upstream commit

unit and regress tests for SHA256/512; ok markus Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
author: djm@openbsd.org <djm@openbsd.org> 2016-05-02 09:52:00 +0000
committer: Damien Miller <djm@mindrot.org> 2016-05-02 20:59:50 +1000
commit: 67f1459efd2e85bf03d032539283fa8107218936 (patch)
tree: 8398f9c5d63bb4c5694023f8671a00a5db38c951 /regress
parent: 0e8eeec8e75f6d0eaf33317376f773160018a9c7 (diff)
3 files changed, 102 insertions, 77 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3f53922c8..62261cf8b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 HOSTS='localhost-with-alias,127.0.0.1,::1'
-# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
+kh_ca() {
+        for k in "$@" ; do
+                printf "@cert-authority $HOSTS "
+                cat $OBJ/$k || fatal "couldn't cat $k"
+        done
+}
+kh_revoke() {
+        for k in "$@" ; do
+                printf "@revoked * "
+                cat $OBJ/$k || fatal "couldn't cat $k"
+        done
+}
+# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
+# RSA for testing RSA/SHA2 signatures.
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/host_ca_key ||\
        fail "ssh-keygen of host_ca_key failed"
-(
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key2 ||\
-        printf '@cert-authority '
+        fail "ssh-keygen of host_ca_key failed"
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 # Plain text revocation files
 touch $OBJ/host_revoked_empty
 touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
-cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+        PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
-${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
+${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
        || fatal "KRL init failed"
 # Generate and sign host keys
 serial=1
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        verbose "$tid: sign host ${ktype} cert"
        # Generate and sign a host key
        ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
        ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
            $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
        cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
-        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
+        case $ktype in
+        rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+        *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+        esac
+        ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES ; do 
+        for ktype in $PLAIN_TYPES ; do
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
 done
 # Revoked certificates with key present
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
+for ktype in $PLAIN_TYPES ; do
-        printf "$HOSTS "
+        test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-        cat $OBJ/host_ca_key.pub
+        kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
-        for ktype in $PLAIN_TYPES ; do
+done
-                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
-        done
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES ; do 
+        for ktype in $PLAIN_TYPES ; do
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
 done
 # Revoked CA
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
+kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
 done
 # Create a CA key and add it to known hosts
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 test_one() {
@@ -201,16 +208,19 @@ test_one() {
        sign_opts=$3
        for kt in rsa ed25519 ; do
-                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+                case $ktype in
-                    -I "regress host key for $USER" \
+                rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+                *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+                esac
+                ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
                    $sign_opts $OBJ/cert_host_key_${kt} ||
-                        fail "couldn't sign cert_host_key_${kt}"
+                        fatal "couldn't sign cert_host_key_${kt}"
                (
                        cat $OBJ/sshd_proxy_bak
                        echo HostKey $OBJ/cert_host_key_${kt}
                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
                ) > $OBJ/sshd_proxy
-        
                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
        verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
        # Generate and sign a host key
-        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+        ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
-            -f $OBJ/cert_host_key_${ktype} || \
                fail "ssh-keygen of cert_host_key_${ktype} failed"
-        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+        case $ktype in
+        rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+        *)              tflag=""; ca="$OBJ/host_ca_key" ;;
+        esac
+        ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                fail "couldn't sign cert_host_key_${ktype}"
+                fatal "couldn't sign cert_host_key_${ktype}"
        (
                printf "$HOSTS "
                cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
                echo HostKey $OBJ/cert_host_key_${ktype}
                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
        ) > $OBJ/sshd_proxy
-        
        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
                -F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
 done
 # Wrong certificate
-(
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
-        printf '@cert-authority '
-        printf "$HOSTS "
-        cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for kt in $PLAIN_TYPES ; do 
+for kt in $PLAIN_TYPES ; do
+        verbose "$tid: host ${kt} connect wrong cert"
        rm -f $OBJ/cert_host_key*
        # Self-sign key
-        ${SSHKEYGEN} -q -N '' -t ${kt} \
+        ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
-            -f $OBJ/cert_host_key_${kt} || \
                fail "ssh-keygen of cert_host_key_${kt} failed"
-        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+        case $kt in
+        rsa-sha2-*)     tflag="-t $kt" ;;
+        *)              tflag="" ;;
+        esac
+        ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                fail "couldn't sign cert_host_key_${kt}"
+                fatal "couldn't sign cert_host_key_${kt}"
-        verbose "$tid: host ${kt} connect wrong cert"
        (
                cat $OBJ/sshd_proxy_bak
                echo HostKey $OBJ/cert_host_key_${kt}
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index c38c00a02..096d9e47a 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+        PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
 kname() {
-        n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
+        case $ktype in
-        echo "$n*,ssh-rsa*,ssh-ed25519*"
+        rsa-sha2-*) ;;
+        *) printf $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;;
+        esac
+        echo "*,ssh-rsa*,ssh-ed25519*"
 }
 # Create a CA key
@@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
        fail "ssh-keygen of user_ca_key failed"
 # Generate and sign user keys
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
        verbose "$tid: sign user ${ktype} cert"
        ${SSHKEYGEN} -q -N '' -t ${ktype} \
            -f $OBJ/cert_user_key_${ktype} || \
-                fail "ssh-keygen of cert_user_key_${ktype} failed"
+                fatal "ssh-keygen of cert_user_key_${ktype} failed"
-        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+        # Generate RSA/SHA2 certs for rsa-sha2* keys.
