Diffstat (limited to 'regress/cert-hostkey.sh')
-rw-r--r-- | regress/cert-hostkey.sh | 60 |
1 files changed, 24 insertions, 36 deletions
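diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 35cd39293..a1318cd53 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,14 +1,8 @@
-# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
 
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
-	ecdsa=ecdsa
-fi
-
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+
+type_has_legacy() {
+	case $1 in
+		ed25519*|ecdsa*) return 1 ;;
+	esac
+	return 0
+}
+
 # Generate and sign host keys
-for ktype in rsa dsa $ecdsa ; do
+for ktype in $PLAIN_TYPES ; do
 	verbose "$tid: sign host ${ktype} cert"
 	# Generate and sign a host key
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 		fail "couldn't sign cert_host_key_${ktype}"
-	# v00 ecdsa certs do not exist
-	test "${ktype}" = "ecdsa" && continue
+	type_has_legacy $ktype || continue
 	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
 	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+	verbose "$tid: sign host ${ktype}_v00 cert"
 	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
@@ -46,7 +49,7 @@ done
 
 # Basic connect tests
 for privsep in yes no ; do
-	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -69,26 +72,13 @@ done
 	printf '@cert-authority '
 	printf "$HOSTS "
 	cat $OBJ/host_ca_key.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_rsa.pub
-	if test "x$TEST_SSH_ECC" = "xyes"; then
-		printf '@revoked '
-		printf "* "
-		cat $OBJ/cert_host_key_ecdsa.pub
-	fi
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_dsa.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_rsa_v00.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_dsa_v00.pub
+	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
+	done
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -115,7 +105,7 @@ done
 	printf "* "
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@@ -186,9 +176,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
 for v in v01 v00 ; do
-	for ktype in rsa dsa $ecdsa ; do
-		# v00 ecdsa certs do not exist.
-		test "${v}${ktype}" = "v00ecdsa" && continue
+	for ktype in $PLAIN_TYPES ; do
+		type_has_legacy $ktype || continue
 		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
 		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
 		# Generate and sign a host key
@@ -225,9 +214,8 @@ done
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 for v in v01 v00 ; do
-	for kt in rsa dsa $ecdsa ; do
-		# v00 ecdsa certs do not exist.
-		test "${v}${ktype}" = "v00ecdsa" && continue
+	for kt in $PLAIN_TYPES ; do
+		type_has_legacy $kt || continue
 		rm -f $OBJ/cert_host_key*
 		# Self-sign key
 		${SSHKEYGEN} -q -N '' -t ${kt} \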
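Review bot: In the two "downgrade to raw key" and "self-signed" loops (hunks -186,9 and -225,9) the new `type_has_legacy $ktype || continue` runs for both values of `v`, so ecdsa and ed25519 are now skipped for v01 as well, whereas the removed `test "${v}${ktype}" = "v00ecdsa" && continue` only skipped the v00 case; the v01 downgrade checks for those key types silently stop being exercised, which matters because they are the regression tests that prove a cert signed by an unknown CA is not trusted. Guard the skip on the cert version, e.g. `if test "$v" = "v00"; then` / `type_has_legacy $ktype || continue` / `fi` (and `$kt` in the second loop). Both loop bodies continue past the end of their hunks. Separately, in hunk -69,26 the new `printf "@revoked * `cat ...`\n"` passes the public-key file's contents as the printf format string, so a `%` or backslash in the key's comment field would be interpreted instead of written; `printf '@revoked * %s\n' "$(cat "$OBJ/cert_host_key_${ktype}.pub")"` emits the key verbatim.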