summaryrefslogtreecommitdiff
path: root/regress/krl.sh
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
commitecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree449614b6c06a2622c74a609b31fcc46c60037c56 /regress/krl.sh
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
parentffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh161
1 files changed, 161 insertions, 0 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 000000000..62a239c38
--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,161 @@
1# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
2# Placed in the Public Domain.
3
4tid="key revocation lists"
5
6# If we don't support ecdsa keys then this tell will be much slower.
7ECDSA=ecdsa
8if test "x$TEST_SSH_ECC" != "xyes"; then
9 ECDSA=rsa
10fi
11
12# Do most testing with ssh-keygen; it uses the same verification code as sshd.
13
14# Old keys will interfere with ssh-keygen.
15rm -f $OBJ/revoked-* $OBJ/krl-*
16
17# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
19 fatal "$SSHKEYGEN CA failed"
20
21# A specification that revokes some certificates by serial numbers
22# The serial pattern is chosen to ensure the KRL includes list, range and
23# bitmap sections.
24cat << EOF >> $OBJ/revoked-serials
25serial: 1-4
26serial: 10
27serial: 15
28serial: 30
29serial: 50
30serial: 999
31# The following sum to 500-799
32serial: 500
33serial: 501
34serial: 502
35serial: 503-600
36serial: 700-797
37serial: 798
38serial: 799
39serial: 599-701
40EOF
41
42jot() {
43 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
44}
45
46# A specification that revokes some certificated by key ID.
47touch $OBJ/revoked-keyid
48for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
49 # Fill in by-ID revocation spec.
50 echo "id: revoked $n" >> $OBJ/revoked-keyid
51done
52
53keygen() {
54 N=$1
55 f=$OBJ/revoked-`printf "%04d" $N`
56 # Vary the keytype. We use mostly ECDSA since this is fastest by far.
57 keytype=$ECDSA
58 case $N in
59 2 | 10 | 510 | 1001) keytype=rsa;;
60 4 | 30 | 520 | 1002) keytype=dsa;;
61 esac
62 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
63 || fatal "$SSHKEYGEN failed"
64 # Sign cert
65 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
66 || fatal "$SSHKEYGEN sign failed"
67 echo $f
68}
69
70# Generate some keys.
71verbose "$tid: generating test keys"
72REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
73for n in $REVOKED_SERIALS ; do
74 f=`keygen $n`
75 REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
76 REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
77done
78NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
79NOTREVOKED=""
80for n in $NOTREVOKED_SERIALS ; do
81 NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
82 NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
83done
84
85genkrls() {
86 OPTS=$1
87$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
88 >/dev/null || fatal "$SSHKEYGEN KRL failed"
89$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
90 >/dev/null || fatal "$SSHKEYGEN KRL failed"
91$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
92 >/dev/null || fatal "$SSHKEYGEN KRL failed"
93$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
94 >/dev/null || fatal "$SSHKEYGEN KRL failed"
95$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
96 >/dev/null || fatal "$SSHKEYGEN KRL failed"
97# KRLs from serial/key-id spec need the CA specified.
98$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
99 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
100$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
101 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
102$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
103 >/dev/null || fatal "$SSHKEYGEN KRL failed"
104$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
105 >/dev/null || fatal "$SSHKEYGEN KRL failed"
106}
107
108verbose "$tid: generating KRLs"
109genkrls
110
111check_krl() {
112 KEY=$1
113 KRL=$2
114 EXPECT_REVOKED=$3
115 TAG=$4
116 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
117 result=$?
118 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
119 fatal "key $KEY not revoked by KRL $KRL: $TAG"
120 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
121 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
122 fi
123}
124test_all() {
125 FILES=$1
126 TAG=$2
127 KEYS_RESULT=$3
128 ALL_RESULT=$4
129 SERIAL_RESULT=$5
130 KEYID_RESULT=$6
131 CERTS_RESULT=$7
132 CA_RESULT=$8
133 verbose "$tid: checking revocations for $TAG"
134 for f in $FILES ; do
135 check_krl $f $OBJ/krl-empty no "$TAG"
136 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
137 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
138 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
139 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
140 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
141 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
142 done
143}
144# keys all serial keyid certs CA
145test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
146test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
147test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
148test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
149
150# Check update. Results should be identical.
151verbose "$tid: testing KRL update"
152for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
153 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
154 cp -f $OBJ/krl-empty $f
155 genkrls -u
156done
157# keys all serial keyid certs CA
158test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
159test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
160test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
161test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes