summaryrefslogtreecommitdiff
path: root/regress/krl.sh
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2014-11-17 00:21:40 +0000
committerDamien Miller <djm@mindrot.org>2014-11-19 09:20:14 +1100
commit51b64e44121194ae4bf153dee391228dada2abcb (patch)
treecb352d2f03691add43b55b566f3aca434d664bbb /regress/krl.sh
parentd2d51003a623e21fb2b25567c4878d915e90aa2a (diff)
upstream commit
fix KRL generation when multiple CAs are in use We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh10
1 files changed, 8 insertions, 2 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index 287384b4a..a672e0daf 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $ 1# $OpenBSD: krl.sh,v 1.4 2014/11/17 00:21:40 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key revocation lists" 4tid="key revocation lists"
@@ -17,6 +17,8 @@ rm -f $OBJ/revoked-* $OBJ/krl-*
17# Generate a CA key 17# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || 18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
19 fatal "$SSHKEYGEN CA failed" 19 fatal "$SSHKEYGEN CA failed"
20$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
21 fatal "$SSHKEYGEN CA2 failed"
20 22
21# A specification that revokes some certificates by serial numbers 23# A specification that revokes some certificates by serial numbers
22# The serial pattern is chosen to ensure the KRL includes list, range and 24# The serial pattern is chosen to ensure the KRL includes list, range and
@@ -93,13 +95,17 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
93 >/dev/null || fatal "$SSHKEYGEN KRL failed" 95 >/dev/null || fatal "$SSHKEYGEN KRL failed"
94$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ 96$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
95 >/dev/null || fatal "$SSHKEYGEN KRL failed" 97 >/dev/null || fatal "$SSHKEYGEN KRL failed"
96# KRLs from serial/key-id spec need the CA specified. 98# This should fail as KRLs from serial/key-id spec need the CA specified.
97$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ 99$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
98 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 100 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
99$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ 101$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
100 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 102 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
101$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \ 103$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
102 >/dev/null || fatal "$SSHKEYGEN KRL failed" 104 >/dev/null || fatal "$SSHKEYGEN KRL failed"
105# Revoke the same serials with the second CA key to ensure a multi-CA
106# KRL is generated.
107$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
108 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
103$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ 109$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
104 >/dev/null || fatal "$SSHKEYGEN KRL failed" 110 >/dev/null || fatal "$SSHKEYGEN KRL failed"
105} 111}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 16:12:02 +0000