diff options
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6700db274..3bba9f8f2 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -22,9 +22,8 @@ for ktype in rsa dsa $ecdsa ; do | |||
| 22 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 22 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 23 | -f $OBJ/cert_user_key_${ktype} || \ | 23 | -f $OBJ/cert_user_key_${ktype} || \ |
| 24 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 24 | fail "ssh-keygen of cert_user_key_${ktype} failed" |
| 25 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ | 25 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 26 | "regress user key for $USER" \ | 26 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 27 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | ||
| 28 | fail "couldn't sign cert_user_key_${ktype}" | 27 | fail "couldn't sign cert_user_key_${ktype}" |
| 29 | # v00 ecdsa certs do not exist | 28 | # v00 ecdsa certs do not exist |
| 30 | test "${ktype}" = "ecdsa" && continue | 29 | test "${ktype}" = "ecdsa" && continue |
| @@ -185,14 +184,32 @@ basic_tests() { | |||
| 185 | ( | 184 | ( |
| 186 | cat $OBJ/sshd_proxy_bak | 185 | cat $OBJ/sshd_proxy_bak |
| 187 | echo "UsePrivilegeSeparation $privsep" | 186 | echo "UsePrivilegeSeparation $privsep" |
| 188 | echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" | 187 | echo "RevokedKeys $OBJ/cert_user_key_revoked" |
| 189 | echo "$extra_sshd" | 188 | echo "$extra_sshd" |
| 190 | ) > $OBJ/sshd_proxy | 189 | ) > $OBJ/sshd_proxy |
| 190 | cp $OBJ/cert_user_key_${ktype}.pub \ | ||
| 191 | $OBJ/cert_user_key_revoked | ||
| 192 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 193 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 194 | if [ $? -eq 0 ]; then | ||
| 195 | fail "ssh cert connect succeeded unexpecedly" | ||
| 196 | fi | ||
| 197 | verbose "$tid: ${_prefix} revoked via KRL" | ||
| 198 | rm $OBJ/cert_user_key_revoked | ||
| 199 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ | ||
| 200 | $OBJ/cert_user_key_${ktype}.pub | ||
| 191 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 201 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 192 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 202 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 193 | if [ $? -eq 0 ]; then | 203 | if [ $? -eq 0 ]; then |
| 194 | fail "ssh cert connect succeeded unexpecedly" | 204 | fail "ssh cert connect succeeded unexpecedly" |
| 195 | fi | 205 | fi |
| 206 | verbose "$tid: ${_prefix} empty KRL" | ||
| 207 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked | ||
| 208 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | ||
| 209 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | ||
| 210 | if [ $? -ne 0 ]; then | ||
| 211 | fail "ssh cert connect failed" | ||
| 212 | fi | ||
| 196 | done | 213 | done |
| 197 | 214 | ||
| 198 | # Revoked CA | 215 | # Revoked CA |