Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r-- | regress/cert-userkey.sh | 39 |
1 files changed, 7 insertions, 32 deletions
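--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 
-type_has_legacy() {
-case $1 in
-ed25519*|ecdsa*) return 1 ;;
-esac
-return 0
-}
-
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
 fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"
-type_has_legacy $ktype || continue
-cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
-cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
-verbose "$tid: sign host ${ktype}_v00 cert"
-${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
-"regress user key for $USER" \
--n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES ; do
 for privsep in yes no ; do
 _prefix="${ktype} privsep $privsep"
 
@@ -165,7 +150,7 @@ basic_tests() {
 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 fi
 
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES ; do
 for privsep in yes no ; do
 _prefix="${ktype} privsep $privsep $auth"
 # Simple connect
@@ -257,12 +242,7 @@ test_one() {
 fi
 
 for auth in $auth_choice ; do
-for ktype in rsa rsa_v00 ; do
-case $ktype in
-*_v00) keyv="-t v00" ;;
-*) keyv="" ;;
-esac
-
+for ktype in rsa ed25519 ; do
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 if test "x$auth" = "xauthorized_keys" ; then
 # Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
 verbose "$tid: $ident auth $auth expect $result $ktype"
 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
 -I "regress user key for $USER" \
-$sign_opts $keyv \
-$OBJ/cert_user_key_${ktype} ||
+$sign_opts $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"
 
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
 
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
-case $ktype in
-*_v00) args="-t v00" ;;
-*) args="" ;;
-esac
+for ktype in $PLAIN_TYPES ; do
 # Self-sign
-${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
 "regress user key for $USER" \
 -n $USER $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"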
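Review bot: With every `-t v00` path deleted, the test no longer asserts anything about legacy-format certificates, so a regression that quietly re-enables or half-removes v00 handling would go unnoticed; the old loop at line 338 was the only place that exercised that format. If the accompanying code change removes v00 support from ssh-keygen (not visible on this page), a negative check placed after the per-type signing loop, such as `${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I "regress user key for $USER" -n $USER $OBJ/cert_user_key_rsa 2>/dev/null && fail "v00 certificate signing should be rejected"`, would pin that the format is refused rather than merely untested. The test_one hunks also drop the `keyv` assignment while the function body continues outside these hunks; confirm no `$keyv` reference survives there, since an unset variable in this script's unquoted style expands to nothing silently unless it runs under `set -u`.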