1 files changed, 101 insertions, 73 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3fda667cb..0265e8f6b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                fail "couldn't sign cert_host_key_${ktype}"
+        cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+        cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+        ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+                fail "couldn't sign cert_host_key_${ktype}_v00"
 done
 # Basic connect tests
 for privsep in yes no ; do
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00; do 
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
        echon '@revoked '
        echon "* "
        cat $OBJ/cert_host_key_dsa.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_rsa_v00.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00; do 
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
        echon "* "
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
        ident=$1
        result=$2
        sign_opts=$3
-        
-        verbose "$tid: test host cert connect $ident expect $result"
-        ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
-            $sign_opts \
-            $OBJ/cert_host_key_rsa ||
-                fail "couldn't sign cert_host_key_rsa"
-        (
-                cat $OBJ/sshd_proxy_bak
-                echo HostKey $OBJ/cert_host_key_rsa
-                echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
-        ) > $OBJ/sshd_proxy
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+        for kt in rsa rsa_v00 ; do
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                case $kt in
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                *_v00) args="-t v00" ;;
-        rc=$?
+                *) args="" ;;
-        if [ "x$result" = "xsuccess" ] ; then
+                esac
-                if [ $rc -ne 0 ]; then
-                        fail "ssh cert connect $ident failed unexpectedly"
+                verbose "$tid: host cert connect $ident $kt expect $result"
-                fi
+                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-        else
+                    -I "regress host key for $USER" \
-                if [ $rc -eq 0 ]; then
+                    $sign_opts $args \
-                        fail "ssh cert connect $ident succeeded unexpectedly"
+                    $OBJ/cert_host_key_${kt} ||
+                        fail "couldn't sign cert_host_key_${kt}"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${kt}
+                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+                ) > $OBJ/sshd_proxy
+        
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                rc=$?
+                if [ "x$result" = "xsuccess" ] ; then
+                        if [ $rc -ne 0 ]; then
+                                fail "ssh cert connect $ident failed unexpectedly"
+                        fi
+                else
+                        if [ $rc -eq 0 ]; then
+                                fail "ssh cert connect $ident succeeded unexpectedly"
+                        fi
                fi
-        fi
+        done
 }
 test_one "user-certificate"     failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for v in v01 v00 ;  do 
-for ktype in rsa dsa ; do 
+        for ktype in rsa dsa ; do 
-        verbose "$tid: host ${ktype} cert downgrade to raw key"
+                rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-        # Generate and sign a host key
+                verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+                # Generate and sign a host key
-            -f $OBJ/cert_host_key_${ktype} || \
+                ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                fail "ssh-keygen of cert_host_key_${ktype} failed"
+                    -f $OBJ/cert_host_key_${ktype} || \
-        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+                        fail "ssh-keygen of cert_host_key_${ktype} failed"
-            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                fail "couldn't sign cert_host_key_${ktype}"
+                    -I "regress host key for $USER" \
-        (
+                    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                echon "$HOSTS "
+                        fail "couldn't sign cert_host_key_${ktype}"
-                cat $OBJ/cert_host_key_${ktype}.pub
+                (
-        ) > $OBJ/known_hosts-cert
+                        echon "$HOSTS "
-        (
+                        cat $OBJ/cert_host_key_${ktype}.pub
-                cat $OBJ/sshd_proxy_bak
+                ) > $OBJ/known_hosts-cert
-                echo HostKey $OBJ/cert_host_key_${ktype}
+                (
-                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        cat $OBJ/sshd_proxy_bak
-        ) > $OBJ/sshd_proxy
+                        echo HostKey $OBJ/cert_host_key_${ktype}
-        
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                ) > $OBJ/sshd_proxy
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                
-                -F $OBJ/ssh_proxy somehost true
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-        if [ $? -ne 0 ]; then
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                fail "ssh cert connect failed"
+                        -F $OBJ/ssh_proxy somehost true
-        fi
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
 done
