Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r--regress/cert-hostkey.sh148
1 files changed, 58 insertions, 90 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..c99c2b1c3 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27 27
28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29 29
30type_has_legacy() {
31 case $1 in
32 ed25519*|ecdsa*) return 1 ;;
33 esac
34 return 0
35}
36
37# Prepare certificate, plain key and CA KRLs 30# Prepare certificate, plain key and CA KRLs
38${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" 31${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
39${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" 32${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
61 fatal "KRL update failed" 54 fatal "KRL update failed"
62 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert 55 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63 serial=`expr $serial + 1` 56 serial=`expr $serial + 1`
64 type_has_legacy $ktype || continue
65 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67 verbose "$tid: sign host ${ktype}_v00 cert"
68 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69 -I "regress host key for $USER" \
70 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
71 fatal "couldn't sign cert_host_key_${ktype}_v00"
72 ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73 $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
74 fatal "KRL update failed"
75 cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76done 57done
77 58
78attempt_connect() { 59attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
98 79
99# Basic connect and revocation tests. 80# Basic connect and revocation tests.
100for privsep in yes no ; do 81for privsep in yes no ; do
101 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 82 for ktype in $PLAIN_TYPES ; do
102 verbose "$tid: host ${ktype} cert connect privsep $privsep" 83 verbose "$tid: host ${ktype} cert connect privsep $privsep"
103 ( 84 (
104 cat $OBJ/sshd_proxy_bak 85 cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
133 printf '@cert-authority ' 114 printf '@cert-authority '
134 printf "$HOSTS " 115 printf "$HOSTS "
135 cat $OBJ/host_ca_key.pub 116 cat $OBJ/host_ca_key.pub
136 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 117 for ktype in $PLAIN_TYPES ; do
137 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" 118 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
138 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" 119 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139 done 120 done
140) > $OBJ/known_hosts-cert.orig 121) > $OBJ/known_hosts-cert.orig
141cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 122cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142for privsep in yes no ; do 123for privsep in yes no ; do
143 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 124 for ktype in $PLAIN_TYPES ; do
144 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 125 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145 ( 126 (
146 cat $OBJ/sshd_proxy_bak 127 cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
169 cat $OBJ/host_ca_key.pub 150 cat $OBJ/host_ca_key.pub
170) > $OBJ/known_hosts-cert.orig 151) > $OBJ/known_hosts-cert.orig
171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 152cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 153for ktype in $PLAIN_TYPES ; do
173 verbose "$tid: host ${ktype} revoked cert" 154 verbose "$tid: host ${ktype} revoked cert"
174 ( 155 (
175 cat $OBJ/sshd_proxy_bak 156 cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
198 result=$2 179 result=$2
199 sign_opts=$3 180 sign_opts=$3
200 181
201 for kt in rsa rsa_v00 ; do 182 for kt in rsa ed25519 ; do
202 case $kt in
203 *_v00) args="-t v00" ;;
204 *) args="" ;;
205 esac
206
207 verbose "$tid: host cert connect $ident $kt expect $result"
208 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ 183 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209 -I "regress host key for $USER" \ 184 -I "regress host key for $USER" \
210 $sign_opts $args \ 185 $sign_opts $OBJ/cert_host_key_${kt} ||
211 $OBJ/cert_host_key_${kt} ||
212 fail "couldn't sign cert_host_key_${kt}" 186 fail "couldn't sign cert_host_key_${kt}"
213 ( 187 (
214 cat $OBJ/sshd_proxy_bak 188 cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242test_one "cert has constraints" failure "-h -Oforce-command=false" 216test_one "cert has constraints" failure "-h -Oforce-command=false"
243 217
244# Check downgrade of cert to raw key when no CA found 218# Check downgrade of cert to raw key when no CA found
245for v in v01 v00 ; do 219for ktype in $PLAIN_TYPES ; do
246 for ktype in $PLAIN_TYPES ; do 220 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247 type_has_legacy $ktype || continue 221 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 222 # Generate and sign a host key
249 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 223 ${SSHKEYGEN} -q -N '' -t ${ktype} \
250 # Generate and sign a host key 224 -f $OBJ/cert_host_key_${ktype} || \
251 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 225 fail "ssh-keygen of cert_host_key_${ktype} failed"
252 -f $OBJ/cert_host_key_${ktype} || \ 226 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253 fail "ssh-keygen of cert_host_key_${ktype} failed" 227 -I "regress host key for $USER" \
254 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 228 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
255 -I "regress host key for $USER" \ 229 fail "couldn't sign cert_host_key_${ktype}"
256 -n $HOSTS $OBJ/cert_host_key_${ktype} || 230 (
257 fail "couldn't sign cert_host_key_${ktype}" 231 printf "$HOSTS "
258 ( 232 cat $OBJ/cert_host_key_${ktype}.pub
259 printf "$HOSTS " 233 ) > $OBJ/known_hosts-cert
260 cat $OBJ/cert_host_key_${ktype}.pub 234 (
261 ) > $OBJ/known_hosts-cert 235 cat $OBJ/sshd_proxy_bak
262 ( 236 echo HostKey $OBJ/cert_host_key_${ktype}
263 cat $OBJ/sshd_proxy_bak 237 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264 echo HostKey $OBJ/cert_host_key_${ktype} 238 ) > $OBJ/sshd_proxy
265 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 239
266 ) > $OBJ/sshd_proxy 240 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267 241 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 242 -F $OBJ/ssh_proxy somehost true
269 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 243 if [ $? -ne 0 ]; then
270 -F $OBJ/ssh_proxy somehost true 244 fail "ssh cert connect failed"
271 if [ $? -ne 0 ]; then 245 fi
272 fail "ssh cert connect failed"
273 fi
274 done
275done 246done
276 247
277# Wrong certificate 248# Wrong certificate
@@ -281,33 +252,30 @@ done
281 cat $OBJ/host_ca_key.pub 252 cat $OBJ/host_ca_key.pub
282) > $OBJ/known_hosts-cert.orig 253) > $OBJ/known_hosts-cert.orig
283cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 254cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284for v in v01 v00 ; do 255for kt in $PLAIN_TYPES ; do
285 for kt in $PLAIN_TYPES ; do 256 rm -f $OBJ/cert_host_key*
286 type_has_legacy $kt || continue 257 # Self-sign key
287 rm -f $OBJ/cert_host_key* 258 ${SSHKEYGEN} -q -N '' -t ${kt} \
288 # Self-sign key 259 -f $OBJ/cert_host_key_${kt} || \
289 ${SSHKEYGEN} -q -N '' -t ${kt} \ 260 fail "ssh-keygen of cert_host_key_${kt} failed"
290 -f $OBJ/cert_host_key_${kt} || \ 261 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291 fail "ssh-keygen of cert_host_key_${kt} failed" 262 -I "regress host key for $USER" \
292 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 263 -n $HOSTS $OBJ/cert_host_key_${kt} ||
293 -I "regress host key for $USER" \ 264 fail "couldn't sign cert_host_key_${kt}"
294 -n $HOSTS $OBJ/cert_host_key_${kt} || 265 verbose "$tid: host ${kt} connect wrong cert"
295 fail "couldn't sign cert_host_key_${kt}" 266 (
296 verbose "$tid: host ${kt} connect wrong cert" 267 cat $OBJ/sshd_proxy_bak
297 ( 268 echo HostKey $OBJ/cert_host_key_${kt}
298 cat $OBJ/sshd_proxy_bak 269 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299 echo HostKey $OBJ/cert_host_key_${kt} 270 ) > $OBJ/sshd_proxy
300 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 271
301 ) > $OBJ/sshd_proxy 272 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302 273 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 274 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 275 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 276 if [ $? -eq 0 ]; then
306 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 277 fail "ssh cert connect $ident succeeded unexpectedly"
307 if [ $? -eq 0 ]; then 278 fi
308 fail "ssh cert connect $ident succeeded unexpectedly"
309 fi
310 done
311done 279done
312 280
313rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* 281rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
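Review bot: The new side of the loops in `@@ -242,36 +216,33 @@` and `@@ -281,33 +252,30 @@` still expands `${v}` (new lines 221, 226 and 261) although the `for v in v01 v00` loop that defined it was removed, so unless `v` is assigned somewhere earlier in the file it is now empty. Because the expansion is unquoted, `-t ${v} -h -q -s ...` collapses to `-t -h -q -s ...`, so ssh-keygen most likely consumes `-h` as the argument of `-t` and the host-certificate flag is silently lost, meaning the "downgrade to raw key" and "wrong cert" cases no longer sign the kind of certificate their messages claim (the verbose line also prints a doubled space). Drop the stale references: `verbose "$tid: host ${ktype} cert downgrade to raw key"`, `${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \` and `${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${kt} \`. Nothing in the hunks would flag this, since both loops still end in the expected pass/fail outcome, so the regression would be silent.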