
| 60 | $sign_opts \ | 111 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 61 | $OBJ/cert_user_key_rsa || | 112 | if test "x$auth" = "xauthorized_keys" ; then |
| 62 | fail "couldn't sign cert_user_key_rsa" | 113 | # Add CA to authorized_keys |
| 114 | ( | ||
| 115 | echon 'cert-authority ' | ||
| 116 | cat $OBJ/user_ca_key.pub | ||
| 117 | ) > $OBJ/authorized_keys_$USER | ||
| 118 | else | ||
| 119 | echo > $OBJ/authorized_keys_$USER | ||
| 120 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ | ||
| 121 | $OBJ/sshd_proxy | ||
| 63 | 122 | ||
| 64 | ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ | ||
| 65 | somehost true >/dev/null 2>&1 | ||
| 66 | rc=$? | ||
| 67 | if [ "x$result" = "xsuccess" ] ; then | ||
| 68 | if [ $rc -ne 0 ]; then | ||
| 69 | fail "ssh cert connect $ident failed unexpectedly" | ||
| 70 | fi | 123 | fi |
| 71 | else | 124 | |
| 72 | if [ $rc -eq 0 ]; then | 125 | verbose "$tid: $ident auth $auth expect $result" |
| 73 | fail "ssh cert connect $ident succeeded unexpectedly" | 126 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 127 | -I "regress user key for $USER" \ | ||
| 128 | $sign_opts \ | ||
| 129 | $OBJ/cert_user_key_rsa || | ||
| 130 | fail "couldn't sign cert_user_key_rsa" | ||
| 131 | |||
| 132 | ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ | ||
| 133 | somehost true >/dev/null 2>&1 | ||
| 134 | rc=$? | ||
| 135 | if [ "x$result" = "xsuccess" ] ; then | ||
| 136 | if [ $rc -ne 0 ]; then | ||
| 137 | fail "$ident failed unexpectedly" | ||
| 138 | fi | ||
| 139 | else | ||
| 140 | if [ $rc -eq 0 ]; then | ||
| 141 | fail "$ident succeeded unexpectedly" | ||
| 142 | fi | ||
| 74 | fi | 143 | fi |
| 75 | fi | 144 | done |
| 76 | cleanup | ||
| 77 | } | 145 | } |
| 78 | 146 | ||
| 79 | test_one "host-certificate" failure "-h" | 147 | test_one "correct principal" success "-n ${USER}" |
| 80 | test_one "empty principals" success "" | 148 | test_one "host-certificate" failure "-n ${USER} -h" |
| 81 | test_one "wrong principals" failure "-n foo" | 149 | test_one "wrong principals" failure "-n foo" |
| 82 | test_one "cert not yet valid" failure "-V20200101:20300101" | 150 | test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" |
| 83 | test_one "cert expired" failure "-V19800101:19900101" | 151 | test_one "cert expired" failure "-n ${USER} -V19800101:19900101" |
| 84 | test_one "cert valid interval" success "-V-1w:+2w" | 152 | test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" |
| 85 | test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" | 153 | test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" |
| 86 | test_one "force-command" failure "-Oforce-command=false" | 154 | test_one "force-command" failure "-n ${USER} -Oforce-command=false" |
| 155 | |||
| 156 | # Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals | ||
| 157 | test_one "empty principals" success "" authorized_keys | ||
| 158 | test_one "empty principals" failure "" TrustedUserCAKeys | ||
| 87 | 159 | ||
| 88 | # Wrong certificate | 160 | # Wrong certificate |
| 89 | for ktype in rsa dsa ; do | 161 | for ktype in rsa dsa ; do |
| @@ -101,3 +173,4 @@ for ktype in rsa dsa ; do | |||
| 101 | done | 173 | done |
| 102 | 174 | ||
| 103 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 175 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 176 | |||