-            -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+        case $ktype in
-                fail "couldn't sign cert_user_key_${ktype}"
+        rsa-sha2-*)     tflag="-t $ktype" ;;
+        *)              tflag="" ;;
+        esac
+        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
+            -I "regress user key for $USER" \
+            -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
+                fatal "couldn't sign cert_user_key_${ktype}"
 done
 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
        t=$(kname $ktype)
        for privsep in yes no ; do
                _prefix="${ktype} privsep $privsep"
@@ -67,7 +80,7 @@ for ktype in $PLAIN_TYPES ; do
                if [ $? -eq 0 ]; then
                        fail "ssh cert connect succeeded unexpectedly"
                fi
-        
                # Wrong authorized_principals
                verbose "$tid: ${_prefix} wrong authorized_principals"
                echo gregorsamsa > $OBJ/authorized_principals_$USER
@@ -166,8 +179,8 @@ basic_tests() {
                echo > $OBJ/authorized_keys_$USER
                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
        fi
-        
-        for ktype in $PLAIN_TYPES ; do 
+        for ktype in $PLAIN_TYPES ; do
                t=$(kname $ktype)
                for privsep in yes no ; do
                        _prefix="${ktype} privsep $privsep $auth"
@@ -183,7 +196,7 @@ basic_tests() {
                                cat $OBJ/ssh_proxy_bak
                                echo "PubkeyAcceptedKeyTypes ${t}"
                        ) > $OBJ/ssh_proxy
-        
                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
                            -F $OBJ/ssh_proxy somehost true
                        if [ $? -ne 0 ]; then
@@ -223,7 +236,7 @@ basic_tests() {
                                fail "ssh cert connect failed"
                        fi
                done
-        
                # Revoked CA
                verbose "$tid: ${ktype} $auth revoked CA key"
                (
@@ -238,7 +251,7 @@ basic_tests() {
                        fail "ssh cert connect succeeded unexpecedly"
                fi
        done
-        
        verbose "$tid: $auth CA does not authenticate"
        (
                cat $OBJ/sshd_proxy_bak
@@ -286,7 +299,7 @@ test_one() {
                                        echo $auth_opt >> $OBJ/sshd_proxy
                                fi
                        fi
-                        
                        verbose "$tid: $ident auth $auth expect $result $ktype"
                        ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
                            -I "regress user key for $USER" \
@@ -342,13 +355,13 @@ test_one "principals key option no principals" failure "" \
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
        t=$(kname $ktype)
        # Self-sign
        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
-                fail "couldn't sign cert_user_key_${ktype}"
+                fatal "couldn't sign cert_user_key_${ktype}"
        verbose "$tid: user ${ktype} connect wrong cert"
        ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
            somehost true >/dev/null 2>&1
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1f160d1a7..1476dc2e3 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */
+/*      $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -455,7 +455,7 @@ sshkey_tests(void)
        put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
        put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
        ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
-        ASSERT_INT_EQ(sshkey_certify(k1, k2), 0);
+        ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0);
        b = sshbuf_new();
        ASSERT_PTR_NE(b, NULL);
        ASSERT_INT_EQ(sshkey_putb(k1, b), 0);
author	djm@openbsd.org <djm@openbsd.org>	2016-05-02 09:52:00 +0000
committer	Damien Miller <djm@mindrot.org>	2016-05-02 20:59:50 +1000
commit	67f1459efd2e85bf03d032539283fa8107218936 (patch)
tree	8398f9c5d63bb4c5694023f8671a00a5db38c951 /regress
parent	0e8eeec8e75f6d0eaf33317376f773160018a9c7 (diff)

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3f53922c8..62261cf8b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
30		30
31	HOSTS='localhost-with-alias,127.0.0.1,::1'	31	HOSTS='localhost-with-alias,127.0.0.1,::1'
32		32
33	# Create a CA key and add it to known hosts. Ed25519 chosed for speed.	33	kh_ca() {
		34	for k in "$@" ; do
		35	printf "@cert-authority $HOSTS "
		36	cat $OBJ/$k \|\| fatal "couldn't cat $k"
		37	done
		38	}
		39	kh_revoke() {
		40	for k in "$@" ; do
		41	printf "@revoked * "
		42	cat $OBJ/$k \|\| fatal "couldn't cat $k"
		43	done
		44	}
		45
		46	# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
		47	# RSA for testing RSA/SHA2 signatures.
