summaryrefslogtreecommitdiff
path: root/regress/cert-hostkey.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh111
1 files changed, 90 insertions, 21 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 1d9e0ed8e..51685dc2b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,21 +1,29 @@
1# $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
5 5
6rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 6rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
7rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 9
9HOSTS='localhost-with-alias,127.0.0.1,::1' 10HOSTS='localhost-with-alias,127.0.0.1,::1'
10 11
11# Create a CA key and add it to known hosts 12# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
12${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 13${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
13 fail "ssh-keygen of host_ca_key failed" 14 fail "ssh-keygen of host_ca_key failed"
14( 15(
15 printf '@cert-authority ' 16 printf '@cert-authority '
16 printf "$HOSTS " 17 printf "$HOSTS "
17 cat $OBJ/host_ca_key.pub 18 cat $OBJ/host_ca_key.pub
18) > $OBJ/known_hosts-cert 19) > $OBJ/known_hosts-cert.orig
20cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
21
22# Plain text revocation files
23touch $OBJ/host_revoked_empty
24touch $OBJ/host_revoked_plain
25touch $OBJ/host_revoked_cert
26cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
19 27
20PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
21 29
@@ -26,17 +34,33 @@ type_has_legacy() {
26 return 0 34 return 0
27} 35}
28 36
37# Prepare certificate, plain key and CA KRLs
38${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
39${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
40${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
41${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
42 || fatal "KRL init failed"
43
29# Generate and sign host keys 44# Generate and sign host keys
45serial=1
30for ktype in $PLAIN_TYPES ; do 46for ktype in $PLAIN_TYPES ; do
31 verbose "$tid: sign host ${ktype} cert" 47 verbose "$tid: sign host ${ktype} cert"
32 # Generate and sign a host key 48 # Generate and sign a host key
33 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 49 ${SSHKEYGEN} -q -N '' -t ${ktype} \
34 -f $OBJ/cert_host_key_${ktype} || \ 50 -f $OBJ/cert_host_key_${ktype} || \
35 fail "ssh-keygen of cert_host_key_${ktype} failed" 51 fatal "ssh-keygen of cert_host_key_${ktype} failed"
36 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \ 52 ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
53 $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
54 cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
55 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
37 -I "regress host key for $USER" \ 56 -I "regress host key for $USER" \
38 -n $HOSTS $OBJ/cert_host_key_${ktype} || 57 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
39 fail "couldn't sign cert_host_key_${ktype}" 58 fatal "couldn't sign cert_host_key_${ktype}"
59 ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
60 $OBJ/cert_host_key_${ktype}-cert.pub || \
61 fatal "KRL update failed"
62 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63 serial=`expr $serial + 1`
40 type_has_legacy $ktype || continue 64 type_has_legacy $ktype || continue
41 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 65 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
42 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub 66 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
@@ -44,10 +68,35 @@ for ktype in $PLAIN_TYPES ; do
44 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ 68 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
45 -I "regress host key for $USER" \ 69 -I "regress host key for $USER" \
46 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || 70 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
47 fail "couldn't sign cert_host_key_${ktype}_v00" 71 fatal "couldn't sign cert_host_key_${ktype}_v00"
72 ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73 $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
74 fatal "KRL update failed"
75 cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
48done 76done
49 77
50# Basic connect tests 78attempt_connect() {
79 _ident="$1"
80 _expect_success="$2"
81 shift; shift
82 verbose "$tid: $_ident expect success $_expect_success"
83 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
84 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
85 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
86 "$@" -F $OBJ/ssh_proxy somehost true
87 _r=$?
88 if [ "x$_expect_success" = "xyes" ] ; then
89 if [ $_r -ne 0 ]; then
90 fail "ssh cert connect $_ident failed"
91 fi
92 else
93 if [ $_r -eq 0 ]; then
94 fail "ssh cert connect $_ident succeeded unexpectedly"
95 fi
96 fi
97}
98
99# Basic connect and revocation tests.
