-rw-r--r--ChangeLog3
-rw-r--r--regress/Makefile7
-rw-r--r--regress/cert-hostkey.sh122
-rw-r--r--regress/cert-userkey.sh89
4 files changed, 219 insertions, 2 deletions
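--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
  PROTOCOL.certkeys
 
  feedback and ok markus@
+ - djm@cvs.openbsd.org 2010/02/26 20:33:21
+ [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
+ regression tests for certified keys
 
 20100224
  - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]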
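--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.51 2010/02/09 06:29:02 djm Exp $
+# $OpenBSD: Makefile,v 1.52 2010/02/26 20:33:21 djm Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
 tests: $(REGRESS_TARGETS)
@@ -52,7 +52,9 @@ LTESTS= connect \
  addrmatch \
  localcommand \
  forcecommand \
- portnum
+ portnum \
+ cert-hostkey \
+ cert-userkey
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -66,6 +68,7 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
  ls.copy banner.in banner.out empty.in \
  scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
  sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
+ known_hosts-cert host_ca_key* cert_host_key* \
  putty.rsa2
 
 # Enable all malloc(3) randomisations and checks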
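Review bot: The CLEANFILES addition in the third hunk covers `known_hosts-cert host_ca_key* cert_host_key*` but nothing for the user-certificate test, which in this same commit generates `user_ca_key*` and `cert_user_key*` under `$OBJ`. Both scripts delete their key material only on their last line, so an interrupted run can leave passphrase-less CA and user private keys (created with `-N ''`) in the object directory, and `make clean` would presumably not remove them. I would add `user_ca_key* cert_user_key* \` next to the new line. The CLEANFILES assignment starts above the visible context, so confirm those names are not already listed there.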
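--- /dev/null
+++ b/regress/cert-hostkey.sh
@@ -0,0 +1,122 @@
+# $OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# Placed in the Public Domain.
+
+tid="certified host keys"
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
+ fail "ssh-keygen of host_ca_key failed"
+(
+ echo -n '@cert-authority '
+ echo -n "$HOSTS "
+ cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
+# Generate and sign host keys
+for ktype in rsa dsa ; do
+ verbose "$tid: sign host ${ktype} cert"
+ # Generate and sign a host key
+ ${SSHKEYGEN} -q -N '' -t ${ktype} \
+ -f $OBJ/cert_host_key_${ktype} || \
+ fail "ssh-keygen of cert_host_key_${ktype} failed"
+ ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+ -I "regress host key for $USER" \
+ -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+ fail "couldn't sign cert_host_key_${ktype}"
+done
+
+# Basic connect tests
+for privsep in yes no ; do
+ for ktype in rsa dsa ; do
+ verbose "$tid: host ${ktype} cert connect privsep $privsep"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ echo UsePrivilegeSeparation $privsep
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+ done
+done
+
+test_one() {
+ ident=$1
+ result=$2
+ sign_opts=$3
+
+ verbose "$tid: test host cert connect $ident expect $result"
+
+ ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+ $sign_opts \
+ $OBJ/cert_host_key_rsa ||
+ fail "couldn't sign cert_host_key_rsa"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_rsa
+ echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ rc=$?
+ if [ "x$result" = "xsuccess" ] ; then
+ if [ $rc -ne 0 ]; then
+ fail "ssh cert connect $ident failed unexpectedly"
+ fi
+ else
+ if [ $rc -eq 0 ]; then
+ fail "ssh cert connect $ident succeeded unexpectedly"
+ fi
+ fi
+}
+
+test_one "user-certificate" failure "-n $HOSTS"
+test_one "empty principals" success "-h"
+test_one "wrong principals" failure "-h -n foo"
+test_one "cert not yet valid" failure "-h -V20200101:20300101"
+test_one "cert expired" failure "-h -V19800101:19900101"
+test_one "cert valid interval" success "-h -V-1w:+2w"
+test_one "cert has constraints" failure "-h -Oforce-command=false"
+
+# Check downgrade of cert to raw key when no CA found
+rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for ktype in rsa dsa ; do
+ verbose "$tid: host ${ktype} cert downgrade to raw key"
+ # Generate and sign a host key
+ ${SSHKEYGEN} -q -N '' -t ${ktype} \
+ -f $OBJ/cert_host_key_${ktype} || \
+ fail "ssh-keygen of cert_host_key_${ktype} failed"
+ ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+ -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+ fail "couldn't sign cert_host_key_${ktype}"
+ (
+ echo -n "$HOSTS "
+ cat $OBJ/cert_host_key_${ktype}.pub
+ ) > $OBJ/known_hosts-cert
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+done
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*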
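Review bot: The "cert not yet valid" case signs with the absolute window `-V20200101:20300101`, so from 2020-01-01 that certificate is simply valid and the case expecting `failure` will report "succeeded unexpectedly". From then on the suite stops checking that a host certificate with a future start time is rejected. A start time relative to the signing moment keeps the check meaningful, for example `test_one "cert not yet valid" failure "-h -V+1w:+2w"`, assuming ssh-keygen accepts a `+` offset for the start as it does for the end in the "cert valid interval" case. The "cert not yet valid" call in regress/cert-userkey.sh uses the same absolute dates and needs the same change.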
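--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,89 @@
+# $OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+# Placed in the Public Domain.
+
+tid="certified user keys"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+# Create a CA key and add it to authorized_keys
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
+ fail "ssh-keygen of user_ca_key failed"
+(
+ echo -n 'cert-authority '
+ cat $OBJ/user_ca_key.pub
+) > $OBJ/authorized_keys_$USER
+
+# Generate and sign user keys
+for ktype in rsa dsa ; do
+ verbose "$tid: sign user ${ktype} cert"
+ ${SSHKEYGEN} -q -N '' -t ${ktype} \
+ -f $OBJ/cert_user_key_${ktype} || \
+ fail "ssh-keygen of cert_user_key_${ktype} failed"
+ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+ "regress user key for $USER" \
+ -n $USER $OBJ/cert_user_key_${ktype} ||
+ fail "couldn't sign cert_user_key_${ktype}"
+
+done
+
+# Basic connect tests
+for privsep in yes no ; do
+ for ktype in rsa dsa ; do
+ verbose "$tid: user ${ktype} cert connect privsep $privsep"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "UsePrivilegeSeparation $privsep"
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+ done
+done
+
+verbose "$tid: ensure CA key does not authenticate user"
+${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh cert connect with CA key succeeded unexpectedly"
+fi
+
+test_one() {
+ ident=$1
+ result=$2
+ sign_opts=$3
+
+ verbose "$tid: test user cert connect $ident expect $result"
+
+ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+ $sign_opts \
+ $OBJ/cert_user_key_rsa ||
+ fail "couldn't sign cert_user_key_rsa"
+
+ ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+ somehost true >/dev/null 2>&1
+ rc=$?
+ if [ "x$result" = "xsuccess" ] ; then
+ if [ $rc -ne 0 ]; then
+ fail "ssh cert connect $ident failed unexpectedly"
+ fi
+ else
+ if [ $rc -eq 0 ]; then
+ fail "ssh cert connect $ident succeeded unexpectedly"
+ fi
+ fi
+ cleanup
+}
+
+test_one "host-certificate" failure "-h"
+test_one "empty principals" success ""
+test_one "wrong principals" failure "-n foo"
+test_one "cert not yet valid" failure "-V20200101:20300101"
+test_one "cert expired" failure "-V19800101:19900101"
+test_one "cert valid interval" success "-V-1w:+2w"
+test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
+test_one "force-command" failure "-Oforce-command=false"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*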
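Review bot: Every `failure` case in test_one is satisfied by any non-zero exit from ssh, with stdout and stderr discarded, so the "force-command" call passes both when sshd refuses the certificate and when it accepts it and runs `false` in place of `true`. Those are opposite outcomes for the constraint being tested, and the script does not say which one is meant. I would document the intent above that call, e.g. `# expect rc != 0 because the forced command "false" runs, not because authentication is refused` (adjust if rejection is what is intended). The "wrong source-address" case has no matching-address counterpart expecting `success`, so the source-address option is only exercised on its reject path.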