summaryrefslogtreecommitdiff
path: root/regress/cert-userkey.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r--regress/cert-userkey.sh176
1 files changed, 176 insertions, 0 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
new file mode 100644
index 000000000..7a58e7b75
--- /dev/null
+++ b/regress/cert-userkey.sh
@@ -0,0 +1,176 @@
1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2# Placed in the Public Domain.
3
4tid="certified user keys"
5
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9# Create a CA key
10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
11 fail "ssh-keygen of user_ca_key failed"
12
13# Generate and sign user keys
14for ktype in rsa dsa ; do
15 verbose "$tid: sign user ${ktype} cert"
16 ${SSHKEYGEN} -q -N '' -t ${ktype} \
17 -f $OBJ/cert_user_key_${ktype} || \
18 fail "ssh-keygen of cert_user_key_${ktype} failed"
19 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20 "regress user key for $USER" \
21 -n $USER $OBJ/cert_user_key_${ktype} ||
22 fail "couldn't sign cert_user_key_${ktype}"
23done
24
25basic_tests() {
26 auth=$1
27 if test "x$auth" = "xauthorized_keys" ; then
28 # Add CA to authorized_keys
29 (
30 echon 'cert-authority '
31 cat $OBJ/user_ca_key.pub
32 ) > $OBJ/authorized_keys_$USER
33 else
34 echo > $OBJ/authorized_keys_$USER
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi
37
38 for ktype in rsa dsa ; do
39 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect
42 verbose "$tid: ${_prefix} connect"
43 (
44 cat $OBJ/sshd_proxy_bak
45 echo "UsePrivilegeSeparation $privsep"
46 echo "$extra_sshd"
47 ) > $OBJ/sshd_proxy
48
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true
51 if [ $? -ne 0 ]; then
52 fail "ssh cert connect failed"
53 fi
54
55 # Revoked keys
56 verbose "$tid: ${_prefix} revoked key"
57 (
58 cat $OBJ/sshd_proxy_bak
59 echo "UsePrivilegeSeparation $privsep"
60 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
61 echo "$extra_sshd"
62 ) > $OBJ/sshd_proxy
63 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
64 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
65 if [ $? -eq 0 ]; then
66 fail "ssh cert connect succeeded unexpecedly"
67 fi
68 done
69
70 # Revoked CA
71 verbose "$tid: ${ktype} $auth revoked CA key"
72 (
73 cat $OBJ/sshd_proxy_bak
74 echo "RevokedKeys $OBJ/user_ca_key.pub"
75 echo "$extra_sshd"
76 ) > $OBJ/sshd_proxy
77 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
78 somehost true >/dev/null 2>&1
79 if [ $? -eq 0 ]; then
80 fail "ssh cert connect succeeded unexpecedly"
81 fi
82 done
83
84 verbose "$tid: $auth CA does not authenticate"
85 (
86 cat $OBJ/sshd_proxy_bak
87 echo "$extra_sshd"
88 ) > $OBJ/sshd_proxy
89 verbose "$tid: ensure CA key does not authenticate user"
90 ${SSH} -2i $OBJ/user_ca_key \
91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92 if [ $? -eq 0 ]; then
93 fail "ssh cert connect with CA key succeeded unexpectedly"
94 fi
95}
96
97basic_tests authorized_keys
98basic_tests TrustedUserCAKeys
99
100test_one() {
101 ident=$1
102 result=$2
103 sign_opts=$3
104 auth_choice=$4
105
106 if test "x$auth_choice" = "x" ; then
107 auth_choice="authorized_keys TrustedUserCAKeys"
108 fi
109
110 for auth in $auth_choice ; do
111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
112 if test "x$auth" = "xauthorized_keys" ; then
113 # Add CA to authorized_keys
114 (
115 echon 'cert-authority '
116 cat $OBJ/user_ca_key.pub
117 ) > $OBJ/authorized_keys_$USER
118 else
119 echo > $OBJ/authorized_keys_$USER
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
121 $OBJ/sshd_proxy
122
123 fi
124
125 verbose "$tid: $ident auth $auth expect $result"
126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi
139 else
140 if [ $rc -eq 0 ]; then
141 fail "$ident succeeded unexpectedly"
142 fi
143 fi
144 done
145}
146
147test_one "correct principal" success "-n ${USER}"
148test_one "host-certificate" failure "-n ${USER} -h"
149test_one "wrong principals" failure "-n foo"
150test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
151test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
152test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
153test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
154test_one "force-command" failure "-n ${USER} -Oforce-command=false"
155
156# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
157test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys
159
160# Wrong certificate
161for ktype in rsa dsa ; do
162 # Self-sign
163 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
164 "regress user key for $USER" \
165 -n $USER $OBJ/cert_user_key_${ktype} ||
166 fail "couldn't sign cert_user_key_${ktype}"
167 verbose "$tid: user ${ktype} connect wrong cert"
168 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
169 somehost true >/dev/null 2>&1
170 if [ $? -eq 0 ]; then
171 fail "ssh cert connect $ident succeeded unexpectedly"
172 fi
173done
174
175rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
176