diff options
| -rw-r--r-- | regress/krl.sh | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/regress/krl.sh b/regress/krl.sh index 1077358ff..a70c79c66 100644 --- a/regress/krl.sh +++ b/regress/krl.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ | 1 | # $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="key revocation lists" | 4 | tid="key revocation lists" |
| @@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do | |||
| 85 | UCERTS="$UCERTS ${f}-cert.pub" | 85 | UCERTS="$UCERTS ${f}-cert.pub" |
| 86 | done | 86 | done |
| 87 | 87 | ||
| 88 | # Specifications that revoke keys by hash. | ||
| 89 | touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash | ||
| 90 | for rkey in $RKEYS; do | ||
| 91 | (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1 | ||
| 92 | (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256 | ||
| 93 | (printf "hash: "; $SSHKEYGEN -lf $rkey | \ | ||
| 94 | awk '{ print $2 }') >> $OBJ/revoked-hash | ||
| 95 | done | ||
| 96 | |||
| 88 | genkrls() { | 97 | genkrls() { |
| 89 | OPTS=$1 | 98 | OPTS=$1 |
| 90 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ | 99 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ |
| @@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ | |||
| 97 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | 106 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 98 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ | 107 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ |
| 99 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | 108 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 109 | $SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \ | ||
| 110 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
| 111 | $SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \ | ||
| 112 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
| 113 | $SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \ | ||
| 114 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
| 100 | # This should fail as KRLs from serial/key-id spec need the CA specified. | 115 | # This should fail as KRLs from serial/key-id spec need the CA specified. |
| 101 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ | 116 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ |
| 102 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" | 117 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" |
| @@ -131,9 +146,9 @@ check_krl() { | |||
| 131 | TAG=$4 | 146 | TAG=$4 |
| 132 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null | 147 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null |
| 133 | result=$? | 148 | result=$? |
| 134 | if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then | 149 | if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then |
| 135 | fatal "key $KEY not revoked by KRL $KRL: $TAG" | 150 | fatal "key $KEY not revoked by KRL $KRL: $TAG" |
| 136 | elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then | 151 | elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then |
| 137 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" | 152 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" |
| 138 | fi | 153 | fi |
| 139 | } | 154 | } |
| @@ -142,17 +157,21 @@ test_rev() { | |||
| 142 | TAG=$2 | 157 | TAG=$2 |
| 143 | KEYS_RESULT=$3 | 158 | KEYS_RESULT=$3 |
| 144 | ALL_RESULT=$4 | 159 | ALL_RESULT=$4 |
| 145 | SERIAL_RESULT=$5 | 160 | HASH_RESULT=$5 |
| 146 | KEYID_RESULT=$6 | 161 | SERIAL_RESULT=$6 |
| 147 | CERTS_RESULT=$7 | 162 | KEYID_RESULT=$7 |
| 148 | CA_RESULT=$8 | 163 | CERTS_RESULT=$8 |
| 149 | SERIAL_WRESULT=$9 | 164 | CA_RESULT=$9 |
| 150 | KEYID_WRESULT=$10 | 165 | SERIAL_WRESULT=$10 |
| 166 | KEYID_WRESULT=$11 | ||
| 151 | verbose "$tid: checking revocations for $TAG" | 167 | verbose "$tid: checking revocations for $TAG" |
| 152 | for f in $FILES ; do | 168 | for f in $FILES ; do |
| 153 | check_krl $f $OBJ/krl-empty no "$TAG" | 169 | check_krl $f $OBJ/krl-empty no "$TAG" |
| 154 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" | 170 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" |
| 155 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" | 171 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" |
| 172 | check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG" | ||
| 173 | check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG" | ||
| 174 | check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG" | ||
| 156 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" | 175 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" |
| 157 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" | 176 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" |
| 158 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" | 177 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" |
| @@ -163,12 +182,12 @@ test_rev() { | |||
| 163 | } | 182 | } |
| 164 | 183 | ||
| 165 | test_all() { | 184 | test_all() { |
| 166 | # wildcard | 185 | # wildcard |
| 167 | # keys all sr# k.ID cert CA sr.# k.ID | 186 | # keys all hash sr# ID cert CA srl ID |
| 168 | test_rev "$RKEYS" "revoked keys" yes yes no no no no no no | 187 | test_rev "$RKEYS" "revoked keys" y y y n n n n n n |
| 169 | test_rev "$UKEYS" "unrevoked keys" no no no no no no no no | 188 | test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n |
| 170 | test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes | 189 | test_rev "$RCERTS" "revoked certs" y y y y y y y y y |
| 171 | test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no | 190 | test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n |
| 172 | } | 191 | } |
| 173 | 192 | ||
| 174 | test_all | 193 | test_all |