diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
| commit | ecebda56da46a03dafff923d91c382f31faa9eec (patch) | |
| tree | 449614b6c06a2622c74a609b31fcc46c60037c56 /regress/krl.sh | |
| parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) | |
| parent | ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff) | |
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'regress/krl.sh')
| -rw-r--r-- | regress/krl.sh | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/regress/krl.sh b/regress/krl.sh new file mode 100644 index 000000000..62a239c38 --- /dev/null +++ b/regress/krl.sh | |||
| @@ -0,0 +1,161 @@ | |||
| 1 | # $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $ | ||
| 2 | # Placed in the Public Domain. | ||
| 3 | |||
| 4 | tid="key revocation lists" | ||
| 5 | |||
| 6 | # If we don't support ecdsa keys then this tell will be much slower. | ||
| 7 | ECDSA=ecdsa | ||
| 8 | if test "x$TEST_SSH_ECC" != "xyes"; then | ||
| 9 | ECDSA=rsa | ||
| 10 | fi | ||
| 11 | |||
| 12 | # Do most testing with ssh-keygen; it uses the same verification code as sshd. | ||
| 13 | |||
| 14 | # Old keys will interfere with ssh-keygen. | ||
| 15 | rm -f $OBJ/revoked-* $OBJ/krl-* | ||
| 16 | |||
| 17 | # Generate a CA key | ||
| 18 | $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || | ||
| 19 | fatal "$SSHKEYGEN CA failed" | ||
| 20 | |||
| 21 | # A specification that revokes some certificates by serial numbers | ||
| 22 | # The serial pattern is chosen to ensure the KRL includes list, range and | ||
| 23 | # bitmap sections. | ||
| 24 | cat << EOF >> $OBJ/revoked-serials | ||
| 25 | serial: 1-4 | ||
| 26 | serial: 10 | ||
| 27 | serial: 15 | ||
| 28 | serial: 30 | ||
| 29 | serial: 50 | ||
| 30 | serial: 999 | ||
| 31 | # The following sum to 500-799 | ||
| 32 | serial: 500 | ||
| 33 | serial: 501 | ||
| 34 | serial: 502 | ||
| 35 | serial: 503-600 | ||
| 36 | serial: 700-797 | ||
| 37 | serial: 798 | ||
| 38 | serial: 799 | ||
| 39 | serial: 599-701 | ||
| 40 | EOF | ||
| 41 | |||
| 42 | jot() { | ||
| 43 | awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" | ||
| 44 | } | ||
| 45 | |||
| 46 | # A specification that revokes some certificated by key ID. | ||
| 47 | touch $OBJ/revoked-keyid | ||
| 48 | for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do | ||
| 49 | # Fill in by-ID revocation spec. | ||
| 50 | echo "id: revoked $n" >> $OBJ/revoked-keyid | ||
| 51 | done | ||
| 52 | |||
| 53 | keygen() { | ||
| 54 | N=$1 | ||
| 55 | f=$OBJ/revoked-`printf "%04d" $N` | ||
| 56 | # Vary the keytype. We use mostly ECDSA since this is fastest by far. | ||
| 57 | keytype=$ECDSA | ||
| 58 | case $N in | ||
| 59 | 2 | 10 | 510 | 1001) keytype=rsa;; | ||
| 60 | 4 | 30 | 520 | 1002) keytype=dsa;; | ||
| 61 | esac | ||
| 62 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ | ||
| 63 | || fatal "$SSHKEYGEN failed" | ||
| 64 | # Sign cert | ||
| 65 | $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ | ||
| 66 | || fatal "$SSHKEYGEN sign failed" | ||
| 67 | echo $f | ||
| 68 | } | ||
| 69 | |||
| 70 | # Generate some keys. | ||
| 71 | verbose "$tid: generating test keys" | ||
| 72 | REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" | ||
| 73 | for n in $REVOKED_SERIALS ; do | ||
| 74 | f=`keygen $n` | ||
| 75 | REVOKED_KEYS="$REVOKED_KEYS ${f}.pub" | ||
| 76 | REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub" | ||
| 77 | done | ||
| 78 | NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001" | ||
| 79 | NOTREVOKED="" | ||
| 80 | for n in $NOTREVOKED_SERIALS ; do | ||
| 81 | NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub" | ||
| 82 | NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub" | ||
| 83 | done | ||
| 84 | |||
| 85 | genkrls() { | ||
| 86 | OPTS=$1 | ||
| 87 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ | ||
| 88 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 89 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \ | ||
| 90 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 91 | $SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \ | ||
| 92 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 93 | $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \ | ||
| 94 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 95 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ | ||
| 96 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 97 | # KRLs from serial/key-id spec need the CA specified. | ||
| 98 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ | ||
| 99 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" | ||
| 100 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ | ||
| 101 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" | ||
| 102 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \ | ||
| 103 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 104 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ | ||
| 105 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | ||
| 106 | } | ||
| 107 | |||
| 108 | verbose "$tid: generating KRLs" | ||
| 109 | genkrls | ||
| 110 | |||
| 111 | check_krl() { | ||
| 112 | KEY=$1 | ||
| 113 | KRL=$2 | ||
| 114 | EXPECT_REVOKED=$3 | ||
| 115 | TAG=$4 | ||
| 116 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null | ||
| 117 | result=$? | ||
| 118 | if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then | ||
| 119 | fatal "key $KEY not revoked by KRL $KRL: $TAG" | ||
| 120 | elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then | ||
| 121 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" | ||
| 122 | fi | ||
| 123 | } | ||
| 124 | test_all() { | ||
| 125 | FILES=$1 | ||
| 126 | TAG=$2 | ||
| 127 | KEYS_RESULT=$3 | ||
| 128 | ALL_RESULT=$4 | ||
| 129 | SERIAL_RESULT=$5 | ||
| 130 | KEYID_RESULT=$6 | ||
| 131 | CERTS_RESULT=$7 | ||
| 132 | CA_RESULT=$8 | ||
| 133 | verbose "$tid: checking revocations for $TAG" | ||
| 134 | for f in $FILES ; do | ||
| 135 | check_krl $f $OBJ/krl-empty no "$TAG" | ||
| 136 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" | ||
| 137 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" | ||
| 138 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" | ||
| 139 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" | ||
| 140 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" | ||
| 141 | check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" | ||
| 142 | done | ||
| 143 | } | ||
| 144 | # keys all serial keyid certs CA | ||
| 145 | test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no | ||
| 146 | test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no | ||
| 147 | test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes | ||
| 148 | test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes | ||
| 149 | |||
| 150 | # Check update. Results should be identical. | ||
| 151 | verbose "$tid: testing KRL update" | ||
| 152 | for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ | ||
| 153 | $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do | ||
| 154 | cp -f $OBJ/krl-empty $f | ||
| 155 | genkrls -u | ||
| 156 | done | ||
| 157 | # keys all serial keyid certs CA | ||
| 158 | test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no | ||
| 159 | test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no | ||
| 160 | test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes | ||
| 161 | test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes | ||