author | djm@openbsd.org <djm@openbsd.org> | 2019-10-04 03:39:19 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-10-04 13:41:03 +1000 |
commit | 643ab68c79ac1644f4a31e36928c2bfc8a51db3c (patch) | |
tree | f42426f31cd1966e2124442c3f72458c46b554e4 /regress/sshsig.sh | |
parent | 714031a10bbe378a395a93cf1040f4ee1451f45f (diff) |
upstream: more sshsig regress tests: check key revocation, the
check-novalidate signature test mode and signing keys in ssh-agent.
From Sebastian Kinne (slightly tweaked)
OpenBSD-Regress-ID: b39566f5cec70140674658cdcedf38752a52e2e2
Diffstat (limited to 'regress/sshsig.sh')
-rw-r--r-- | regress/sshsig.sh | 62 |
1 files changed, 59 insertions, 3 deletions
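--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
+# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshsig"
@@ -22,6 +22,13 @@ ${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
 CA_PRIV=$OBJ/sigca-key
 CA_PUB=$OBJ/sigca-key.pub
 
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fatal "could not start ssh-agent: exit code $r"
+fi
+
 SIGNKEYS="$SSH_KEYTYPES"
 verbose "$tid: make certificates"
 for t in $SSH_KEYTYPES ; do
@@ -35,7 +42,9 @@ done
 for t in $SIGNKEYS; do
 verbose "$tid: check signature for $t"
 keybase=`basename $t .pub`
+privkey=${OBJ}/`basename $t -cert.pub`
 sigfile=${OBJ}/sshsig-${keybase}.sig
+sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
 pubkey=${OBJ}/${keybase}.pub
 
 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
@@ -97,12 +106,59 @@ for t in $SIGNKEYS; do
 < $DATA >/dev/null 2>&1 && \
 fail "accepted signature for $t key with excluded namespace"
 
+# public key in revoked keys file
+cat $pubkey > $OBJ/revoked_keys
+(printf "$sig_principal namespaces=\"whatever\" " ;
+cat $pubkey) > $OBJ/allowed_signers
+${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+-I $sig_principal -f $OBJ/allowed_signers \
+-r $OBJ/revoked_keys \
+< $DATA >/dev/null 2>&1 && \
+fail "accepted signature for $t key, but key is in revoked_keys"
+
+# public key not revoked, but other are present in revoked_keysfile
+cat $WRONG > $OBJ/revoked_keys
+(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+-I $sig_principal -f $OBJ/allowed_signers \
+-r $OBJ/revoked_keys \
+< $DATA >/dev/null 2>&1 || \
+fail "couldn't verify signature for $t key, but key not in revoked_keys"
+
+# check-novalidate with valid data
+${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+< $DATA >/dev/null 2>&1 || \
+fail "failed to check valid signature for $t key"
+
+# check-novalidate with invalid data
+${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+< $DATA2 >/dev/null 2>&1 && \
+fail "sucessfully checked signature for $t key with invalid data"
+
+# Check signing keys using ssh-agent.
+${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
+${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
+
+# Move private key to ensure agent key is used
+mv ${privkey} ${privkey}.tmp
+
+${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
+< $DATA > $sigfile_agent 2>/dev/null || \
+fail "ssh-agent based sign using $pubkey failed"
+${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
+-n $sig_namespace < $DATA >/dev/null 2>&1 || \
+fail "failed to check valid signature for $t key"
+
+# Move private key back
+mv ${privkey}.tmp ${privkey}
+
 # Remaining tests are for certificates only.
 case "$keybase" in
 *-cert) ;;
 *) continue ;;
 esac
 
+
 # correct CA key
 (printf "$sig_principal cert-authority " ;
 cat $CA_PUB) > $OBJ/allowed_signers
@@ -135,6 +191,6 @@ for t in $SIGNKEYS; do
 fail "accepted signature for $t cert with wrong principal"
 done
 
-# XXX test keys in agent.
-# XXX test revocation
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
 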
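Review bot: The first revocation test (new lines 109–117) writes the allowed_signers entry with `namespaces=\"whatever\"`, so unless $sig_namespace (set outside these hunks) happens to be "whatever" the verify is rejected for the namespace mismatch regardless of the -r file, and the `&& fail` assertion cannot tell a working revocation check from a broken one. Use the same entry as the second revocation test, `(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers`, so that only the revoked_keys lookup can cause the rejection. The agent-produced signature (new lines 145–150) is only passed through check-novalidate; a following `-Y verify -f $OBJ/allowed_signers -I $sig_principal -r $OBJ/revoked_keys` run would also confirm it is attributed to the expected key rather than merely well-formed. The agent started at new line 26 is only killed at new line 195, so if fatal exits the script anywhere in between an ssh-agent process is left behind; a `trap '${SSHAGENT} -k > /dev/null' 0` right after the start would cover that. The for loop these tests sit in opens in the third hunk and its `done` is in the last hunk, so the fourth hunk is loop body throughout.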