34	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key \|\|\	48	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key \|\|\
35	fail "ssh-keygen of host_ca_key failed"	49	fail "ssh-keygen of host_ca_key failed"
36	(	50	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 \|\|\
37	printf '@cert-authority '	51	fail "ssh-keygen of host_ca_key failed"
38	printf "$HOSTS "	52
39	cat $OBJ/host_ca_key.pub	53	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
40	) > $OBJ/known_hosts-cert.orig
41	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	54	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
42		55
43	# Plain text revocation files	56	# Plain text revocation files
44	touch $OBJ/host_revoked_empty	57	touch $OBJ/host_revoked_empty
45	touch $OBJ/host_revoked_plain	58	touch $OBJ/host_revoked_plain
46	touch $OBJ/host_revoked_cert	59	touch $OBJ/host_revoked_cert
47	cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca	60	cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
48		61
49	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`	62	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
50		63
		64	if echo "$PLAIN_TYPES" \| grep '^rsa$' >/dev/null 2>&1 ; then
		65	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
		66	fi
		67
51	# Prepare certificate, plain key and CA KRLs	68	# Prepare certificate, plain key and CA KRLs
52	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"	69	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"
53	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"	70	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"
54	${SSHKEYGEN} -kf $OBJ/host_krl_cert \|\| fatal "KRL init failed"	71	${SSHKEYGEN} -kf $OBJ/host_krl_cert \|\| fatal "KRL init failed"
55	${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \	72	${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
56	\|\| fatal "KRL init failed"	73	\|\| fatal "KRL init failed"
57		74
58	# Generate and sign host keys	75	# Generate and sign host keys
59	serial=1	76	serial=1
60	for ktype in $PLAIN_TYPES ; do	77	for ktype in $PLAIN_TYPES ; do
61	verbose "$tid: sign host ${ktype} cert"	78	verbose "$tid: sign host ${ktype} cert"
62	# Generate and sign a host key	79	# Generate and sign a host key
63	${SSHKEYGEN} -q -N '' -t ${ktype} \	80	${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
66	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \	83	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
67	$OBJ/cert_host_key_${ktype}.pub \|\| fatal "KRL update failed"	84	$OBJ/cert_host_key_${ktype}.pub \|\| fatal "KRL update failed"
68	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain	85	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
69	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \	86	case $ktype in
		87	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		88	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		89	esac
		90	${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
70	-I "regress host key for $USER" \	91	-I "regress host key for $USER" \
71	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	92	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
72	fatal "couldn't sign cert_host_key_${ktype}"	93	fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
100		121
101	# Basic connect and revocation tests.	122	# Basic connect and revocation tests.
