upstream: more sshsig regress tests: check key revocation, the

check-novalidate signature test mode and signing keys in ssh-agent. From Sebastian Kinne (slightly tweaked) OpenBSD-Regress-ID: b39566f5cec70140674658cdcedf38752a52e2e2
author: djm@openbsd.org <djm@openbsd.org> 2019-10-04 03:39:19 +0000
committer: Damien Miller <djm@mindrot.org> 2019-10-04 13:41:03 +1000
commit: 643ab68c79ac1644f4a31e36928c2bfc8a51db3c (patch)
tree: f42426f31cd1966e2124442c3f72458c46b554e4 /regress/sshsig.sh
parent: 714031a10bbe378a395a93cf1040f4ee1451f45f (diff)
1 files changed, 59 insertions, 3 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index 8af06e49e..eb99486ae 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
+#       $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
 #       Placed in the Public Domain.
 tid="sshsig"
@@ -22,6 +22,13 @@ ${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
 CA_PRIV=$OBJ/sigca-key
 CA_PUB=$OBJ/sigca-key.pub
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+        fatal "could not start ssh-agent: exit code $r"
+fi
 SIGNKEYS="$SSH_KEYTYPES"
 verbose "$tid: make certificates"
 for t in $SSH_KEYTYPES ; do
@@ -35,7 +42,9 @@ done
 for t in $SIGNKEYS; do
        verbose "$tid: check signature for $t"
        keybase=`basename $t .pub`
+        privkey=${OBJ}/`basename $t -cert.pub`
        sigfile=${OBJ}/sshsig-${keybase}.sig
+        sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
        pubkey=${OBJ}/${keybase}.pub
        ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
@@ -97,12 +106,59 @@ for t in $SIGNKEYS; do
                < $DATA >/dev/null 2>&1 && \
                fail "accepted signature for $t key with excluded namespace"
+        # public key in revoked keys file
+        cat $pubkey > $OBJ/revoked_keys
+        (printf "$sig_principal namespaces=\"whatever\" " ;
+         cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                -r $OBJ/revoked_keys \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key, but key is in revoked_keys"
+        # public key not revoked, but other are present in revoked_keysfile
+        cat $WRONG > $OBJ/revoked_keys
+        (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                -r $OBJ/revoked_keys \
+                < $DATA >/dev/null 2>&1 || \
+                fail "couldn't verify signature for $t key, but key not in revoked_keys"
+        # check-novalidate with valid data
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+                < $DATA >/dev/null 2>&1 || \
+                fail "failed to check valid signature for $t key"
+        # check-novalidate with invalid data
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+                < $DATA2 >/dev/null 2>&1 && \
+                fail "sucessfully checked signature for $t key with invalid data"
+        # Check signing keys using ssh-agent.
+        ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
+        ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
+        # Move private key to ensure agent key is used
+        mv ${privkey} ${privkey}.tmp
+        ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
+                < $DATA > $sigfile_agent 2>/dev/null || \
+                fail "ssh-agent based sign using $pubkey failed"
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
+                -n $sig_namespace < $DATA >/dev/null 2>&1 || \
+                fail "failed to check valid signature for $t key"
+        # Move private key back
+        mv ${privkey}.tmp ${privkey}
        # Remaining tests are for certificates only.
        case "$keybase" in
                *-cert) ;;
                *) continue ;;
        esac
        # correct CA key
        (printf "$sig_principal cert-authority " ;
         cat $CA_PUB) > $OBJ/allowed_signers
@@ -135,6 +191,6 @@ for t in $SIGNKEYS; do
                fail "accepted signature for $t cert with wrong principal"
 done
-# XXX test keys in agent.
+trace "kill agent"
-# XXX test revocation
+${SSHAGENT} -k > /dev/null
author	djm@openbsd.org <djm@openbsd.org>	2019-10-04 03:39:19 +0000
committer	Damien Miller <djm@mindrot.org>	2019-10-04 13:41:03 +1000
commit	643ab68c79ac1644f4a31e36928c2bfc8a51db3c (patch)
tree	f42426f31cd1966e2124442c3f72458c46b554e4 /regress/sshsig.sh
parent	714031a10bbe378a395a93cf1040f4ee1451f45f (diff)

diff --git a/regress/sshsig.sh b/regress/sshsig.sh index 8af06e49e..eb99486ae 100644 --- a/regress/sshsig.sh +++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $	1	# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="sshsig"	4	tid="sshsig"
@@ -22,6 +22,13 @@ ${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22	CA_PRIV=$OBJ/sigca-key	22	CA_PRIV=$OBJ/sigca-key
23	CA_PUB=$OBJ/sigca-key.pub	23	CA_PUB=$OBJ/sigca-key.pub
24		24
		25	trace "start agent"
		26	eval `${SSHAGENT} -s` > /dev/null
		27	r=$?
