Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh89
1 files changed, 74 insertions, 15 deletions
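--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,15 +1,16 @@
-# $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
 
-rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_*
+rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 HOSTS='localhost-with-alias,127.0.0.1,::1'
 
-# Create a CA key and add it to known hosts
-${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
+# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
 	fail "ssh-keygen of host_ca_key failed"
 (
 	printf '@cert-authority '
@@ -17,6 +18,12 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 
+# Plain text revocation files
+touch $OBJ/host_revoked_empty
+touch $OBJ/host_revoked_plain
+touch $OBJ/host_revoked_cert
+cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 
 type_has_legacy() {
@@ -26,17 +33,33 @@ type_has_legacy() {
 	return 0
 }
 
+# Prepare certificate, plain key and CA KRLs
+${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
+${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
+${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
+${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
+	|| fatal "KRL init failed"
+
 # Generate and sign host keys
+serial=1
 for ktype in $PLAIN_TYPES ; do
 	verbose "$tid: sign host ${ktype} cert"
 	# Generate and sign a host key
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
 	    -f $OBJ/cert_host_key_${ktype} || \
-		fail "ssh-keygen of cert_host_key_${ktype} failed"
-	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+		fatal "ssh-keygen of cert_host_key_${ktype} failed"
+	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
+	    $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
+	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
+	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		fail "couldn't sign cert_host_key_${ktype}"
+		fatal "couldn't sign cert_host_key_${ktype}"
+	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
+	    $OBJ/cert_host_key_${ktype}-cert.pub || \
+		fatal "KRL update failed"
+	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
+	serial=`expr $serial + 1`
 	type_has_legacy $ktype || continue
 	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
 	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
@@ -44,10 +67,34 @@ for ktype in $PLAIN_TYPES ; do
 	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-		fail "couldn't sign cert_host_key_${ktype}_v00"
+		fatal "couldn't sign cert_host_key_${ktype}_v00"
+	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
+	    $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
+		fatal "KRL update failed"
+	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 
-# Basic connect tests
+attempt_connect() {
+	_ident="$1"
+	_expect_success="$2"
+	shift; shift
+	verbose "$tid: $_ident expect success $_expect_success"
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+	    "$@" -F $OBJ/ssh_proxy somehost true
+	_r=$?
+	if [ "x$_expect_success" = "xyes" ] ; then
+		if [ $_r -ne 0 ]; then
+			fail "ssh cert connect $_ident failed"
+		fi
+	else
+		if [ $_r -eq 0 ]; then
+			fail "ssh cert connect $_ident succeeded unexpectedly"
+		fi
+	fi
+}
+
+# Basic connect and revocation tests.
 for privsep in yes no ; do
 	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
@@ -58,12 +105,24 @@ for privsep in yes no ; do
 		echo UsePrivilegeSeparation $privsep
 		) > $OBJ/sshd_proxy
 
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-		    -F $OBJ/ssh_proxy somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
+		# test name				expect success
+		attempt_connect "$ktype basic connect" "yes"
+		attempt_connect "$ktype empty KRL" "yes" \
+		    -oRevokedHostKeys=$OBJ/host_krl_empty
+		attempt_connect "$ktype KRL w/ plain key revoked" "no" \
+		    -oRevokedHostKeys=$OBJ/host_krl_plain
+		attempt_connect "$ktype KRL w/ cert revoked" "no" \
+		    -oRevokedHostKeys=$OBJ/host_krl_cert
+		attempt_connect "$ktype KRL w/ CA revoked" "no" \
+		    -oRevokedHostKeys=$OBJ/host_krl_ca
+		attempt_connect "$ktype empty plaintext revocation" "yes" \
+		    -oRevokedHostKeys=$OBJ/host_revoked_empty
+		attempt_connect "$ktype plain key plaintext revocation" "no" \
+		    -oRevokedHostKeys=$OBJ/host_revoked_plain
+		attempt_connect "$ktype cert plaintext revocation" "no" \
+		    -oRevokedHostKeys=$OBJ/host_revoked_cert
+		attempt_connect "$ktype CA plaintext revocation" "no" \
+		    -oRevokedHostKeys=$OBJ/host_revoked_ca
 	done
 done
 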
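Review bot: attempt_connect (new lines 77-95) counts any non-zero ssh exit as a passing "no" case, so the negative revocation tests at new lines 112-125 would also pass if the client failed for an unrelated reason, such as an unreadable RevokedHostKeys file or a misspelled option, rather than because the host key, certificate or CA was actually rejected as revoked. Consider capturing the client's stderr in the "no" branch and checking that the failure is a host-key rejection; I cannot see the exact diagnostic ssh prints here, so the pattern would need to be confirmed against the client's output before relying on it. A short header comment would also help readers of the loop body: `# attempt_connect ident expect_success [ssh options ...]` — connects via ssh_proxy using known_hosts-cert, passes any extra options through to ssh, and calls fail when the exit status disagrees with expect_success. Note that because the script runs under plain sh, _ident, _expect_success and _r are globals that survive the call; that is harmless today but worth a comment since fail/fatal are also shared helpers.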