102	for privsep in yes no ; do	123	for privsep in yes no ; do
103	for ktype in $PLAIN_TYPES ; do	124	for ktype in $PLAIN_TYPES ; do
104	verbose "$tid: host ${ktype} cert connect privsep $privsep"	125	verbose "$tid: host ${ktype} cert connect privsep $privsep"
105	(	126	(
106	cat $OBJ/sshd_proxy_bak	127	cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
131	done	152	done
132		153
133	# Revoked certificates with key present	154	# Revoked certificates with key present
134	(	155	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
135	printf '@cert-authority '	156	for ktype in $PLAIN_TYPES ; do
136	printf "$HOSTS "	157	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
137	cat $OBJ/host_ca_key.pub	158	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
138	for ktype in $PLAIN_TYPES ; do	159	done
139	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
140	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
141	done
142	) > $OBJ/known_hosts-cert.orig
143	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	160	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
144	for privsep in yes no ; do	161	for privsep in yes no ; do
145	for ktype in $PLAIN_TYPES ; do	162	for ktype in $PLAIN_TYPES ; do
146	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	163	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
147	(	164	(
148	cat $OBJ/sshd_proxy_bak	165	cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
162	done	179	done
163		180
164	# Revoked CA	181	# Revoked CA
165	(	182	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
166	printf '@cert-authority '	183	kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
167	printf "$HOSTS "
168	cat $OBJ/host_ca_key.pub
169	printf '@revoked '
170	printf "* "
171	cat $OBJ/host_ca_key.pub
172	) > $OBJ/known_hosts-cert.orig
173	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	184	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
174	for ktype in $PLAIN_TYPES ; do	185	for ktype in $PLAIN_TYPES ; do
175	verbose "$tid: host ${ktype} revoked cert"	186	verbose "$tid: host ${ktype} revoked cert"
176	(	187	(
177	cat $OBJ/sshd_proxy_bak	188	cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
188	done	199	done
189		200
190	# Create a CA key and add it to known hosts	201	# Create a CA key and add it to known hosts
191	(	202	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
192	printf '@cert-authority '
193	printf "$HOSTS "
194	cat $OBJ/host_ca_key.pub
195	) > $OBJ/known_hosts-cert.orig
196	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	203	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
197		204
198	test_one() {	205	test_one() {
@@ -201,16 +208,19 @@ test_one() {
201	sign_opts=$3	208	sign_opts=$3
202		209
203	for kt in rsa ed25519 ; do	210	for kt in rsa ed25519 ; do
204	${SSHKEYGEN} -q -s $OBJ/host_ca_key \	211	case $ktype in
205	-I "regress host key for $USER" \	212	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		213	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		214	esac
		215	${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
206	$sign_opts $OBJ/cert_host_key_${kt} \|\|	216	$sign_opts $OBJ/cert_host_key_${kt} \|\|
207	fail "couldn't sign cert_host_key_${kt}"	217	fatal "couldn't sign cert_host_key_${kt}"
208	(	218	(
209	cat $OBJ/sshd_proxy_bak	219	cat $OBJ/sshd_proxy_bak
210	echo HostKey $OBJ/cert_host_key_${kt}	220	echo HostKey $OBJ/cert_host_key_${kt}
211	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub	221	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
212	) > $OBJ/sshd_proxy	222	) > $OBJ/sshd_proxy
213		223
214	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	224	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
215	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	225	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
216	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	226	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
237	test_one "cert has constraints" failure "-h -Oforce-command=false"	247	test_one "cert has constraints" failure "-h -Oforce-command=false"
238		248
239	# Check downgrade of cert to raw key when no CA found	249	# Check downgrade of cert to raw key when no CA found
240	for ktype in $PLAIN_TYPES ; do	250	for ktype in $PLAIN_TYPES ; do
241	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	251	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
242	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"	252	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
243	# Generate and sign a host key	253	# Generate and sign a host key
244	${SSHKEYGEN} -q -N '' -t ${ktype} \	254	${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} \|\| \
245	-f $OBJ/cert_host_key_${ktype} \|\| \
246	fail "ssh-keygen of cert_host_key_${ktype} failed"	255	fail "ssh-keygen of cert_host_key_${ktype} failed"
