diff options
| -rw-r--r-- | regress/cert-hostkey.sh | 12 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 19 |
2 files changed, 23 insertions, 8 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3ce777967..86ea62504 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* | |||
| 7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | 7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* |
| 8 | 8 | ||
| 9 | # Allow all hostkey/pubkey types, prefer certs for the client | 9 | # Allow all hostkey/pubkey types, prefer certs for the client |
| 10 | rsa=0 | ||
| 10 | types="" | 11 | types="" |
| 11 | for i in `$SSH -Q key`; do | 12 | for i in `$SSH -Q key`; do |
| 12 | if [ -z "$types" ]; then | 13 | if [ -z "$types" ]; then |
| @@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do | |||
| 19 | types="rsa-sha2-256-cert-v01@openssh.com,$i,$types" | 20 | types="rsa-sha2-256-cert-v01@openssh.com,$i,$types" |
| 20 | types="rsa-sha2-512-cert-v01@openssh.com,$types";; | 21 | types="rsa-sha2-512-cert-v01@openssh.com,$types";; |
| 21 | *rsa*) | 22 | *rsa*) |
| 23 | rsa=1 | ||
| 22 | types="$types,rsa-sha2-512,rsa-sha2-256,$i";; | 24 | types="$types,rsa-sha2-512,rsa-sha2-256,$i";; |
| 23 | # Prefer certificate to plain keys. | 25 | # Prefer certificate to plain keys. |
| 24 | *cert*) types="$i,$types";; | 26 | *cert*) types="$i,$types";; |
| @@ -51,10 +53,12 @@ kh_revoke() { | |||
| 51 | } | 53 | } |
| 52 | 54 | ||
| 53 | # Create a CA key and add it to known hosts. Ed25519 chosen for speed. | 55 | # Create a CA key and add it to known hosts. Ed25519 chosen for speed. |
| 54 | # RSA for testing RSA/SHA2 signatures. | 56 | # RSA for testing RSA/SHA2 signatures if supported. |
| 57 | ktype2=ed25519 | ||
| 58 | [ "x$rsa" = "x1" ] && ktype2=rsa | ||
| 55 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ | 59 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ |
| 56 | fail "ssh-keygen of host_ca_key failed" | 60 | fail "ssh-keygen of host_ca_key failed" |
| 57 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\ | 61 | ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\ |
| 58 | fail "ssh-keygen of host_ca_key failed" | 62 | fail "ssh-keygen of host_ca_key failed" |
| 59 | 63 | ||
| 60 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig | 64 | kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig |
| @@ -214,7 +218,7 @@ test_one() { | |||
| 214 | result=$2 | 218 | result=$2 |
| 215 | sign_opts=$3 | 219 | sign_opts=$3 |
| 216 | 220 | ||
| 217 | for kt in rsa ed25519 ; do | 221 | for kt in $PLAIN_TYPES; do |
| 218 | case $ktype in | 222 | case $ktype in |
| 219 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; | 223 | rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; |
| 220 | *) tflag=""; ca="$OBJ/host_ca_key" ;; | 224 | *) tflag=""; ca="$OBJ/host_ca_key" ;; |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6849e9922..38c14a698 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | |||
| 9 | 9 | ||
| 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 11 | EXTRA_TYPES="" | 11 | EXTRA_TYPES="" |
| 12 | rsa="" | ||
| 12 | 13 | ||
| 13 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | 14 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then |
| 15 | rsa=rsa | ||
| 14 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | 16 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" |
| 15 | fi | 17 | fi |
| 16 | 18 | ||
| @@ -20,11 +22,20 @@ kname() { | |||
| 20 | # subshell because some seds will add a newline | 22 | # subshell because some seds will add a newline |
| 21 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; | 23 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; |
| 22 | esac | 24 | esac |
| 23 | echo "$n*,ssh-rsa*,ssh-ed25519*" | 25 | if [ -z "$rsa" ]; then |
| 26 | echo "$n*,ssh-ed25519*" | ||
| 27 | else | ||
| 28 | echo "$n*,ssh-rsa*,ssh-ed25519*" | ||
| 29 | fi | ||
| 24 | } | 30 | } |
| 25 | 31 | ||
| 26 | # Create a CA key | 32 | # Create a CA key |
| 27 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | 33 | if [ ! -z "$rsa" ]; then |
| 34 | catype=rsa | ||
| 35 | else | ||
| 36 | catype=ed25519 | ||
| 37 | fi | ||
| 38 | ${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key ||\ | ||
| 28 | fail "ssh-keygen of user_ca_key failed" | 39 | fail "ssh-keygen of user_ca_key failed" |
| 29 | 40 | ||
| 30 | # Generate and sign user keys | 41 | # Generate and sign user keys |
| @@ -283,7 +294,7 @@ test_one() { | |||
| 283 | fi | 294 | fi |
| 284 | 295 | ||
| 285 | for auth in $auth_choice ; do | 296 | for auth in $auth_choice ; do |
| 286 | for ktype in rsa ed25519 ; do | 297 | for ktype in $rsa ed25519 ; do |
| 287 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 298 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 288 | if test "x$auth" = "xauthorized_keys" ; then | 299 | if test "x$auth" = "xauthorized_keys" ; then |
| 289 | # Add CA to authorized_keys | 300 | # Add CA to authorized_keys |