Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 31 |
1 files changed, 24 insertions, 7 deletions
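diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 0265e8f6b..3b147b9f7 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,8 +1,14 @@
-# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
 
+# used to disable ECC based tests on platforms without ECC
+ecdsa=""
+if test "x$TEST_SSH_ECC" = "xyes"; then
+ecdsa=ecdsa
+fi
+
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
@@ -18,7 +24,7 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
 ) > $OBJ/known_hosts-cert
 
 # Generate and sign host keys
-for ktype in rsa dsa ; do
+for ktype in rsa dsa $ecdsa ; do
 verbose "$tid: sign host ${ktype} cert"
 # Generate and sign a host key
 ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -28,6 +34,8 @@ for ktype in rsa dsa ; do
 -I "regress host key for $USER" \
 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 fail "couldn't sign cert_host_key_${ktype}"
+# v00 ecdsa certs do not exist
+test "${ktype}" = "ecdsa" && continue
 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
@@ -38,7 +46,7 @@ done
 
 # Basic connect tests
 for privsep in yes no ; do
-for ktype in rsa dsa rsa_v00 dsa_v00; do
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
 verbose "$tid: host ${ktype} cert connect privsep $privsep"
 (
 cat $OBJ/sshd_proxy_bak
@@ -64,6 +72,11 @@ done
 echon '@revoked '
 echon "* "
 cat $OBJ/cert_host_key_rsa.pub
+if test "x$TEST_SSH_ECC" = "xyes"; then
+echon '@revoked '
+echon "* "
+cat $OBJ/cert_host_key_ecdsa.pub
+fi
 echon '@revoked '
 echon "* "
 cat $OBJ/cert_host_key_dsa.pub
@@ -75,7 +88,7 @@ done
 cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-for ktype in rsa dsa rsa_v00 dsa_v00; do
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 (
 cat $OBJ/sshd_proxy_bak
@@ -102,7 +115,7 @@ done
 echon "* "
 cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa rsa_v00 dsa_v00 ; do
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
 verbose "$tid: host ${ktype} revoked cert"
 (
 cat $OBJ/sshd_proxy_bak
@@ -173,7 +186,9 @@ test_one "cert has constraints" failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
 for v in v01 v00 ; do
-for ktype in rsa dsa ; do
+for ktype in rsa dsa $ecdsa ; do
+# v00 ecdsa certs do not exist.
+test "${v}${ktype}" = "v00ecdsa" && continue
 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
 # Generate and sign a host key
@@ -210,7 +225,9 @@ done
 cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 for v in v01 v00 ; do
-for kt in rsa dsa ; do
+for kt in rsa dsa $ecdsa ; do
+# v00 ecdsa certs do not exist.
+test "${v}${ktype}" = "v00ecdsa" && continue
 rm -f $OBJ/cert_host_key*
 # Self-sign key
 ${SSHKEYGEN} -q -N '' -t ${kt} \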
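Review bot: The skip check added in the last hunk, `test "${v}${ktype}" = "v00ecdsa" && continue`, reads `ktype`, but this loop iterates `kt` (`for kt in rsa dsa $ecdsa ; do`), so the comparison uses a stale value left by an earlier loop and the v00+ecdsa self-signed case is not skipped when TEST_SSH_ECC=yes; the line should be `test "${v}${kt}" = "v00ecdsa" && continue`. The identical check in the preceding hunk is correct only because that loop's variable really is `ktype`. The loop body and its closing `done` continue outside the hunk. A smaller consistency point: the revoked-key block in the `@@ -64,6 +72,11 @@` hunk gates on `"x$TEST_SSH_ECC" = "xyes"` while every loop is driven by `$ecdsa`; testing `-n "$ecdsa"` there would keep a single switch for the ECC tests.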