Diffstat (limited to 'regress/cert-userkey.sh')
-rw-r--r-- | regress/cert-userkey.sh | 48 |
1 files changed, 31 insertions, 17 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index c38c00a02..319746395 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified user keys" | 4 | tid="certified user keys" |
@@ -9,8 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | |||
9 | 9 | ||
10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
11 | 11 | ||
12 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
13 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
14 | fi | ||
15 | |||
12 | kname() { | 16 | kname() { |
13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` | 17 | case $ktype in |
18 | rsa-sha2-*) ;; | ||
19 | # subshell because some seds will add a newline | ||
20 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; | ||
21 | esac | ||
14 | echo "$n*,ssh-rsa*,ssh-ed25519*" | 22 | echo "$n*,ssh-rsa*,ssh-ed25519*" |
15 | } | 23 | } |
16 | 24 | ||
@@ -19,18 +27,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | |||
19 | fail "ssh-keygen of user_ca_key failed" | 27 | fail "ssh-keygen of user_ca_key failed" |
20 | 28 | ||
21 | # Generate and sign user keys | 29 | # Generate and sign user keys |
22 | for ktype in $PLAIN_TYPES ; do | 30 | for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do |
23 | verbose "$tid: sign user ${ktype} cert" | 31 | verbose "$tid: sign user ${ktype} cert" |
24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 32 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
25 | -f $OBJ/cert_user_key_${ktype} || \ | 33 | -f $OBJ/cert_user_key_${ktype} || \ |
26 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 34 | fatal "ssh-keygen of cert_user_key_${ktype} failed" |
27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 35 | # Generate RSA/SHA2 certs for rsa-sha2* keys. |
28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 36 | case $ktype in |
29 | fail "couldn't sign cert_user_key_${ktype}" | 37 | rsa-sha2-*) tflag="-t $ktype" ;; |
38 | *) tflag="" ;; | ||
39 | esac | ||
40 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \ | ||
41 | -I "regress user key for $USER" \ | ||
42 | -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \ | ||
43 | fatal "couldn't sign cert_user_key_${ktype}" | ||
30 | done | 44 | done |
31 | 45 | ||
32 | # Test explicitly-specified principals | 46 | # Test explicitly-specified principals |
33 | for ktype in $PLAIN_TYPES ; do | 47 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do |
34 | t=$(kname $ktype) | 48 | t=$(kname $ktype) |
35 | for privsep in yes no ; do | 49 | for privsep in yes no ; do |
36 | _prefix="${ktype} privsep $privsep" | 50 | _prefix="${ktype} privsep $privsep" |
@@ -67,7 +81,7 @@ for ktype in $PLAIN_TYPES ; do | |||
67 | if [ $? -eq 0 ]; then | 81 | if [ $? -eq 0 ]; then |
68 | fail "ssh cert connect succeeded unexpectedly" | 82 | fail "ssh cert connect succeeded unexpectedly" |
69 | fi | 83 | fi |
70 | 84 | ||
71 | # Wrong authorized_principals | 85 | # Wrong authorized_principals |
72 | verbose "$tid: ${_prefix} wrong authorized_principals" | 86 | verbose "$tid: ${_prefix} wrong authorized_principals" |
73 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 87 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
@@ -166,8 +180,8 @@ basic_tests() { | |||
166 | echo > $OBJ/authorized_keys_$USER | 180 | echo > $OBJ/authorized_keys_$USER |
167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 181 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
168 | fi | 182 | fi |
169 | 183 | ||
170 | for ktype in $PLAIN_TYPES ; do | 184 | for ktype in $PLAIN_TYPES ; do |
171 | t=$(kname $ktype) | 185 | t=$(kname $ktype) |
172 | for privsep in yes no ; do | 186 | for privsep in yes no ; do |
173 | _prefix="${ktype} privsep $privsep $auth" | 187 | _prefix="${ktype} privsep $privsep $auth" |
@@ -183,7 +197,7 @@ basic_tests() { | |||
183 | cat $OBJ/ssh_proxy_bak | 197 | cat $OBJ/ssh_proxy_bak |
184 | echo "PubkeyAcceptedKeyTypes ${t}" | 198 | echo "PubkeyAcceptedKeyTypes ${t}" |
185 | ) > $OBJ/ssh_proxy | 199 | ) > $OBJ/ssh_proxy |
186 | 200 | ||
187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 201 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
188 | -F $OBJ/ssh_proxy somehost true | 202 | -F $OBJ/ssh_proxy somehost true |
189 | if [ $? -ne 0 ]; then | 203 | if [ $? -ne 0 ]; then |
@@ -223,7 +237,7 @@ basic_tests() { | |||
223 | fail "ssh cert connect failed" | 237 | fail "ssh cert connect failed" |
224 | fi | 238 | fi |
225 | done | 239 | done |
226 | 240 | ||
227 | # Revoked CA | 241 | # Revoked CA |
228 | verbose "$tid: ${ktype} $auth revoked CA key" | 242 | verbose "$tid: ${ktype} $auth revoked CA key" |
229 | ( | 243 | ( |
@@ -238,7 +252,7 @@ basic_tests() { | |||
238 | fail "ssh cert connect succeeded unexpecedly" | 252 | fail "ssh cert connect succeeded unexpecedly" |
239 | fi | 253 | fi |
240 | done | 254 | done |
241 | 255 | ||
242 | verbose "$tid: $auth CA does not authenticate" | 256 | verbose "$tid: $auth CA does not authenticate" |
243 | ( | 257 | ( |
244 | cat $OBJ/sshd_proxy_bak | 258 | cat $OBJ/sshd_proxy_bak |
@@ -286,7 +300,7 @@ test_one() { | |||
286 | echo $auth_opt >> $OBJ/sshd_proxy | 300 | echo $auth_opt >> $OBJ/sshd_proxy |
287 | fi | 301 | fi |
288 | fi | 302 | fi |
289 | 303 | ||
290 | verbose "$tid: $ident auth $auth expect $result $ktype" | 304 | verbose "$tid: $ident auth $auth expect $result $ktype" |
291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 305 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
292 | -I "regress user key for $USER" \ | 306 | -I "regress user key for $USER" \ |
@@ -342,13 +356,13 @@ test_one "principals key option no principals" failure "" \ | |||
342 | 356 | ||
343 | # Wrong certificate | 357 | # Wrong certificate |
344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 358 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
345 | for ktype in $PLAIN_TYPES ; do | 359 | for ktype in $PLAIN_TYPES ; do |
346 | t=$(kname $ktype) | 360 | t=$(kname $ktype) |
347 | # Self-sign | 361 | # Self-sign |
348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 362 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
349 | "regress user key for $USER" \ | 363 | "regress user key for $USER" \ |
350 | -n $USER $OBJ/cert_user_key_${ktype} || | 364 | -n $USER $OBJ/cert_user_key_${ktype} || |
351 | fail "couldn't sign cert_user_key_${ktype}" | 365 | fatal "couldn't sign cert_user_key_${ktype}" |
352 | verbose "$tid: user ${ktype} connect wrong cert" | 366 | verbose "$tid: user ${ktype} connect wrong cert" |
353 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 367 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
354 | somehost true >/dev/null 2>&1 | 368 | somehost true >/dev/null 2>&1 |
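Review bot: In the rewritten kname() (second hunk, new lines 16-23) the `rsa-sha2-*)` arm never assigns `n`, so `echo "$n*,ssh-rsa*,ssh-ed25519*"` emits whatever `n` held from the previous call, and on a first call with an rsa-sha2 type the list starts with a bare `*`, which makes the per-ktype PubkeyAcceptedKeyTypes restriction accept every key type and turns that iteration of the "explicitly-specified principals" test into a no-op check. The function also switches on the global `$ktype` while formatting `$1`, so the two can disagree if a caller ever passes something other than `$ktype`; the loop at new line 47 happens to keep them in step only because `$EXTRA_TYPES` (not defined in this diff) and `$PLAIN_TYPES` are iterated through the same variable. Deriving both from the argument fixes both issues: `case $1 in` and `rsa-sha2-*) n="$1" ;;`, which yields `rsa-sha2-256*,ssh-rsa*,ssh-ed25519*` and matches the corresponding `-cert-v01@openssh.com` type without relying on stale state. Quoting the argument in the default arm, `n=$(echo "$1" | sed ...)`, would also restore the quoting the old line 13 had.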