51for privsep in yes no ; do 100for privsep in yes no ; do
52 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 101 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
53 verbose "$tid: host ${ktype} cert connect privsep $privsep" 102 verbose "$tid: host ${ktype} cert connect privsep $privsep"
@@ -58,12 +107,24 @@ for privsep in yes no ; do
58 echo UsePrivilegeSeparation $privsep 107 echo UsePrivilegeSeparation $privsep
59 ) > $OBJ/sshd_proxy 108 ) > $OBJ/sshd_proxy
60 109
61 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 110 # test name expect success
62 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 111 attempt_connect "$ktype basic connect" "yes"
63 -F $OBJ/ssh_proxy somehost true 112 attempt_connect "$ktype empty KRL" "yes" \
64 if [ $? -ne 0 ]; then 113 -oRevokedHostKeys=$OBJ/host_krl_empty
65 fail "ssh cert connect failed" 114 attempt_connect "$ktype KRL w/ plain key revoked" "no" \
66 fi 115 -oRevokedHostKeys=$OBJ/host_krl_plain
116 attempt_connect "$ktype KRL w/ cert revoked" "no" \
117 -oRevokedHostKeys=$OBJ/host_krl_cert
118 attempt_connect "$ktype KRL w/ CA revoked" "no" \
119 -oRevokedHostKeys=$OBJ/host_krl_ca
120 attempt_connect "$ktype empty plaintext revocation" "yes" \
121 -oRevokedHostKeys=$OBJ/host_revoked_empty
122 attempt_connect "$ktype plain key plaintext revocation" "no" \
123 -oRevokedHostKeys=$OBJ/host_revoked_plain
124 attempt_connect "$ktype cert plaintext revocation" "no" \
125 -oRevokedHostKeys=$OBJ/host_revoked_cert
126 attempt_connect "$ktype CA plaintext revocation" "no" \
127 -oRevokedHostKeys=$OBJ/host_revoked_ca
67 done 128 done
68done 129done
69 130
@@ -76,7 +137,8 @@ done
76 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" 137 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
77 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" 138 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
78 done 139 done
79) > $OBJ/known_hosts-cert 140) > $OBJ/known_hosts-cert.orig
141cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
80for privsep in yes no ; do 142for privsep in yes no ; do
81 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 143 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
82 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 144 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
@@ -87,6 +149,7 @@ for privsep in yes no ; do
87 echo UsePrivilegeSeparation $privsep 149 echo UsePrivilegeSeparation $privsep
88 ) > $OBJ/sshd_proxy 150 ) > $OBJ/sshd_proxy
89 151
152 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
90 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 153 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
91 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 154 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
92 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 155 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@@ -104,7 +167,8 @@ done
104 printf '@revoked ' 167 printf '@revoked '
105 printf "* " 168 printf "* "
106 cat $OBJ/host_ca_key.pub 169 cat $OBJ/host_ca_key.pub
107) > $OBJ/known_hosts-cert 170) > $OBJ/known_hosts-cert.orig
171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
108for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 172for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
109 verbose "$tid: host ${ktype} revoked cert" 173 verbose "$tid: host ${ktype} revoked cert"
110 ( 174 (
@@ -112,6 +176,7 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
112 echo HostKey $OBJ/cert_host_key_${ktype} 176 echo HostKey $OBJ/cert_host_key_${ktype}
113 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 177 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
114 ) > $OBJ/sshd_proxy 178 ) > $OBJ/sshd_proxy
179 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
115 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 180 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
116 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 181 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
117 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 182 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@@ -125,7 +190,8 @@ done
125 printf '@cert-authority ' 190 printf '@cert-authority '
126 printf "$HOSTS " 191 printf "$HOSTS "
127 cat $OBJ/host_ca_key.pub 192 cat $OBJ/host_ca_key.pub
128) > $OBJ/known_hosts-cert 193) > $OBJ/known_hosts-cert.orig
194cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
129 195
130test_one() { 196test_one() {
131 ident=$1 197 ident=$1
@@ -150,6 +216,7 @@ test_one() {
150 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 216 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
151 ) > $OBJ/sshd_proxy 217 ) > $OBJ/sshd_proxy
152 218
219 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
153 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 220 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
154 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 221 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
155 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 222 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
@@ -212,7 +279,8 @@ done
212 printf '@cert-authority ' 279 printf '@cert-authority '
213 printf "$HOSTS " 280 printf "$HOSTS "
214 cat $OBJ/host_ca_key.pub 281 cat $OBJ/host_ca_key.pub
215) > $OBJ/known_hosts-cert 282) > $OBJ/known_hosts-cert.orig
283cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
216for v in v01 v00 ; do 284for v in v01 v00 ; do
217 for kt in $PLAIN_TYPES ; do 285 for kt in $PLAIN_TYPES ; do
218 type_has_legacy $kt || continue 286 type_has_legacy $kt || continue
@@ -232,6 +300,7 @@ for v in v01 v00 ; do
232 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 300 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
233 ) > $OBJ/sshd_proxy 301 ) > $OBJ/sshd_proxy
234 302
303 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
235 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 304 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
236 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 305 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
237 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 306 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
@@ -241,4 +310,4 @@ for v in v01 v00 ; do
241 done 310 done
242done 311done
243 312
244rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 313rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-22 01:59:13 +0000