247	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \	256	case $ktype in
		257	rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
		258	*) tflag=""; ca="$OBJ/host_ca_key" ;;
		259	esac
		260	${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
248	-I "regress host key for $USER" \	261	-I "regress host key for $USER" \
249	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	262	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
250	fail "couldn't sign cert_host_key_${ktype}"	263	fatal "couldn't sign cert_host_key_${ktype}"
251	(	264	(
252	printf "$HOSTS "	265	printf "$HOSTS "
253	cat $OBJ/cert_host_key_${ktype}.pub	266	cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
257	echo HostKey $OBJ/cert_host_key_${ktype}	270	echo HostKey $OBJ/cert_host_key_${ktype}
258	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	271	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
259	) > $OBJ/sshd_proxy	272	) > $OBJ/sshd_proxy
260		273
261	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	274	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
262	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	275	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
263	-F $OBJ/ssh_proxy somehost true	276	-F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
267	done	280	done
268		281
269	# Wrong certificate	282	# Wrong certificate
270	(	283	kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
271	printf '@cert-authority '
272	printf "$HOSTS "
273	cat $OBJ/host_ca_key.pub
274	) > $OBJ/known_hosts-cert.orig
275	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	284	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
276	for kt in $PLAIN_TYPES ; do	285	for kt in $PLAIN_TYPES ; do
		286	verbose "$tid: host ${kt} connect wrong cert"
277	rm -f $OBJ/cert_host_key*	287	rm -f $OBJ/cert_host_key*
278	# Self-sign key	288	# Self-sign key
279	${SSHKEYGEN} -q -N '' -t ${kt} \	289	${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} \|\| \
280	-f $OBJ/cert_host_key_${kt} \|\| \
281	fail "ssh-keygen of cert_host_key_${kt} failed"	290	fail "ssh-keygen of cert_host_key_${kt} failed"
282	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \	291	case $kt in
		292	rsa-sha2-*) tflag="-t $kt" ;;
		293	*) tflag="" ;;
		294	esac
		295	${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
283	-I "regress host key for $USER" \	296	-I "regress host key for $USER" \
284	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|	297	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
285	fail "couldn't sign cert_host_key_${kt}"	298	fatal "couldn't sign cert_host_key_${kt}"
286	verbose "$tid: host ${kt} connect wrong cert"
287	(	299	(
288	cat $OBJ/sshd_proxy_bak	300	cat $OBJ/sshd_proxy_bak
289	echo HostKey $OBJ/cert_host_key_${kt}	301	echo HostKey $OBJ/cert_host_key_${kt}


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index c38c00a02..096d9e47a 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9		9
10	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`	10	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
11		11
		12	if echo "$PLAIN_TYPES" \| grep '^rsa$' >/dev/null 2>&1 ; then
		13	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
		14	fi
		15
12	kname() {	16	kname() {
13	n=`echo "$1" \| sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`	17	case $ktype in
14	echo "$n,ssh-rsa,ssh-ed25519*"	18	rsa-sha2-*) ;;
		19	*) printf $1 \| sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;;
		20	esac
		21	echo ",ssh-rsa,ssh-ed25519*"
15	}	22	}
16		23
17	# Create a CA key	24	# Create a CA key
@@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
19	fail "ssh-keygen of user_ca_key failed"	26	fail "ssh-keygen of user_ca_key failed"
20		27
21	# Generate and sign user keys	28	# Generate and sign user keys
22	for ktype in $PLAIN_TYPES ; do	29	for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
23	verbose "$tid: sign user ${ktype} cert"	30	verbose "$tid: sign user ${ktype} cert"
24	${SSHKEYGEN} -q -N '' -t ${ktype} \	31	${SSHKEYGEN} -q -N '' -t ${ktype} \
25	-f $OBJ/cert_user_key_${ktype} \|\| \	32	-f $OBJ/cert_user_key_${ktype} \|\| \
26	fail "ssh-keygen of cert_user_key_${ktype} failed"	33	fatal "ssh-keygen of cert_user_key_${ktype} failed"
27	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \	34	# Generate RSA/SHA2 certs for rsa-sha2* keys.
28	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|	35	case $ktype in
29	fail "couldn't sign cert_user_key_${ktype}"	36	rsa-sha2-*) tflag="-t $ktype" ;;
		37	*) tflag="" ;;
		38	esac
		39	${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
		40	-I "regress user key for $USER" \
		41	-n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} \|\| \
		42	fatal "couldn't sign cert_user_key_${ktype}"
30	done	43	done
31		44
32	# Test explicitly-specified principals	45	# Test explicitly-specified principals
