Diffstat (limited to 'regress/cert-file.sh')
-rw-r--r-- | regress/cert-file.sh | 136 |
1 files changed, 136 insertions, 0 deletions
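--- /dev/null
+++ b/regress/cert-file.sh
@@ -0,0 +1,136 @@
+# $OpenBSD: cert-file.sh,v 1.1 2015/09/24 06:16:53 djm Exp $
+# Placed in the Public Domain.
+
+tid="ssh with certificates"
+
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
+	fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\
+	fatal "ssh-keygen failed"
+
+# Make some keys and certificates.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+	fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
+	fatal "ssh-keygen failed"
+# Move the certificate to a different address to better control
+# when it is offered.
+${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
+	-z $$ -n ${USER} $OBJ/user_key1 ||
+	fail "couldn't sign user_key1 with user_ca_key1"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
+${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
+	-z $$ -n ${USER} $OBJ/user_key1 ||
+	fail "couldn't sign user_key1 with user_ca_key2"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
+
+trace 'try with identity files'
+opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
+echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
+
+for p in ${SSH_PROTOCOLS}; do
+	# Just keys should fail
+	${SSH} $opts2 somehost exit 5$p
+	r=$?
+	if [ $r -eq 5$p ]; then
+		fail "ssh succeeded with no certs in protocol $p"
+	fi
+
+	# Keys with untrusted cert should fail.
+	opts3="$opts2 -z $OBJ/cert_user_key1_2.pub"
+	${SSH} $opts3 somehost exit 5$p
+	r=$?
+	if [ $r -eq 5$p ]; then
+		fail "ssh succeeded with bad cert in protocol $p"
+	fi
+
+	# Good cert with bad key should fail.
+	opts3="$opts -i $OBJ/user_key2 -z $OBJ/cert_user_key1_1.pub"
+	${SSH} $opts3 somehost exit 5$p
+	r=$?
+	if [ $r -eq 5$p ]; then
+		fail "ssh succeeded with no matching key in protocol $p"
+	fi
+
+	# Keys with one trusted cert, should succeed.
+	opts3="$opts2 -z $OBJ/cert_user_key1_1.pub"
+	${SSH} $opts3 somehost exit 5$p
+	r=$?
+	if [ $r -ne 5$p ]; then
+		fail "ssh failed with trusted cert and key in protocol $p"
+	fi
+
+	# Multiple certs and keys, with one trusted cert, should succeed.
+	opts3="$opts2 -z $OBJ/cert_user_key1_2.pub -z $OBJ/cert_user_key1_1.pub"
+	${SSH} $opts3 somehost exit 5$p
+	r=$?
+	if [ $r -ne 5$p ]; then
+		fail "ssh failed with multiple certs in protocol $p"
+	fi
+
+	#Keys with trusted certificate specified in config options, should succeed.
+	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+	${SSH} $opts3 somehost exit 5$p
+	r=$?
+	if [ $r -ne 5$p ]; then
+		fail "ssh failed with trusted cert in config in protocol $p"
+	fi
+done
+
+#next, using an agent in combination with the keys
+SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+	fatal "ssh-add -l did not fail with exit code 2"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fatal "could not start ssh-agent: exit code $r"
+fi
+
+# add private keys to agent
+${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fatal "ssh-add did not succeed with exit code 0"
+fi
+${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+	fatal "ssh-add did not succeed with exit code 0"
+fi
+
+# try ssh with the agent and certificates
+# note: ssh agent only uses certificates in protocol 2
+opts="-F $OBJ/ssh_proxy"
+# with no certificates, shoud fail
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+	fail "ssh connect with agent in protocol 2 succeeded with no cert"
+fi
+
+#with an untrusted certificate, should fail
+opts="$opts -z $OBJ/cert_user_key1_2.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+fi
+
+#with an additional trusted certificate, should succeed
+opts="$opts -z $OBJ/cert_user_key1_1.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -ne 52 ]; then
+	fail "ssh connect with agent in protocol 2 failed with good cert"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+
+#cleanup
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*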
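Review bot: If either ssh-add call at lines 99–106 fails, the agent started at line 92 is left running, because `fatal` exits before the `${SSHAGENT} -k` at line 132 is reached — unless the harness's fatal() reaps agents, which is not visible here. Adding `${SSHAGENT} -k > /dev/null` immediately before each of those two `fatal` calls keeps a failed run from leaving a live agent socket (holding both private keys) behind. Separately, the negative cases at lines 37–50 and 111–122 only check that the exit status is not 5$p, so any unrelated client error — a rejected option, an unreachable agent — satisfies them vacuously; the positive cases that follow in the same stage (lines 60–82 and 124–129) catch outright breakage, but including `$r` in those `fail` messages, e.g. `fail "ssh succeeded with bad cert in protocol $p (exit $r)"`, would make a spurious pass or failure easier to diagnose.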