Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh169
1 files changed, 79 insertions, 90 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..3f53922c8 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,11 +1,32 @@
1# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
5 5
6rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* 6rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
7rm -f $OBJ/cert_host_key* $OBJ/host_krl_* 7rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
8
9# Allow all hostkey/pubkey types, prefer certs for the client
10types=""
11for i in `$SSH -Q key`; do
12 if [ -z "$types" ]; then
13 types="$i"
14 continue
15 fi
16 case "$i" in
17 *cert*) types="$i,$types";;
18 *) types="$types,$i";;
19 esac
20done
21(
22 echo "HostKeyAlgorithms ${types}"
23 echo "PubkeyAcceptedKeyTypes *"
24) >> $OBJ/ssh_proxy
8cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 25cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
26(
27 echo "HostKeyAlgorithms *"
28 echo "PubkeyAcceptedKeyTypes *"
29) >> $OBJ/sshd_proxy_bak
9 30
10HOSTS='localhost-with-alias,127.0.0.1,::1' 31HOSTS='localhost-with-alias,127.0.0.1,::1'
11 32
@@ -27,13 +48,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27 48
28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 49PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29 50
30type_has_legacy() {
31 case $1 in
32 ed25519*|ecdsa*) return 1 ;;
33 esac
34 return 0
35}
36
37# Prepare certificate, plain key and CA KRLs 51# Prepare certificate, plain key and CA KRLs
38${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" 52${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
39${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" 53${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +75,6 @@ for ktype in $PLAIN_TYPES ; do
61 fatal "KRL update failed" 75 fatal "KRL update failed"
62 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert 76 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63 serial=`expr $serial + 1` 77 serial=`expr $serial + 1`
64 type_has_legacy $ktype || continue
65 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67 verbose "$tid: sign host ${ktype}_v00 cert"
68 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69 -I "regress host key for $USER" \
70 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
71 fatal "couldn't sign cert_host_key_${ktype}_v00"
72 ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73 $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
74 fatal "KRL update failed"
75 cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76done 78done
77 79
78attempt_connect() { 80attempt_connect() {
@@ -98,7 +100,7 @@ attempt_connect() {
98 100
99# Basic connect and revocation tests. 101# Basic connect and revocation tests.
100for privsep in yes no ; do 102for privsep in yes no ; do
101 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 103 for ktype in $PLAIN_TYPES ; do
102 verbose "$tid: host ${ktype} cert connect privsep $privsep" 104 verbose "$tid: host ${ktype} cert connect privsep $privsep"
103 ( 105 (
104 cat $OBJ/sshd_proxy_bak 106 cat $OBJ/sshd_proxy_bak
@@ -133,14 +135,14 @@ done
133 printf '@cert-authority ' 135 printf '@cert-authority '
134 printf "$HOSTS " 136 printf "$HOSTS "
135 cat $OBJ/host_ca_key.pub 137 cat $OBJ/host_ca_key.pub
136 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 138 for ktype in $PLAIN_TYPES ; do
137 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" 139 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
138 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" 140 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139 done 141 done
140) > $OBJ/known_hosts-cert.orig 142) > $OBJ/known_hosts-cert.orig
141cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 143cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142for privsep in yes no ; do 144for privsep in yes no ; do
143 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 145 for ktype in $PLAIN_TYPES ; do
144 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 146 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145 ( 147 (
146 cat $OBJ/sshd_proxy_bak 148 cat $OBJ/sshd_proxy_bak
@@ -169,7 +171,7 @@ done
169 cat $OBJ/host_ca_key.pub 171 cat $OBJ/host_ca_key.pub
170) > $OBJ/known_hosts-cert.orig 172) > $OBJ/known_hosts-cert.orig
171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 173cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 174for ktype in $PLAIN_TYPES ; do
173 verbose "$tid: host ${ktype} revoked cert" 175 verbose "$tid: host ${ktype} revoked cert"
174 ( 176 (
175 cat $OBJ/sshd_proxy_bak 177 cat $OBJ/sshd_proxy_bak
@@ -198,17 +200,10 @@ test_one() {
198 result=$2 200 result=$2
199 sign_opts=$3 201 sign_opts=$3
200 202
201 for kt in rsa rsa_v00 ; do 203 for kt in rsa ed25519 ; do
202 case $kt in
203 *_v00) args="-t v00" ;;
204 *) args="" ;;
205 esac
206
207 verbose "$tid: host cert connect $ident $kt expect $result"
208 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ 204 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209 -I "regress host key for $USER" \ 205 -I "regress host key for $USER" \
210 $sign_opts $args \ 206 $sign_opts $OBJ/cert_host_key_${kt} ||
211 $OBJ/cert_host_key_${kt} ||
212 fail "couldn't sign cert_host_key_${kt}" 207 fail "couldn't sign cert_host_key_${kt}"
213 ( 208 (
214 cat $OBJ/sshd_proxy_bak 209 cat $OBJ/sshd_proxy_bak
@@ -242,36 +237,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242test_one "cert has constraints" failure "-h -Oforce-command=false" 237test_one "cert has constraints" failure "-h -Oforce-command=false"
243 238
244# Check downgrade of cert to raw key when no CA found 239# Check downgrade of cert to raw key when no CA found
245for v in v01 v00 ; do 240for ktype in $PLAIN_TYPES ; do
246 for ktype in $PLAIN_TYPES ; do 241 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247 type_has_legacy $ktype || continue 242 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 243 # Generate and sign a host key
249 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 244 ${SSHKEYGEN} -q -N '' -t ${ktype} \
250 # Generate and sign a host key 245 -f $OBJ/cert_host_key_${ktype} || \
251 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 246 fail "ssh-keygen of cert_host_key_${ktype} failed"
252 -f $OBJ/cert_host_key_${ktype} || \ 247 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253 fail "ssh-keygen of cert_host_key_${ktype} failed" 248 -I "regress host key for $USER" \
254 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 249 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
255 -I "regress host key for $USER" \ 250 fail "couldn't sign cert_host_key_${ktype}"
256 -n $HOSTS $OBJ/cert_host_key_${ktype} || 251 (
257 fail "couldn't sign cert_host_key_${ktype}" 252 printf "$HOSTS "
258 ( 253 cat $OBJ/cert_host_key_${ktype}.pub
259 printf "$HOSTS " 254 ) > $OBJ/known_hosts-cert
260 cat $OBJ/cert_host_key_${ktype}.pub 255 (
261 ) > $OBJ/known_hosts-cert 256 cat $OBJ/sshd_proxy_bak
262 ( 257 echo HostKey $OBJ/cert_host_key_${ktype}
263 cat $OBJ/sshd_proxy_bak 258 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264 echo HostKey $OBJ/cert_host_key_${ktype} 259 ) > $OBJ/sshd_proxy
265 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 260
266 ) > $OBJ/sshd_proxy 261 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267 262 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 263 -F $OBJ/ssh_proxy somehost true
269 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 264 if [ $? -ne 0 ]; then
270 -F $OBJ/ssh_proxy somehost true 265 fail "ssh cert connect failed"
271 if [ $? -ne 0 ]; then 266 fi
272 fail "ssh cert connect failed"
273 fi
274 done
275done 267done
276 268
277# Wrong certificate 269# Wrong certificate
@@ -281,33 +273,30 @@ done
281 cat $OBJ/host_ca_key.pub 273 cat $OBJ/host_ca_key.pub
282) > $OBJ/known_hosts-cert.orig 274) > $OBJ/known_hosts-cert.orig
283cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 275cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284for v in v01 v00 ; do 276for kt in $PLAIN_TYPES ; do
285 for kt in $PLAIN_TYPES ; do 277 rm -f $OBJ/cert_host_key*
286 type_has_legacy $kt || continue 278 # Self-sign key
287 rm -f $OBJ/cert_host_key* 279 ${SSHKEYGEN} -q -N '' -t ${kt} \
288 # Self-sign key 280 -f $OBJ/cert_host_key_${kt} || \
289 ${SSHKEYGEN} -q -N '' -t ${kt} \ 281 fail "ssh-keygen of cert_host_key_${kt} failed"
290 -f $OBJ/cert_host_key_${kt} || \ 282 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291 fail "ssh-keygen of cert_host_key_${kt} failed" 283 -I "regress host key for $USER" \
292 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 284 -n $HOSTS $OBJ/cert_host_key_${kt} ||
293 -I "regress host key for $USER" \ 285 fail "couldn't sign cert_host_key_${kt}"
294 -n $HOSTS $OBJ/cert_host_key_${kt} || 286 verbose "$tid: host ${kt} connect wrong cert"
295 fail "couldn't sign cert_host_key_${kt}" 287 (
296 verbose "$tid: host ${kt} connect wrong cert" 288 cat $OBJ/sshd_proxy_bak
297 ( 289 echo HostKey $OBJ/cert_host_key_${kt}
298 cat $OBJ/sshd_proxy_bak 290 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299 echo HostKey $OBJ/cert_host_key_${kt} 291 ) > $OBJ/sshd_proxy
300 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 292
301 ) > $OBJ/sshd_proxy 293 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302 294 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 295 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 296 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 297 if [ $? -eq 0 ]; then
306 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 298 fail "ssh cert connect $ident succeeded unexpectedly"
307 if [ $? -eq 0 ]; then 299 fi
308 fail "ssh cert connect $ident succeeded unexpectedly"
309 fi
310 done
311done 300done
312 301
313rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* 302rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
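Review bot: The downgrade loop still reads `${v}` after the enclosing `for v in v01 v00` loop was removed — new line 242 prints an empty field in the verbose message, and new line 247 runs `${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key`, where the unset variable collapses to a bare `-t` whose argument is presumably the following `-h`, so the host-certificate flag may never reach ssh-keygen. The same leftover appears at new line 282 in the wrong-certificate hunk (`${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt}`). Dropping the stale option fixes both: `${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \` and `${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${kt} \`, with the message reduced to `verbose "$tid: host ${ktype} cert downgrade to raw key"`. As written, the downgrade and wrong-cert cases may be exercising a differently typed certificate than their names claim, so a pass there is weaker evidence than it looks.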