33	for ktype in $PLAIN_TYPES ; do	46	for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
34	t=$(kname $ktype)	47	t=$(kname $ktype)
35	for privsep in yes no ; do	48	for privsep in yes no ; do
36	_prefix="${ktype} privsep $privsep"	49	_prefix="${ktype} privsep $privsep"
@@ -67,7 +80,7 @@ for ktype in $PLAIN_TYPES ; do
67	if [ $? -eq 0 ]; then	80	if [ $? -eq 0 ]; then
68	fail "ssh cert connect succeeded unexpectedly"	81	fail "ssh cert connect succeeded unexpectedly"
69	fi	82	fi
70		83
71	# Wrong authorized_principals	84	# Wrong authorized_principals
72	verbose "$tid: ${_prefix} wrong authorized_principals"	85	verbose "$tid: ${_prefix} wrong authorized_principals"
73	echo gregorsamsa > $OBJ/authorized_principals_$USER	86	echo gregorsamsa > $OBJ/authorized_principals_$USER
@@ -166,8 +179,8 @@ basic_tests() {
166	echo > $OBJ/authorized_keys_$USER	179	echo > $OBJ/authorized_keys_$USER
167	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"	180	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
168	fi	181	fi
169		182
170	for ktype in $PLAIN_TYPES ; do	183	for ktype in $PLAIN_TYPES ; do
171	t=$(kname $ktype)	184	t=$(kname $ktype)
172	for privsep in yes no ; do	185	for privsep in yes no ; do
173	_prefix="${ktype} privsep $privsep $auth"	186	_prefix="${ktype} privsep $privsep $auth"
@@ -183,7 +196,7 @@ basic_tests() {
183	cat $OBJ/ssh_proxy_bak	196	cat $OBJ/ssh_proxy_bak
184	echo "PubkeyAcceptedKeyTypes ${t}"	197	echo "PubkeyAcceptedKeyTypes ${t}"
185	) > $OBJ/ssh_proxy	198	) > $OBJ/ssh_proxy
186		199
187	${SSH} -2i $OBJ/cert_user_key_${ktype} \	200	${SSH} -2i $OBJ/cert_user_key_${ktype} \
188	-F $OBJ/ssh_proxy somehost true	201	-F $OBJ/ssh_proxy somehost true
189	if [ $? -ne 0 ]; then	202	if [ $? -ne 0 ]; then
@@ -223,7 +236,7 @@ basic_tests() {
223	fail "ssh cert connect failed"	236	fail "ssh cert connect failed"
224	fi	237	fi
225	done	238	done
226		239
227	# Revoked CA	240	# Revoked CA
228	verbose "$tid: ${ktype} $auth revoked CA key"	241	verbose "$tid: ${ktype} $auth revoked CA key"
229	(	242	(
@@ -238,7 +251,7 @@ basic_tests() {
238	fail "ssh cert connect succeeded unexpecedly"	251	fail "ssh cert connect succeeded unexpecedly"
239	fi	252	fi
240	done	253	done
241		254
242	verbose "$tid: $auth CA does not authenticate"	255	verbose "$tid: $auth CA does not authenticate"
243	(	256	(
244	cat $OBJ/sshd_proxy_bak	257	cat $OBJ/sshd_proxy_bak
@@ -286,7 +299,7 @@ test_one() {
286	echo $auth_opt >> $OBJ/sshd_proxy	299	echo $auth_opt >> $OBJ/sshd_proxy
287	fi	300	fi
288	fi	301	fi
289		302
290	verbose "$tid: $ident auth $auth expect $result $ktype"	303	verbose "$tid: $ident auth $auth expect $result $ktype"
291	${SSHKEYGEN} -q -s $OBJ/user_ca_key \	304	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
292	-I "regress user key for $USER" \	305	-I "regress user key for $USER" \
@@ -342,13 +355,13 @@ test_one "principals key option no principals" failure "" \
342		355
343	# Wrong certificate	356	# Wrong certificate
344	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy	357	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
345	for ktype in $PLAIN_TYPES ; do	358	for ktype in $PLAIN_TYPES ; do
346	t=$(kname $ktype)	359	t=$(kname $ktype)
347	# Self-sign	360	# Self-sign
348	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \	361	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
349	"regress user key for $USER" \	362	"regress user key for $USER" \
350	-n $USER $OBJ/cert_user_key_${ktype} \|\|	363	-n $USER $OBJ/cert_user_key_${ktype} \|\|
351	fail "couldn't sign cert_user_key_${ktype}"	364	fatal "couldn't sign cert_user_key_${ktype}"
352	verbose "$tid: user ${ktype} connect wrong cert"	365	verbose "$tid: user ${ktype} connect wrong cert"
353	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \	366	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
354	somehost true >/dev/null 2>&1	367	somehost true >/dev/null 2>&1


diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 1f160d1a7..1476dc2e3 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */	1	/* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
2	/*	2	/*
3	* Regress test for sshkey.h key management API	3	* Regress test for sshkey.h key management API
4	*	4	*
@@ -455,7 +455,7 @@ sshkey_tests(void)
455	put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);	455	put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
456	put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);	456	put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
457	ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);	457	ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
458	ASSERT_INT_EQ(sshkey_certify(k1, k2), 0);	458	ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0);
459	b = sshbuf_new();	459	b = sshbuf_new();
460	ASSERT_PTR_NE(b, NULL);	460	ASSERT_PTR_NE(b, NULL);
461	ASSERT_INT_EQ(sshkey_putb(k1, b), 0);	461	ASSERT_INT_EQ(sshkey_putb(k1, b), 0);