Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 169 |
1 files changed, 79 insertions, 90 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 51685dc2b..3f53922c8 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,11 +1,32 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
5 | 5 | ||
6 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* | 6 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* |
7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | 7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* |
8 | |||
9 | # Allow all hostkey/pubkey types, prefer certs for the client | ||
10 | types="" | ||
11 | for i in `$SSH -Q key`; do | ||
12 | if [ -z "$types" ]; then | ||
13 | types="$i" | ||
14 | continue | ||
15 | fi | ||
16 | case "$i" in | ||
17 | *cert*) types="$i,$types";; | ||
18 | *) types="$types,$i";; | ||
19 | esac | ||
20 | done | ||
21 | ( | ||
22 | echo "HostKeyAlgorithms ${types}" | ||
23 | echo "PubkeyAcceptedKeyTypes *" | ||
24 | ) >> $OBJ/ssh_proxy | ||
8 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 25 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
26 | ( | ||
27 | echo "HostKeyAlgorithms *" | ||
28 | echo "PubkeyAcceptedKeyTypes *" | ||
29 | ) >> $OBJ/sshd_proxy_bak | ||
9 | 30 | ||
10 | HOSTS='localhost-with-alias,127.0.0.1,::1' | 31 | HOSTS='localhost-with-alias,127.0.0.1,::1' |
11 | 32 | ||
@@ -27,13 +48,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca | |||
27 | 48 | ||
28 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 49 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
29 | 50 | ||
30 | type_has_legacy() { | ||
31 | case $1 in | ||
32 | ed25519*|ecdsa*) return 1 ;; | ||
33 | esac | ||
34 | return 0 | ||
35 | } | ||
36 | |||
37 | # Prepare certificate, plain key and CA KRLs | 51 | # Prepare certificate, plain key and CA KRLs |
38 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" | 52 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" |
39 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" | 53 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" |
@@ -61,18 +75,6 @@ for ktype in $PLAIN_TYPES ; do | |||
61 | fatal "KRL update failed" | 75 | fatal "KRL update failed" |
62 | cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert | 76 | cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert |
63 | serial=`expr $serial + 1` | 77 | serial=`expr $serial + 1` |
64 | type_has_legacy $ktype || continue | ||
65 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | ||
66 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | ||
67 | verbose "$tid: sign host ${ktype}_v00 cert" | ||
68 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | ||
69 | -I "regress host key for $USER" \ | ||
70 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || | ||
71 | fatal "couldn't sign cert_host_key_${ktype}_v00" | ||
72 | ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \ | ||
73 | $OBJ/cert_host_key_${ktype}_v00-cert.pub || \ | ||
74 | fatal "KRL update failed" | ||
75 | cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert | ||
76 | done | 78 | done |
77 | 79 | ||
78 | attempt_connect() { | 80 | attempt_connect() { |
@@ -98,7 +100,7 @@ attempt_connect() { | |||
98 | 100 | ||
99 | # Basic connect and revocation tests. | 101 | # Basic connect and revocation tests. |
100 | for privsep in yes no ; do | 102 | for privsep in yes no ; do |
101 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do | 103 | for ktype in $PLAIN_TYPES ; do |
102 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 104 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
103 | ( | 105 | ( |
104 | cat $OBJ/sshd_proxy_bak | 106 | cat $OBJ/sshd_proxy_bak |
@@ -133,14 +135,14 @@ done | |||
133 | printf '@cert-authority ' | 135 | printf '@cert-authority ' |
134 | printf "$HOSTS " | 136 | printf "$HOSTS " |
135 | cat $OBJ/host_ca_key.pub | 137 | cat $OBJ/host_ca_key.pub |
136 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do | 138 | for ktype in $PLAIN_TYPES ; do |
137 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" | 139 | test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" |
138 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" | 140 | printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" |
139 | done | 141 | done |
140 | ) > $OBJ/known_hosts-cert.orig | 142 | ) > $OBJ/known_hosts-cert.orig |
141 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 143 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
142 | for privsep in yes no ; do | 144 | for privsep in yes no ; do |
143 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do | 145 | for ktype in $PLAIN_TYPES ; do |
144 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 146 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
145 | ( | 147 | ( |
146 | cat $OBJ/sshd_proxy_bak | 148 | cat $OBJ/sshd_proxy_bak |
@@ -169,7 +171,7 @@ done | |||
169 | cat $OBJ/host_ca_key.pub | 171 | cat $OBJ/host_ca_key.pub |
170 | ) > $OBJ/known_hosts-cert.orig | 172 | ) > $OBJ/known_hosts-cert.orig |
171 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 173 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
172 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do | 174 | for ktype in $PLAIN_TYPES ; do |
173 | verbose "$tid: host ${ktype} revoked cert" | 175 | verbose "$tid: host ${ktype} revoked cert" |
174 | ( | 176 | ( |
175 | cat $OBJ/sshd_proxy_bak | 177 | cat $OBJ/sshd_proxy_bak |
@@ -198,17 +200,10 @@ test_one() { | |||
198 | result=$2 | 200 | result=$2 |
199 | sign_opts=$3 | 201 | sign_opts=$3 |
200 | 202 | ||
201 | for kt in rsa rsa_v00 ; do | 203 | for kt in rsa ed25519 ; do |
202 | case $kt in | ||
203 | *_v00) args="-t v00" ;; | ||
204 | *) args="" ;; | ||
205 | esac | ||
206 | |||
207 | verbose "$tid: host cert connect $ident $kt expect $result" | ||
208 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ | 204 | ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ |
209 | -I "regress host key for $USER" \ | 205 | -I "regress host key for $USER" \ |
210 | $sign_opts $args \ | 206 | $sign_opts $OBJ/cert_host_key_${kt} || |
211 | $OBJ/cert_host_key_${kt} || | ||
212 | fail "couldn't sign cert_host_key_${kt}" | 207 | fail "couldn't sign cert_host_key_${kt}" |
213 | ( | 208 | ( |
214 | cat $OBJ/sshd_proxy_bak | 209 | cat $OBJ/sshd_proxy_bak |
@@ -242,36 +237,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w" | |||
242 | test_one "cert has constraints" failure "-h -Oforce-command=false" | 237 | test_one "cert has constraints" failure "-h -Oforce-command=false" |
243 | 238 | ||
244 | # Check downgrade of cert to raw key when no CA found | 239 | # Check downgrade of cert to raw key when no CA found |
245 | for v in v01 v00 ; do | 240 | for ktype in $PLAIN_TYPES ; do |
246 | for ktype in $PLAIN_TYPES ; do | 241 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
247 | type_has_legacy $ktype || continue | 242 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
248 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 243 | # Generate and sign a host key |
249 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" | 244 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
250 | # Generate and sign a host key | 245 | -f $OBJ/cert_host_key_${ktype} || \ |
251 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 246 | fail "ssh-keygen of cert_host_key_${ktype} failed" |
252 | -f $OBJ/cert_host_key_${ktype} || \ | 247 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ |
253 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 248 | -I "regress host key for $USER" \ |
254 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ | 249 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
255 | -I "regress host key for $USER" \ | 250 | fail "couldn't sign cert_host_key_${ktype}" |
256 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 251 | ( |
257 | fail "couldn't sign cert_host_key_${ktype}" | 252 | printf "$HOSTS " |
258 | ( | 253 | cat $OBJ/cert_host_key_${ktype}.pub |
259 | printf "$HOSTS " | 254 | ) > $OBJ/known_hosts-cert |
260 | cat $OBJ/cert_host_key_${ktype}.pub | 255 | ( |
261 | ) > $OBJ/known_hosts-cert | 256 | cat $OBJ/sshd_proxy_bak |
262 | ( | 257 | echo HostKey $OBJ/cert_host_key_${ktype} |
263 | cat $OBJ/sshd_proxy_bak | 258 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
264 | echo HostKey $OBJ/cert_host_key_${ktype} | 259 | ) > $OBJ/sshd_proxy |
265 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 260 | |
266 | ) > $OBJ/sshd_proxy | 261 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
267 | 262 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | |
268 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 263 | -F $OBJ/ssh_proxy somehost true |
269 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 264 | if [ $? -ne 0 ]; then |
270 | -F $OBJ/ssh_proxy somehost true | 265 | fail "ssh cert connect failed" |
271 | if [ $? -ne 0 ]; then | 266 | fi |
272 | fail "ssh cert connect failed" | ||
273 | fi | ||
274 | done | ||
275 | done | 267 | done |
276 | 268 | ||
277 | # Wrong certificate | 269 | # Wrong certificate |
@@ -281,33 +273,30 @@ done | |||
281 | cat $OBJ/host_ca_key.pub | 273 | cat $OBJ/host_ca_key.pub |
282 | ) > $OBJ/known_hosts-cert.orig | 274 | ) > $OBJ/known_hosts-cert.orig |
283 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 275 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
284 | for v in v01 v00 ; do | 276 | for kt in $PLAIN_TYPES ; do |
285 | for kt in $PLAIN_TYPES ; do | 277 | rm -f $OBJ/cert_host_key* |
286 | type_has_legacy $kt || continue | 278 | # Self-sign key |
287 | rm -f $OBJ/cert_host_key* | 279 | ${SSHKEYGEN} -q -N '' -t ${kt} \ |
288 | # Self-sign key | 280 | -f $OBJ/cert_host_key_${kt} || \ |
289 | ${SSHKEYGEN} -q -N '' -t ${kt} \ | 281 | fail "ssh-keygen of cert_host_key_${kt} failed" |
290 | -f $OBJ/cert_host_key_${kt} || \ | 282 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ |
291 | fail "ssh-keygen of cert_host_key_${kt} failed" | 283 | -I "regress host key for $USER" \ |
292 | ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ | 284 | -n $HOSTS $OBJ/cert_host_key_${kt} || |
293 | -I "regress host key for $USER" \ | 285 | fail "couldn't sign cert_host_key_${kt}" |
294 | -n $HOSTS $OBJ/cert_host_key_${kt} || | 286 | verbose "$tid: host ${kt} connect wrong cert" |
295 | fail "couldn't sign cert_host_key_${kt}" | 287 | ( |
296 | verbose "$tid: host ${kt} connect wrong cert" | 288 | cat $OBJ/sshd_proxy_bak |
297 | ( | 289 | echo HostKey $OBJ/cert_host_key_${kt} |
298 | cat $OBJ/sshd_proxy_bak | 290 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub |
299 | echo HostKey $OBJ/cert_host_key_${kt} | 291 | ) > $OBJ/sshd_proxy |
300 | echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub | 292 | |
301 | ) > $OBJ/sshd_proxy | 293 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
302 | 294 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | |
303 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 295 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
304 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 296 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 |
305 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 297 | if [ $? -eq 0 ]; then |
306 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | 298 | fail "ssh cert connect $ident succeeded unexpectedly" |
307 | if [ $? -eq 0 ]; then | 299 | fi |
308 | fail "ssh cert connect $ident succeeded unexpectedly" | ||
309 | fi | ||
310 | done | ||
311 | done | 300 | done |
312 | 301 | ||
313 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* | 302 | rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* |
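Review bot: `${v}` is no longer assigned anywhere once the outer `for v in v01 v00` loops are removed, yet the new side still passes `-t ${v}` to ssh-keygen at new lines 247 and 282 and prints it at new line 242. Because the expansion is unquoted and empty it vanishes, so `-t` consumes the following `-h` as its argument and both certificates are signed without the host flag. In the downgrade test that presumably means sshd rejects or ignores the non-host certificate and the raw key in known_hosts makes the connection succeed for the wrong reason; in the wrong-certificate test the expected failure no longer proves that a self-signed CA is refused. Drop the stale option, `${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \` and `${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${kt} \`, and remove `${v}` from the verbose message.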