diff options
Diffstat (limited to 'regress/cert-hostkey.sh')
| -rw-r--r-- | regress/cert-hostkey.sh | 89 |
1 files changed, 74 insertions, 15 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 1d9e0ed8e..baaa35b2c 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,15 +1,16 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| 5 | 5 | ||
| 6 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* | 6 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_* |
| 7 | rm -f $OBJ/cert_host_key* $OBJ/host_krl_* | ||
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 8 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | 9 | ||
| 9 | HOSTS='localhost-with-alias,127.0.0.1,::1' | 10 | HOSTS='localhost-with-alias,127.0.0.1,::1' |
| 10 | 11 | ||
| 11 | # Create a CA key and add it to known hosts | 12 | # Create a CA key and add it to known hosts. Ed25519 chosed for speed. |
| 12 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ | 13 | ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ |
| 13 | fail "ssh-keygen of host_ca_key failed" | 14 | fail "ssh-keygen of host_ca_key failed" |
| 14 | ( | 15 | ( |
| 15 | printf '@cert-authority ' | 16 | printf '@cert-authority ' |
| @@ -17,6 +18,12 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ | |||
| 17 | cat $OBJ/host_ca_key.pub | 18 | cat $OBJ/host_ca_key.pub |
| 18 | ) > $OBJ/known_hosts-cert | 19 | ) > $OBJ/known_hosts-cert |
| 19 | 20 | ||
| 21 | # Plain text revocation files | ||
| 22 | touch $OBJ/host_revoked_empty | ||
| 23 | touch $OBJ/host_revoked_plain | ||
| 24 | touch $OBJ/host_revoked_cert | ||
| 25 | cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca | ||
| 26 | |||
| 20 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | 27 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` |
| 21 | 28 | ||
| 22 | type_has_legacy() { | 29 | type_has_legacy() { |
| @@ -26,17 +33,33 @@ type_has_legacy() { | |||
| 26 | return 0 | 33 | return 0 |
| 27 | } | 34 | } |
| 28 | 35 | ||
| 36 | # Prepare certificate, plain key and CA KRLs | ||
| 37 | ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" | ||
| 38 | ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" | ||
| 39 | ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" | ||
| 40 | ${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \ | ||
| 41 | || fatal "KRL init failed" | ||
| 42 | |||
| 29 | # Generate and sign host keys | 43 | # Generate and sign host keys |
| 44 | serial=1 | ||
| 30 | for ktype in $PLAIN_TYPES ; do | 45 | for ktype in $PLAIN_TYPES ; do |
| 31 | verbose "$tid: sign host ${ktype} cert" | 46 | verbose "$tid: sign host ${ktype} cert" |
| 32 | # Generate and sign a host key | 47 | # Generate and sign a host key |
| 33 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 48 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 34 | -f $OBJ/cert_host_key_${ktype} || \ | 49 | -f $OBJ/cert_host_key_${ktype} || \ |
| 35 | fail "ssh-keygen of cert_host_key_${ktype} failed" | 50 | fatal "ssh-keygen of cert_host_key_${ktype} failed" |
| 36 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \ | 51 | ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ |
| 52 | $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" | ||
| 53 | cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain | ||
| 54 | ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \ | ||
| 37 | -I "regress host key for $USER" \ | 55 | -I "regress host key for $USER" \ |
| 38 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 56 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 39 | fail "couldn't sign cert_host_key_${ktype}" | 57 | fatal "couldn't sign cert_host_key_${ktype}" |
| 58 | ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \ | ||
| 59 | $OBJ/cert_host_key_${ktype}-cert.pub || \ | ||
| 60 | fatal "KRL update failed" | ||