 # Wrong certificate
@@ -187,25 +209,31 @@ done
        echon "$HOSTS "
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for v in v01 v00 ;  do 
-        # Self-sign key
+        for kt in rsa dsa ; do 
-        ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+                rm -f $OBJ/cert_host_key*
-            -I "regress host key for $USER" \
+                # Self-sign key
-            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                ${SSHKEYGEN} -q -N '' -t ${kt} \
-                fail "couldn't sign cert_host_key_${ktype}"
+                    -f $OBJ/cert_host_key_${kt} || \
-        verbose "$tid: host ${ktype} connect wrong cert"
+                        fail "ssh-keygen of cert_host_key_${kt} failed"
-        (
+                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                cat $OBJ/sshd_proxy_bak
+                    -I "regress host key for $USER" \
-                echo HostKey $OBJ/cert_host_key_${ktype}
+                    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        fail "couldn't sign cert_host_key_${kt}"
-        ) > $OBJ/sshd_proxy
+                verbose "$tid: host ${kt} connect wrong cert"
+                (
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                        cat $OBJ/sshd_proxy_bak
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        echo HostKey $OBJ/cert_host_key_${kt}
-                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-        if [ $? -eq 0 ]; then
+                ) > $OBJ/sshd_proxy
-                fail "ssh cert connect $ident succeeded unexpectedly"
+        
-        fi
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        done
 done
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3fda667cb..0265e8f6b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
28	-I "regress host key for $USER" \	28	-I "regress host key for $USER" \
29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
30	fail "couldn't sign cert_host_key_${ktype}"	30	fail "couldn't sign cert_host_key_${ktype}"
		31	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
		32	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
		33	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
		34	-I "regress host key for $USER" \
		35	-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 \|\|
		36	fail "couldn't sign cert_host_key_${ktype}_v00"
31	done	37	done
32		38
33	# Basic connect tests	39	# Basic connect tests
34	for privsep in yes no ; do	40	for privsep in yes no ; do
35	for ktype in rsa dsa ; do	41	for ktype in rsa dsa rsa_v00 dsa_v00; do
36	verbose "$tid: host ${ktype} cert connect privsep $privsep"	42	verbose "$tid: host ${ktype} cert connect privsep $privsep"
37	(	43	(
38	cat $OBJ/sshd_proxy_bak	44	cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
61	echon '@revoked '	67	echon '@revoked '
62	echon "* "	68	echon "* "
63	cat $OBJ/cert_host_key_dsa.pub	69	cat $OBJ/cert_host_key_dsa.pub
		70	echon '@revoked '
		71	echon "* "
		72	cat $OBJ/cert_host_key_rsa_v00.pub
		73	echon '@revoked '
		74	echon "* "
		75	cat $OBJ/cert_host_key_dsa_v00.pub
64	) > $OBJ/known_hosts-cert	76	) > $OBJ/known_hosts-cert
65	for privsep in yes no ; do	77	for privsep in yes no ; do
66	for ktype in rsa dsa ; do	78	for ktype in rsa dsa rsa_v00 dsa_v00; do
67	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	79	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68	(	80	(
69	cat $OBJ/sshd_proxy_bak	81	cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
90	echon "* "	102	echon "* "
91	cat $OBJ/host_ca_key.pub	103	cat $OBJ/host_ca_key.pub
92	) > $OBJ/known_hosts-cert	104	) > $OBJ/known_hosts-cert
93	for ktype in rsa dsa ; do	105	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
94	verbose "$tid: host ${ktype} revoked cert"	106	verbose "$tid: host ${ktype} revoked cert"
95	(	107	(
96	cat $OBJ/sshd_proxy_bak	108	cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
116	ident=$1	128	ident=$1
117	result=$2	129	result=$2
118	sign_opts=$3	130	sign_opts=$3
119
120	verbose "$tid: test host cert connect $ident expect $result"
121
122	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
123	$sign_opts \
124	$OBJ/cert_host_key_rsa \|\|
125	fail "couldn't sign cert_host_key_rsa"
126	(
127	cat $OBJ/sshd_proxy_bak
128	echo HostKey $OBJ/cert_host_key_rsa
129	echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
130	) > $OBJ/sshd_proxy
131		131
132	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	132	for kt in rsa rsa_v00 ; do
133	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	133	case $kt in
134	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1	134	*_v00) args="-t v00" ;;
135	rc=$?	135	*) args="" ;;
136	if [ "x$result" = "xsuccess" ] ; then	136	esac
137	if [ $rc -ne 0 ]; then	137
138	fail "ssh cert connect $ident failed unexpectedly"	138	verbose "$tid: host cert connect $ident $kt expect $result"
139	fi	139	${SSHKEYGEN} -q -s $OBJ/host_ca_key \
140	else	140	-I "regress host key for $USER" \
141	if [ $rc -eq 0 ]; then	141	$sign_opts $args \
142	fail "ssh cert connect $ident succeeded unexpectedly"	142	$OBJ/cert_host_key_${kt} \|\|
		143	fail "couldn't sign cert_host_key_${kt}"
		144	(
		145	cat $OBJ/sshd_proxy_bak
		146	echo HostKey $OBJ/cert_host_key_${kt}
		147	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		148	) > $OBJ/sshd_proxy
		149
		150	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		151	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		152	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		153	rc=$?