		28	if [ $r -ne 0 ]; then
		29	fatal "could not start ssh-agent: exit code $r"
		30	fi
		31
25	SIGNKEYS="$SSH_KEYTYPES"	32	SIGNKEYS="$SSH_KEYTYPES"
26	verbose "$tid: make certificates"	33	verbose "$tid: make certificates"
27	for t in $SSH_KEYTYPES ; do	34	for t in $SSH_KEYTYPES ; do
@@ -35,7 +42,9 @@ done
35	for t in $SIGNKEYS; do	42	for t in $SIGNKEYS; do
36	verbose "$tid: check signature for $t"	43	verbose "$tid: check signature for $t"
37	keybase=`basename $t .pub`	44	keybase=`basename $t .pub`
		45	privkey=${OBJ}/`basename $t -cert.pub`
38	sigfile=${OBJ}/sshsig-${keybase}.sig	46	sigfile=${OBJ}/sshsig-${keybase}.sig
		47	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
39	pubkey=${OBJ}/${keybase}.pub	48	pubkey=${OBJ}/${keybase}.pub
40		49
41	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \	50	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
@@ -97,12 +106,59 @@ for t in $SIGNKEYS; do
97	< $DATA >/dev/null 2>&1 && \	106	< $DATA >/dev/null 2>&1 && \
98	fail "accepted signature for $t key with excluded namespace"	107	fail "accepted signature for $t key with excluded namespace"
99		108
		109	# public key in revoked keys file
		110	cat $pubkey > $OBJ/revoked_keys
		111	(printf "$sig_principal namespaces=\"whatever\" " ;
		112	cat $pubkey) > $OBJ/allowed_signers
		113	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
		114	-I $sig_principal -f $OBJ/allowed_signers \
		115	-r $OBJ/revoked_keys \
		116	< $DATA >/dev/null 2>&1 && \
		117	fail "accepted signature for $t key, but key is in revoked_keys"
		118
		119	# public key not revoked, but other are present in revoked_keysfile
		120	cat $WRONG > $OBJ/revoked_keys
		121	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
		122	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
		123	-I $sig_principal -f $OBJ/allowed_signers \
		124	-r $OBJ/revoked_keys \
		125	< $DATA >/dev/null 2>&1 \|\| \
		126	fail "couldn't verify signature for $t key, but key not in revoked_keys"
		127
		128	# check-novalidate with valid data
		129	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
		130	< $DATA >/dev/null 2>&1 \|\| \
		131	fail "failed to check valid signature for $t key"
		132
		133	# check-novalidate with invalid data
		134	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
		135	< $DATA2 >/dev/null 2>&1 && \
		136	fail "sucessfully checked signature for $t key with invalid data"
		137
		138	# Check signing keys using ssh-agent.
		139	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
		140	${SSHADD} ${privkey} > /dev/null 2>&1 \|\| fail "ssh-add failed"
		141
		142	# Move private key to ensure agent key is used
		143	mv ${privkey} ${privkey}.tmp
		144
		145	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
		146	< $DATA > $sigfile_agent 2>/dev/null \|\| \
		147	fail "ssh-agent based sign using $pubkey failed"
		148	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
		149	-n $sig_namespace < $DATA >/dev/null 2>&1 \|\| \
		150	fail "failed to check valid signature for $t key"
		151
		152	# Move private key back
		153	mv ${privkey}.tmp ${privkey}
		154
100	# Remaining tests are for certificates only.	155	# Remaining tests are for certificates only.
101	case "$keybase" in	156	case "$keybase" in
102	*-cert) ;;	157	*-cert) ;;
103	*) continue ;;	158	*) continue ;;
104	esac	159	esac
105		160
		161
106	# correct CA key	162	# correct CA key
107	(printf "$sig_principal cert-authority " ;	163	(printf "$sig_principal cert-authority " ;
108	cat $CA_PUB) > $OBJ/allowed_signers	164	cat $CA_PUB) > $OBJ/allowed_signers
@@ -135,6 +191,6 @@ for t in $SIGNKEYS; do
135	fail "accepted signature for $t cert with wrong principal"	191	fail "accepted signature for $t cert with wrong principal"
136	done	192	done
137		193
138	# XXX test keys in agent.	194	trace "kill agent"
139	# XXX test revocation	195	${SSHAGENT} -k > /dev/null
140		196