diff options
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index a41a9a9c0..fcca3708b 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,8 +1,14 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.6 2010/06/29 23:59:54 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| 5 | 5 | ||
| 6 | # used to disable ECC based tests on platforms without ECC | ||
| 7 | ecdsa="" | ||
| 8 | if test "x$TEST_SSH_ECC" = "xyes"; then | ||
| 9 | ecdsa=ecdsa | ||
| 10 | fi | ||
| 11 | |||
| 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 12 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 13 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 8 | 14 | ||
| @@ -11,7 +17,7 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | |||
| 11 | fail "ssh-keygen of user_ca_key failed" | 17 | fail "ssh-keygen of user_ca_key failed" |
| 12 | 18 | ||
| 13 | # Generate and sign user keys | 19 | # Generate and sign user keys |
| 14 | for ktype in rsa dsa ; do | 20 | for ktype in rsa dsa $ecdsa ; do |
| 15 | verbose "$tid: sign user ${ktype} cert" | 21 | verbose "$tid: sign user ${ktype} cert" |
| 16 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 22 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 17 | -f $OBJ/cert_user_key_${ktype} || \ | 23 | -f $OBJ/cert_user_key_${ktype} || \ |
| @@ -20,6 +26,8 @@ for ktype in rsa dsa ; do | |||
| 20 | "regress user key for $USER" \ | 26 | "regress user key for $USER" \ |
| 21 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 27 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 22 | fail "couldn't sign cert_user_key_${ktype}" | 28 | fail "couldn't sign cert_user_key_${ktype}" |
| 29 | # v00 ecdsa certs do not exist | ||
| 30 | test "{ktype}" = "ecdsa" && continue | ||
| 23 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | 31 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 |
| 24 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | 32 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub |
| 25 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | 33 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ |
| @@ -29,7 +37,7 @@ for ktype in rsa dsa ; do | |||
| 29 | done | 37 | done |
| 30 | 38 | ||
| 31 | # Test explicitly-specified principals | 39 | # Test explicitly-specified principals |
| 32 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | 40 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do |
| 33 | for privsep in yes no ; do | 41 | for privsep in yes no ; do |
| 34 | _prefix="${ktype} privsep $privsep" | 42 | _prefix="${ktype} privsep $privsep" |
| 35 | 43 | ||
| @@ -155,7 +163,7 @@ basic_tests() { | |||
| 155 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 163 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 156 | fi | 164 | fi |
| 157 | 165 | ||
| 158 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | 166 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do |
| 159 | for privsep in yes no ; do | 167 | for privsep in yes no ; do |
| 160 | _prefix="${ktype} privsep $privsep $auth" | 168 | _prefix="${ktype} privsep $privsep $auth" |
| 161 | # Simple connect | 169 | # Simple connect |
| @@ -230,6 +238,11 @@ test_one() { | |||
| 230 | 238 | ||
| 231 | for auth in $auth_choice ; do | 239 | for auth in $auth_choice ; do |
| 232 | for ktype in rsa rsa_v00 ; do | 240 | for ktype in rsa rsa_v00 ; do |
| 241 | case $ktype in | ||
| 242 | *_v00) keyv="-t v00" ;; | ||
| 243 | *) keyv="" ;; | ||
| 244 | esac | ||
| 245 | |||
| 233 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 246 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 234 | if test "x$auth" = "xauthorized_keys" ; then | 247 | if test "x$auth" = "xauthorized_keys" ; then |
| 235 | # Add CA to authorized_keys | 248 | # Add CA to authorized_keys |
| @@ -249,7 +262,7 @@ test_one() { | |||
| 249 | verbose "$tid: $ident auth $auth expect $result $ktype" | 262 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 250 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 263 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 251 | -I "regress user key for $USER" \ | 264 | -I "regress user key for $USER" \ |
| 252 | $sign_opts \ | 265 | $sign_opts $keyv \ |
| 253 | $OBJ/cert_user_key_${ktype} || | 266 | $OBJ/cert_user_key_${ktype} || |
| 254 | fail "couldn't sign cert_user_key_${ktype}" | 267 | fail "couldn't sign cert_user_key_${ktype}" |
| 255 | 268 | ||
| @@ -302,7 +315,7 @@ test_one "principals key option no principals" failure "" \ | |||
| 302 | 315 | ||
| 303 | # Wrong certificate | 316 | # Wrong certificate |
| 304 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 317 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 305 | for ktype in rsa dsa rsa_v00 dsa_v00 ; do | 318 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do |
| 306 | case $ktype in | 319 | case $ktype in |
| 307 | *_v00) args="-t v00" ;; | 320 | *_v00) args="-t v00" ;; |
| 308 | *) args="" ;; | 321 | *) args="" ;; |