		154	if [ "x$result" = "xsuccess" ] ; then
		155	if [ $rc -ne 0 ]; then
		156	fail "ssh cert connect $ident failed unexpectedly"
		157	fi
		158	else
		159	if [ $rc -eq 0 ]; then
		160	fail "ssh cert connect $ident succeeded unexpectedly"
		161	fi
143	fi	162	fi
144	fi	163	done
145	}	164	}
146		165
147	test_one "user-certificate" failure "-n $HOSTS"	166	test_one "user-certificate" failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
153	test_one "cert has constraints" failure "-h -Oforce-command=false"	172	test_one "cert has constraints" failure "-h -Oforce-command=false"
154		173
155	# Check downgrade of cert to raw key when no CA found	174	# Check downgrade of cert to raw key when no CA found
156	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	175	for v in v01 v00 ; do
157	for ktype in rsa dsa ; do	176	for ktype in rsa dsa ; do
158	verbose "$tid: host ${ktype} cert downgrade to raw key"	177	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
159	# Generate and sign a host key	178	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
160	${SSHKEYGEN} -q -N '' -t ${ktype} \	179	# Generate and sign a host key
161	-f $OBJ/cert_host_key_${ktype} \|\| \	180	${SSHKEYGEN} -q -N '' -t ${ktype} \
162	fail "ssh-keygen of cert_host_key_${ktype} failed"	181	-f $OBJ/cert_host_key_${ktype} \|\| \
163	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \	182	fail "ssh-keygen of cert_host_key_${ktype} failed"
164	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	183	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
165	fail "couldn't sign cert_host_key_${ktype}"	184	-I "regress host key for $USER" \
166	(	185	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
167	echon "$HOSTS "	186	fail "couldn't sign cert_host_key_${ktype}"
168	cat $OBJ/cert_host_key_${ktype}.pub	187	(
169	) > $OBJ/known_hosts-cert	188	echon "$HOSTS "
170	(	189	cat $OBJ/cert_host_key_${ktype}.pub
171	cat $OBJ/sshd_proxy_bak	190	) > $OBJ/known_hosts-cert
172	echo HostKey $OBJ/cert_host_key_${ktype}	191	(
173	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	192	cat $OBJ/sshd_proxy_bak
174	) > $OBJ/sshd_proxy	193	echo HostKey $OBJ/cert_host_key_${ktype}
175		194	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
176	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	195	) > $OBJ/sshd_proxy
177	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	196
178	-F $OBJ/ssh_proxy somehost true	197	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
179	if [ $? -ne 0 ]; then	198	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
180	fail "ssh cert connect failed"	199	-F $OBJ/ssh_proxy somehost true
181	fi	200	if [ $? -ne 0 ]; then
		201	fail "ssh cert connect failed"
		202	fi
		203	done
182	done	204	done
183		205
184	# Wrong certificate	206	# Wrong certificate
@@ -187,25 +209,31 @@ done
187	echon "$HOSTS "	209	echon "$HOSTS "
188	cat $OBJ/host_ca_key.pub	210	cat $OBJ/host_ca_key.pub
189	) > $OBJ/known_hosts-cert	211	) > $OBJ/known_hosts-cert
190	for ktype in rsa dsa ; do	212	for v in v01 v00 ; do
191	# Self-sign key	213	for kt in rsa dsa ; do
192	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \	214	rm -f $OBJ/cert_host_key*
193	-I "regress host key for $USER" \	215	# Self-sign key
194	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	216	${SSHKEYGEN} -q -N '' -t ${kt} \
195	fail "couldn't sign cert_host_key_${ktype}"	217	-f $OBJ/cert_host_key_${kt} \|\| \
196	verbose "$tid: host ${ktype} connect wrong cert"	218	fail "ssh-keygen of cert_host_key_${kt} failed"
197	(	219	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
198	cat $OBJ/sshd_proxy_bak	220	-I "regress host key for $USER" \
199	echo HostKey $OBJ/cert_host_key_${ktype}	221	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
200	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	222	fail "couldn't sign cert_host_key_${kt}"
201	) > $OBJ/sshd_proxy	223	verbose "$tid: host ${kt} connect wrong cert"
202		224	(
203	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	225	cat $OBJ/sshd_proxy_bak
204	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	226	echo HostKey $OBJ/cert_host_key_${kt}
205	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1	227	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
206	if [ $? -eq 0 ]; then	228	) > $OBJ/sshd_proxy
207	fail "ssh cert connect $ident succeeded unexpectedly"	229
208	fi	230	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		231	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		232	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
		233	if [ $? -eq 0 ]; then
		234	fail "ssh cert connect $ident succeeded unexpectedly"
		235	fi
		236	done
209	done	237	done
210		238
211	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*	239	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*