Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r-- | regress/cert-userkey.sh | 80 |
1 files changed, 46 insertions, 34 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7a58e7b75..88d6d70a4 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified user keys" | 4 | tid="certified user keys" |
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do | |||
20 | "regress user key for $USER" \ | 20 | "regress user key for $USER" \ |
21 | -n $USER $OBJ/cert_user_key_${ktype} || | 21 | -n $USER $OBJ/cert_user_key_${ktype} || |
22 | fail "couldn't sign cert_user_key_${ktype}" | 22 | fail "couldn't sign cert_user_key_${ktype}" |
23 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | ||
24 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | ||
25 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | ||
26 | "regress user key for $USER" \ | ||
27 | -n $USER $OBJ/cert_user_key_${ktype}_v00 || | ||
28 | fail "couldn't sign cert_user_key_${ktype}_v00" | ||
23 | done | 29 | done |
24 | 30 | ||
25 | basic_tests() { | 31 | basic_tests() { |
@@ -35,7 +41,7 @@ basic_tests() { | |||
35 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 41 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
36 | fi | 42 | fi |
37 | 43 | ||
38 | for ktype in rsa dsa ; do | 44 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do |
39 | for privsep in yes no ; do | 45 | for privsep in yes no ; do |
40 | _prefix="${ktype} privsep $privsep $auth" | 46 | _prefix="${ktype} privsep $privsep $auth" |
41 | # Simple connect | 47 | # Simple connect |
@@ -108,39 +114,41 @@ test_one() { | |||
108 | fi | 114 | fi |
109 | 115 | ||
110 | for auth in $auth_choice ; do | 116 | for auth in $auth_choice ; do |
111 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 117 | for ktype in rsa rsa_v00 ; do |
112 | if test "x$auth" = "xauthorized_keys" ; then | 118 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
113 | # Add CA to authorized_keys | 119 | if test "x$auth" = "xauthorized_keys" ; then |
114 | ( | 120 | # Add CA to authorized_keys |
115 | echon 'cert-authority ' | 121 | ( |
116 | cat $OBJ/user_ca_key.pub | 122 | echon 'cert-authority ' |
117 | ) > $OBJ/authorized_keys_$USER | 123 | cat $OBJ/user_ca_key.pub |
118 | else | 124 | ) > $OBJ/authorized_keys_$USER |
119 | echo > $OBJ/authorized_keys_$USER | 125 | else |
120 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ | 126 | echo > $OBJ/authorized_keys_$USER |
121 | $OBJ/sshd_proxy | 127 | echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ |
122 | 128 | >> $OBJ/sshd_proxy | |
123 | fi | ||
124 | |||
125 | verbose "$tid: $ident auth $auth expect $result" | ||
126 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | ||
127 | -I "regress user key for $USER" \ | ||
128 | $sign_opts \ | ||
129 | $OBJ/cert_user_key_rsa || | ||
130 | fail "couldn't sign cert_user_key_rsa" | ||
131 | 129 | ||
132 | ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ | ||
133 | somehost true >/dev/null 2>&1 | ||
134 | rc=$? | ||
135 | if [ "x$result" = "xsuccess" ] ; then | ||
136 | if [ $rc -ne 0 ]; then | ||
137 | fail "$ident failed unexpectedly" | ||
138 | fi | 130 | fi |
139 | else | 131 | |
140 | if [ $rc -eq 0 ]; then | 132 | verbose "$tid: $ident auth $auth expect $result $ktype" |
141 | fail "$ident succeeded unexpectedly" | 133 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
134 | -I "regress user key for $USER" \ | ||
135 | $sign_opts \ | ||
136 | $OBJ/cert_user_key_${ktype} || | ||
137 | fail "couldn't sign cert_user_key_${ktype}" | ||
138 | |||
139 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
140 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
141 | rc=$? | ||
142 | if [ "x$result" = "xsuccess" ] ; then | ||
143 | if [ $rc -ne 0 ]; then | ||
144 | fail "$ident failed unexpectedly" | ||
145 | fi | ||
146 | else | ||
147 | if [ $rc -eq 0 ]; then | ||
148 | fail "$ident succeeded unexpectedly" | ||
149 | fi | ||
142 | fi | 150 | fi |
143 | fi | 151 | done |
144 | done | 152 | done |
145 | } | 153 | } |
146 | 154 | ||
@@ -158,9 +166,13 @@ test_one "empty principals" success "" authorized_keys | |||
158 | test_one "empty principals" failure "" TrustedUserCAKeys | 166 | test_one "empty principals" failure "" TrustedUserCAKeys |
159 | 167 | ||
160 | # Wrong certificate | 168 | # Wrong certificate |
161 | for ktype in rsa dsa ; do | 169 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do |
170 | case $ktype in | ||
171 | *_v00) args="-t v00" ;; | ||
172 | *) args="" ;; | ||
173 | esac | ||
162 | # Self-sign | 174 | # Self-sign |
163 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 175 | ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ |
164 | "regress user key for $USER" \ | 176 | "regress user key for $USER" \ |
165 | -n $USER $OBJ/cert_user_key_${ktype} || | 177 | -n $USER $OBJ/cert_user_key_${ktype} || |
166 | fail "couldn't sign cert_user_key_${ktype}" | 178 | fail "couldn't sign cert_user_key_${ktype}" |
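Review bot: In test_one, the new `for ktype in rsa rsa_v00` loop re-signs `$OBJ/cert_user_key_${ktype}` with `${SSHKEYGEN} -q -s $OBJ/user_ca_key` and no `-t v00`, so the rsa_v00 iteration appears to produce a default-format (v01) certificate rather than a v00 one, and both iterations end up exercising the same certificate format. The "Wrong certificate" loop at the end of the file handles this correctly with a `case $ktype in *_v00) args="-t v00" ;; ... esac` and passes `$args` to ssh-keygen, but test_one has no equivalent, so the principals/option cases driven through test_one are not actually regression-tested against the legacy v00 parsing and verification path. The fix is to add the same case statement inside the ktype loop and pass `$args` to the signing call. test_one's body begins before this hunk.

```shell
	for auth in $auth_choice ; do
		for ktype in rsa rsa_v00 ; do
			case $ktype in
			*_v00) args="-t v00" ;;
			*) args="" ;;
			esac
			# … unchanged: sshd_proxy / authorized_keys setup …
			verbose "$tid: $ident auth $auth expect $result $ktype"
			${SSHKEYGEN} -q $args -s $OBJ/user_ca_key \
			    -I "regress user key for $USER" \
			    $sign_opts \
			    $OBJ/cert_user_key_${ktype} ||
				fail "couldn't sign cert_user_key_${ktype}"
			# … unchanged: ssh connect and result check …
		done
	done
```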