diff options
Diffstat (limited to 'regress/cert-file.sh')
| -rw-r--r-- | regress/cert-file.sh | 53 |
1 files changed, 42 insertions, 11 deletions
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index b184e7fea..43b8e0201 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-file.sh,v 1.4 2016/12/16 02:48:55 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
| @@ -17,24 +17,59 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ | |||
| 17 | fatal "ssh-keygen failed" | 17 | fatal "ssh-keygen failed" |
| 18 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ | 18 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ |
| 19 | fatal "ssh-keygen failed" | 19 | fatal "ssh-keygen failed" |
| 20 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ | ||
| 21 | fatal "ssh-keygen failed" | ||
| 22 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ | ||
| 23 | fatal "ssh-keygen failed" | ||
| 24 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ | ||
| 25 | fatal "ssh-keygen failed" | ||
| 26 | |||
| 20 | # Move the certificate to a different address to better control | 27 | # Move the certificate to a different address to better control |
| 21 | # when it is offered. | 28 | # when it is offered. |
| 22 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | 29 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ |
| 23 | -z $$ -n ${USER} $OBJ/user_key1 || | 30 | -z $$ -n ${USER} $OBJ/user_key1 || |
| 24 | fail "couldn't sign user_key1 with user_ca_key1" | 31 | fatal "couldn't sign user_key1 with user_ca_key1" |
| 25 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub | 32 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub |
| 26 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ | 33 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ |
| 27 | -z $$ -n ${USER} $OBJ/user_key1 || | 34 | -z $$ -n ${USER} $OBJ/user_key1 || |
| 28 | fail "couldn't sign user_key1 with user_ca_key2" | 35 | fatal "couldn't sign user_key1 with user_ca_key2" |
| 29 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub | 36 | mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub |
| 37 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | ||
| 38 | -z $$ -n ${USER} $OBJ/user_key3 || | ||
| 39 | fatal "couldn't sign user_key3 with user_ca_key1" | ||
| 40 | rm $OBJ/user_key3.pub # to test use of private key w/o public half. | ||
| 41 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ | ||
| 42 | -z $$ -n ${USER} $OBJ/user_key4 || | ||
| 43 | fatal "couldn't sign user_key4 with user_ca_key1" | ||
| 44 | rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. | ||
| 30 | 45 | ||
| 31 | trace 'try with identity files' | 46 | trace 'try with identity files' |
| 32 | opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" | 47 | opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" |
| 33 | opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" | 48 | opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" |
| 34 | echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER | 49 | echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER |
| 35 | 50 | ||
| 51 | # Make a clean config that doesn't have any pre-added identities. | ||
| 52 | cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | ||
| 53 | |||
| 54 | # XXX: verify that certificate used was what we expect. Needs exposure of | ||
| 55 | # keys via enviornment variable or similar. | ||
| 56 | |||
| 36 | for p in ${SSH_PROTOCOLS}; do | 57 | for p in ${SSH_PROTOCOLS}; do |
| 58 | # Key with no .pub should work - finding the equivalent *-cert.pub. | ||
| 59 | verbose "protocol $p: identity cert with no plain public file" | ||
| 60 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | ||
| 61 | -i $OBJ/user_key3 somehost exit 5$p | ||
| 62 | [ $? -ne 5$p ] && fail "ssh failed" | ||
| 63 | |||
| 64 | # CertificateFile matching private key with no .pub file should work. | ||
| 65 | verbose "protocol $p: CertificateFile with no plain public file" | ||
| 66 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | ||
| 67 | -oCertificateFile=$OBJ/user_key3-cert.pub \ | ||
| 68 | -i $OBJ/user_key3 somehost exit 5$p | ||
| 69 | [ $? -ne 5$p ] && fail "ssh failed" | ||
| 70 | |||
| 37 | # Just keys should fail | 71 | # Just keys should fail |
| 72 | verbose "protocol $p: plain keys" | ||
| 38 | ${SSH} $opts2 somehost exit 5$p | 73 | ${SSH} $opts2 somehost exit 5$p |
| 39 | r=$? | 74 | r=$? |
| 40 | if [ $r -eq 5$p ]; then | 75 | if [ $r -eq 5$p ]; then |
| @@ -42,6 +77,7 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 42 | fi | 77 | fi |
| 43 | 78 | ||
| 44 | # Keys with untrusted cert should fail. | 79 | # Keys with untrusted cert should fail. |
| 80 | verbose "protocol $p: untrusted cert" | ||
| 45 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 81 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 46 | ${SSH} $opts3 somehost exit 5$p | 82 | ${SSH} $opts3 somehost exit 5$p |
| 47 | r=$? | 83 | r=$? |
| @@ -50,6 +86,7 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 50 | fi | 86 | fi |
| 51 | 87 | ||
| 52 | # Good cert with bad key should fail. | 88 | # Good cert with bad key should fail. |
| 89 | verbose "protocol $p: good cert, bad key" | ||
| 53 | opts3="$opts -i $OBJ/user_key2" | 90 | opts3="$opts -i $OBJ/user_key2" |
| 54 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 91 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 55 | ${SSH} $opts3 somehost exit 5$p | 92 | ${SSH} $opts3 somehost exit 5$p |
| @@ -59,6 +96,7 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 59 | fi | 96 | fi |
| 60 | 97 | ||
| 61 | # Keys with one trusted cert, should succeed. | 98 | # Keys with one trusted cert, should succeed. |
| 99 | verbose "protocol $p: single trusted" | ||
| 62 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 100 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 63 | ${SSH} $opts3 somehost exit 5$p | 101 | ${SSH} $opts3 somehost exit 5$p |
| 64 | r=$? | 102 | r=$? |
| @@ -67,6 +105,7 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 67 | fi | 105 | fi |
| 68 | 106 | ||
| 69 | # Multiple certs and keys, with one trusted cert, should succeed. | 107 | # Multiple certs and keys, with one trusted cert, should succeed. |
| 108 | verbose "protocol $p: multiple trusted" | ||
| 70 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 109 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 71 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 110 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 72 | ${SSH} $opts3 somehost exit 5$p | 111 | ${SSH} $opts3 somehost exit 5$p |
| @@ -74,14 +113,6 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 74 | if [ $r -ne 5$p ]; then | 113 | if [ $r -ne 5$p ]; then |
| 75 | fail "ssh failed with multiple certs in protocol $p" | 114 | fail "ssh failed with multiple certs in protocol $p" |
| 76 | fi | 115 | fi |
| 77 | |||
| 78 | #Keys with trusted certificate specified in config options, should succeed. | ||
| 79 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | ||
| 80 | ${SSH} $opts3 somehost exit 5$p | ||
| 81 | r=$? | ||
| 82 | if [ $r -ne 5$p ]; then | ||
| 83 | fail "ssh failed with trusted cert in config in protocol $p" | ||
| 84 | fi | ||
| 85 | done | 116 | done |
| 86 | 117 | ||
| 87 | #next, using an agent in combination with the keys | 118 | #next, using an agent in combination with the keys |