summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2019-09-03 18:45:42 +1000
committerDamien Miller <djm@mindrot.org>2019-09-03 18:45:42 +1000
commitb08a6bc1cc7750c6f8a425d1cdbd86552fffc637 (patch)
treefb3781d51422f0fd2af8dc195e4f8c79c6503427 /regress
parent1a72c0dd89f09754df443c9576dde624a17d7dd0 (diff)
oops; missed including the actual file
Diffstat (limited to 'regress')
-rw-r--r--regress/sshsig.sh140
1 files changed, 140 insertions, 0 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
new file mode 100644
index 000000000..8af06e49e
--- /dev/null
+++ b/regress/sshsig.sh
@@ -0,0 +1,140 @@
1# $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
2# Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
16 || fatal "couldn't generate key"
17WRONG=$OBJ/wrong-key.pub
18
19# Make a CA key.
20${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
21 || fatal "couldn't generate key"
22CA_PRIV=$OBJ/sigca-key
23CA_PUB=$OBJ/sigca-key.pub
24
25SIGNKEYS="$SSH_KEYTYPES"
26verbose "$tid: make certificates"
27for t in $SSH_KEYTYPES ; do
28 ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
29 -I "regress signature key for $USER" \
30 -n $sig_principal $OBJ/${t} || \
31 fatal "couldn't sign ${t}"
32 SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
33done
34
35for t in $SIGNKEYS; do
36 verbose "$tid: check signature for $t"
37 keybase=`basename $t .pub`
38 sigfile=${OBJ}/sshsig-${keybase}.sig
39 pubkey=${OBJ}/${keybase}.pub
40
41 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
42 < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
43
44 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
45 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
46 -I $sig_principal -f $OBJ/allowed_signers \
47 < $DATA >/dev/null 2>&1 || \
48 fail "failed signature for $t key"
49
50 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
51 cat $pubkey) > $OBJ/allowed_signers
52 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
53 -I $sig_principal -f $OBJ/allowed_signers \
54 < $DATA >/dev/null 2>&1 || \
55 fail "failed signature for $t key w/ limited namespace"
56
57 # Invalid option
58 (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
59 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
60 -I $sig_principal -f $OBJ/allowed_signers \
61 < $DATA >/dev/null 2>&1 && \
62 fail "accepted signature for $t key with bad signers option"
63
64 # Wrong key trusted.
65 (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
66 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
67 -I $sig_principal -f $OBJ/allowed_signers \
68 < $DATA >/dev/null 2>&1 && \
69 fail "accepted signature for $t key with wrong key trusted"
70
71 # incorrect data
72 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
73 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
74 -I $sig_principal -f $OBJ/allowed_signers \
75 < $DATA2 >/dev/null 2>&1 && \
76 fail "passed signature for wrong data with $t key"
77
78 # wrong principal in signers
79 (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
80 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
81 -I $sig_principal -f $OBJ/allowed_signers \
82 < $DATA >/dev/null 2>&1 && \
83 fail "accepted signature for $t key with wrong principal"
84
85 # wrong namespace
86 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
87 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
88 -I $sig_principal -f $OBJ/allowed_signers \
89 < $DATA >/dev/null 2>&1 && \
90 fail "accepted signature for $t key with wrong namespace"
91
92 # namespace excluded by option
93 (printf "$sig_principal namespaces=\"whatever\" " ;
94 cat $pubkey) > $OBJ/allowed_signers
95 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
96 -I $sig_principal -f $OBJ/allowed_signers \
97 < $DATA >/dev/null 2>&1 && \
98 fail "accepted signature for $t key with excluded namespace"
99
100 # Remaining tests are for certificates only.
101 case "$keybase" in
102 *-cert) ;;
103 *) continue ;;
104 esac
105
106 # correct CA key
107 (printf "$sig_principal cert-authority " ;
108 cat $CA_PUB) > $OBJ/allowed_signers
109 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
110 -I $sig_principal -f $OBJ/allowed_signers \
111 < $DATA >/dev/null 2>&1 || \
112 fail "failed signature for $t cert"
113
114 # signing key listed as cert-authority
115 (printf "$sig_principal cert-authority" ;
116 cat $pubkey) > $OBJ/allowed_signers
117 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
118 -I $sig_principal -f $OBJ/allowed_signers \
119 < $DATA >/dev/null 2>&1 && \
120 fail "accepted signature with $t key listed as CA"
121
122 # CA key not flagged cert-authority
123 (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
124 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
125 -I $sig_principal -f $OBJ/allowed_signers \
126 < $DATA >/dev/null 2>&1 && \
127 fail "accepted signature for $t cert with CA not marked"
128
129 # mismatch between cert principal and file
130 (printf "josef.k@example.com cert-authority" ;
131 cat $CA_PUB) > $OBJ/allowed_signers
132 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
133 -I $sig_principal -f $OBJ/allowed_signers \
134 < $DATA >/dev/null 2>&1 && \
135 fail "accepted signature for $t cert with wrong principal"
136done
137
138# XXX test keys in agent.
139# XXX test revocation
140
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-28 20:42:07 +0000