Diffstat (limited to 'regress/cert-file.sh')
-rw-r--r-- | regress/cert-file.sh | 131 |
1 files changed, 64 insertions, 67 deletions
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 43b8e0201..8fd62c773 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | |||
54 | # XXX: verify that certificate used was what we expect. Needs exposure of | 54 | # XXX: verify that certificate used was what we expect. Needs exposure of |
55 | # keys via enviornment variable or similar. | 55 | # keys via enviornment variable or similar. |
56 | 56 | ||
57 | for p in ${SSH_PROTOCOLS}; do | ||
58 | # Key with no .pub should work - finding the equivalent *-cert.pub. | 57 | # Key with no .pub should work - finding the equivalent *-cert.pub. |
59 | verbose "protocol $p: identity cert with no plain public file" | 58 | verbose "identity cert with no plain public file" |
60 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 59 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
61 | -i $OBJ/user_key3 somehost exit 5$p | 60 | -i $OBJ/user_key3 somehost exit 52 |
62 | [ $? -ne 5$p ] && fail "ssh failed" | 61 | [ $? -ne 52 ] && fail "ssh failed" |
63 | 62 | ||
64 | # CertificateFile matching private key with no .pub file should work. | 63 | # CertificateFile matching private key with no .pub file should work. |
65 | verbose "protocol $p: CertificateFile with no plain public file" | 64 | verbose "CertificateFile with no plain public file" |
66 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 65 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
67 | -oCertificateFile=$OBJ/user_key3-cert.pub \ | 66 | -oCertificateFile=$OBJ/user_key3-cert.pub \ |
68 | -i $OBJ/user_key3 somehost exit 5$p | 67 | -i $OBJ/user_key3 somehost exit 52 |
69 | [ $? -ne 5$p ] && fail "ssh failed" | 68 | [ $? -ne 52 ] && fail "ssh failed" |
70 | 69 | ||
71 | # Just keys should fail | 70 | # Just keys should fail |
72 | verbose "protocol $p: plain keys" | 71 | verbose "plain keys" |
73 | ${SSH} $opts2 somehost exit 5$p | 72 | ${SSH} $opts2 somehost exit 52 |
74 | r=$? | 73 | r=$? |
75 | if [ $r -eq 5$p ]; then | 74 | if [ $r -eq 52 ]; then |
76 | fail "ssh succeeded with no certs in protocol $p" | 75 | fail "ssh succeeded with no certs" |
77 | fi | 76 | fi |
78 | 77 | ||
79 | # Keys with untrusted cert should fail. | 78 | # Keys with untrusted cert should fail. |
80 | verbose "protocol $p: untrusted cert" | 79 | verbose "untrusted cert" |
81 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 80 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
82 | ${SSH} $opts3 somehost exit 5$p | 81 | ${SSH} $opts3 somehost exit 52 |
83 | r=$? | 82 | r=$? |
84 | if [ $r -eq 5$p ]; then | 83 | if [ $r -eq 52 ]; then |
85 | fail "ssh succeeded with bad cert in protocol $p" | 84 | fail "ssh succeeded with bad cert" |
86 | fi | 85 | fi |
87 | 86 | ||
88 | # Good cert with bad key should fail. | 87 | # Good cert with bad key should fail. |
89 | verbose "protocol $p: good cert, bad key" | 88 | verbose "good cert, bad key" |
90 | opts3="$opts -i $OBJ/user_key2" | 89 | opts3="$opts -i $OBJ/user_key2" |
91 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 90 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
92 | ${SSH} $opts3 somehost exit 5$p | 91 | ${SSH} $opts3 somehost exit 52 |
93 | r=$? | 92 | r=$? |
94 | if [ $r -eq 5$p ]; then | 93 | if [ $r -eq 52 ]; then |
95 | fail "ssh succeeded with no matching key in protocol $p" | 94 | fail "ssh succeeded with no matching key" |
96 | fi | 95 | fi |
97 | 96 | ||
98 | # Keys with one trusted cert, should succeed. | 97 | # Keys with one trusted cert, should succeed. |
99 | verbose "protocol $p: single trusted" | 98 | verbose "single trusted" |
100 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 99 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
101 | ${SSH} $opts3 somehost exit 5$p | 100 | ${SSH} $opts3 somehost exit 52 |
102 | r=$? | 101 | r=$? |
103 | if [ $r -ne 5$p ]; then | 102 | if [ $r -ne 52 ]; then |
104 | fail "ssh failed with trusted cert and key in protocol $p" | 103 | fail "ssh failed with trusted cert and key" |
105 | fi | 104 | fi |
106 | 105 | ||
107 | # Multiple certs and keys, with one trusted cert, should succeed. | 106 | # Multiple certs and keys, with one trusted cert, should succeed. |
108 | verbose "protocol $p: multiple trusted" | 107 | verbose "multiple trusted" |
109 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 108 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
110 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 109 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
111 | ${SSH} $opts3 somehost exit 5$p | 110 | ${SSH} $opts3 somehost exit 52 |
112 | r=$? | 111 | r=$? |
113 | if [ $r -ne 5$p ]; then | 112 | if [ $r -ne 52 ]; then |
114 | fail "ssh failed with multiple certs in protocol $p" | 113 | fail "ssh failed with multiple certs" |
115 | fi | 114 | fi |
116 | done | ||
117 | 115 | ||
118 | #next, using an agent in combination with the keys | 116 | #next, using an agent in combination with the keys |
119 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 | 117 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 |
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then | |||
139 | fi | 137 | fi |
140 | 138 | ||
141 | # try ssh with the agent and certificates | 139 | # try ssh with the agent and certificates |
142 | # note: ssh agent only uses certificates in protocol 2 | ||
143 | opts="-F $OBJ/ssh_proxy" | 140 | opts="-F $OBJ/ssh_proxy" |
144 | # with no certificates, shoud fail | 141 | # with no certificates, shoud fail |
145 | ${SSH} -2 $opts somehost exit 52 | 142 | ${SSH} $opts somehost exit 52 |
146 | if [ $? -eq 52 ]; then | 143 | if [ $? -eq 52 ]; then |
147 | fail "ssh connect with agent in protocol 2 succeeded with no cert" | 144 | fail "ssh connect with agent in succeeded with no cert" |
148 | fi | 145 | fi |
149 | 146 | ||
150 | #with an untrusted certificate, should fail | 147 | #with an untrusted certificate, should fail |
151 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 148 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
152 | ${SSH} -2 $opts somehost exit 52 | 149 | ${SSH} $opts somehost exit 52 |
153 | if [ $? -eq 52 ]; then | 150 | if [ $? -eq 52 ]; then |
154 | fail "ssh connect with agent in protocol 2 succeeded with bad cert" | 151 | fail "ssh connect with agent in succeeded with bad cert" |
155 | fi | 152 | fi |
156 | 153 | ||
157 | #with an additional trusted certificate, should succeed | 154 | #with an additional trusted certificate, should succeed |
158 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 155 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
159 | ${SSH} -2 $opts somehost exit 52 | 156 | ${SSH} $opts somehost exit 52 |
160 | if [ $? -ne 52 ]; then | 157 | if [ $? -ne 52 ]; then |
161 | fail "ssh connect with agent in protocol 2 failed with good cert" | 158 | fail "ssh connect with agent in failed with good cert" |
162 | fi | 159 | fi |
163 | 160 | ||
164 | trace "kill agent" | 161 | trace "kill agent" |
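Review bot: The three fail messages at new lines 144, 151 and 158 dropped the words "protocol 2" but kept the preceding "in", so they now read `ssh connect with agent in succeeded with no cert` and the log text is garbled. Remove the stray word: `fail "ssh connect with agent succeeded with no cert"`, `fail "ssh connect with agent succeeded with bad cert"`, `fail "ssh connect with agent failed with good cert"`. In the earlier hunk, the two single-line checks at new lines 61 and 68 both report the identical message `ssh failed`, which makes the "identity cert with no .pub" and the "CertificateFile with no .pub" cases indistinguishable in a failing run; a message naming the case, as the later checks in the same hunk do, would help. The typo in the context comment `# with no certificates, shoud fail` (new line 141) predates this change and could be fixed while touching the block.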