author | Damien Miller <djm@mindrot.org> | 2013-01-18 11:51:56 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-01-18 11:51:56 +1100 |
commit | ebafebda8570b2b013327cdc6627f9c5fb9733c1 (patch) | |
tree | e08b1095cb132f11d9921427dd94ee0ed053b090 /regress/krl.sh | |
parent | f3747bf4014a450c9aaf1d88b010f6e579d10072 (diff) |
- djm@cvs.openbsd.org 2013/01/18 00:45:29
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
Tests for Key Revocation Lists (KRLs)
Diffstat (limited to 'regress/krl.sh')
-rw-r--r-- | regress/krl.sh | 151 |
1 files changed, 151 insertions, 0 deletions
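--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,151 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+# Fill in by-ID revocation spec.
+echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+N=$1
+f=$OBJ/revoked-`printf "%04d" $N`
+# Vary the keytype. We use mostly ECDSA since this is fastest by far.
+keytype=ecdsa
+case $N in
+2 | 10 | 510 | 1001) keytype=rsa;;
+4 | 30 | 520 | 1002) keytype=dsa;;
+esac
+$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+|| fatal "$SSHKEYGEN failed"
+# Sign cert
+$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+|| fatal "$SSHKEYGEN sign failed"
+echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+f=`keygen $n`
+REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+KEY=$1
+KRL=$2
+EXPECT_REVOKED=$3
+TAG=$4
+$SSHKEYGEN -Qf $KRL $KEY >/dev/null
+result=$?
+if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+fatal "key $KEY not revoked by KRL $KRL: $TAG"
+elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+fi
+}
+test_all() {
+FILES=$1
+TAG=$2
+KEYS_RESULT=$3
+ALL_RESULT=$4
+SERIAL_RESULT=$5
+KEYID_RESULT=$6
+CERTS_RESULT=$7
+CA_RESULT=$8
+verbose "$tid: checking revocations for $TAG"
+for f in $FILES ; do
+check_krl $f $OBJ/krl-empty no "$TAG"
+check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+cp -f $OBJ/krl-empty $f
+genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes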
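Review bot: The "unrevoked keys"/"unrevoked certs" cases at file lines 136, 138, 149 and 151 never run a single check, because `$UNREVOKED_KEYS` and `$UNREVOKED_CERTS` are assigned nowhere; the loop at lines 68–73 writes `NOTREVOKED_KEYS`/`NOTREVOKED_CERTS` instead, and since it never calls `keygen` it only re-appends the stale `$f` left over from the revoked loop. `test_all` therefore gets an empty FILES list for every negative case, so the half of the test that guards against over-revocation is vacuous and a KRL that revoked everything would still pass. The loop body should read `f=\`keygen $n\``, `UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"`, `UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"`, and the unused `NOTREVOKED=""` on line 69 can go. Once those checks actually execute, note that 30 (line 22) and the ids "revoked 1000"/"revoked 1001" (line 38) also appear in the revocation specs, so certs for serials 30, 1000 and 1001 would presumably be flagged by krl-serial/krl-keyid and the NOTREVOKED_SERIALS list likely needs adjusting to avoid that overlap.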