| 61 | cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert | ||
| 62 | serial=`expr $serial + 1` | ||
| 40 | type_has_legacy $ktype || continue | 63 | type_has_legacy $ktype || continue |
| 41 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | 64 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 |
| 42 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | 65 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub |
| @@ -44,10 +67,34 @@ for ktype in $PLAIN_TYPES ; do | |||
| 44 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | 67 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ |
| 45 | -I "regress host key for $USER" \ | 68 | -I "regress host key for $USER" \ |
| 46 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || | 69 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || |
| 47 | fail "couldn't sign cert_host_key_${ktype}_v00" | 70 | fatal "couldn't sign cert_host_key_${ktype}_v00" |
| 71 | ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \ | ||
| 72 | $OBJ/cert_host_key_${ktype}_v00-cert.pub || \ | ||
| 73 | fatal "KRL update failed" | ||
| 74 | cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert | ||
| 48 | done | 75 | done |
| 49 | 76 | ||
| 50 | # Basic connect tests | 77 | attempt_connect() { |
| 78 | _ident="$1" | ||
| 79 | _expect_success="$2" | ||
| 80 | shift; shift | ||
| 81 | verbose "$tid: $_ident expect success $_expect_success" | ||
| 82 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | ||
| 83 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | ||
| 84 | "$@" -F $OBJ/ssh_proxy somehost true | ||
| 85 | _r=$? | ||
| 86 | if [ "x$_expect_success" = "xyes" ] ; then | ||
| 87 | if [ $_r -ne 0 ]; then | ||
| 88 | fail "ssh cert connect $_ident failed" | ||
| 89 | fi | ||
| 90 | else | ||
| 91 | if [ $_r -eq 0 ]; then | ||
| 92 | fail "ssh cert connect $_ident succeeded unexpectedly" | ||
| 93 | fi | ||
| 94 | fi | ||
| 95 | } | ||
| 96 | |||
| 97 | # Basic connect and revocation tests. | ||
| 51 | for privsep in yes no ; do | 98 | for privsep in yes no ; do |
| 52 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do | 99 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do |
| 53 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 100 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| @@ -58,12 +105,24 @@ for privsep in yes no ; do | |||
| 58 | echo UsePrivilegeSeparation $privsep | 105 | echo UsePrivilegeSeparation $privsep |
| 59 | ) > $OBJ/sshd_proxy | 106 | ) > $OBJ/sshd_proxy |
| 60 | 107 | ||
| 61 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 108 | # test name expect success |
| 62 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 109 | attempt_connect "$ktype basic connect" "yes" |
| 63 | -F $OBJ/ssh_proxy somehost true | 110 | attempt_connect "$ktype empty KRL" "yes" \ |
| 64 | if [ $? -ne 0 ]; then | 111 | -oRevokedHostKeys=$OBJ/host_krl_empty |
| 65 | fail "ssh cert connect failed" | 112 | attempt_connect "$ktype KRL w/ plain key revoked" "no" \ |
| 66 | fi | 113 | -oRevokedHostKeys=$OBJ/host_krl_plain |
| 114 | attempt_connect "$ktype KRL w/ cert revoked" "no" \ | ||
| 115 | -oRevokedHostKeys=$OBJ/host_krl_cert | ||
| 116 | attempt_connect "$ktype KRL w/ CA revoked" "no" \ | ||
| 117 | -oRevokedHostKeys=$OBJ/host_krl_ca | ||
| 118 | attempt_connect "$ktype empty plaintext revocation" "yes" \ | ||
| 119 | -oRevokedHostKeys=$OBJ/host_revoked_empty | ||
| 120 | attempt_connect "$ktype plain key plaintext revocation" "no" \ | ||
| 121 | -oRevokedHostKeys=$OBJ/host_revoked_plain | ||
| 122 | attempt_connect "$ktype cert plaintext revocation" "no" \ | ||
| 123 | -oRevokedHostKeys=$OBJ/host_revoked_cert | ||
| 124 | attempt_connect "$ktype CA plaintext revocation" "no" \ | ||
| 125 | -oRevokedHostKeys=$OBJ/host_revoked_ca | ||
| 67 | done | 126 | done |
| 68 | done | 127 | done |
| 69 | 128 | ||