diff options
Diffstat (limited to 'regress/cert-userkey.sh')
| -rw-r--r-- | regress/cert-userkey.sh | 48 |
1 files changed, 31 insertions, 17 deletions
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index c38c00a02..319746395 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -9,8 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | |||
| 9 | 9 | ||
| 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | 10 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` |
| 11 | 11 | ||
| 12 | if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then | ||
| 13 | PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" | ||
| 14 | fi | ||
| 15 | |||
| 12 | kname() { | 16 | kname() { |
| 13 | n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` | 17 | case $ktype in |
| 18 | rsa-sha2-*) ;; | ||
| 19 | # subshell because some seds will add a newline | ||
| 20 | *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; | ||
| 21 | esac | ||
| 14 | echo "$n*,ssh-rsa*,ssh-ed25519*" | 22 | echo "$n*,ssh-rsa*,ssh-ed25519*" |
| 15 | } | 23 | } |
| 16 | 24 | ||
| @@ -19,18 +27,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | |||
| 19 | fail "ssh-keygen of user_ca_key failed" | 27 | fail "ssh-keygen of user_ca_key failed" |
| 20 | 28 | ||
| 21 | # Generate and sign user keys | 29 | # Generate and sign user keys |
| 22 | for ktype in $PLAIN_TYPES ; do | 30 | for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do |
| 23 | verbose "$tid: sign user ${ktype} cert" | 31 | verbose "$tid: sign user ${ktype} cert" |
| 24 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 32 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 25 | -f $OBJ/cert_user_key_${ktype} || \ | 33 | -f $OBJ/cert_user_key_${ktype} || \ |
| 26 | fail "ssh-keygen of cert_user_key_${ktype} failed" | 34 | fatal "ssh-keygen of cert_user_key_${ktype} failed" |
| 27 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 35 | # Generate RSA/SHA2 certs for rsa-sha2* keys. |
| 28 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 36 | case $ktype in |
| 29 | fail "couldn't sign cert_user_key_${ktype}" | 37 | rsa-sha2-*) tflag="-t $ktype" ;; |
| 38 | *) tflag="" ;; | ||
| 39 | esac | ||
| 40 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \ | ||
| 41 | -I "regress user key for $USER" \ | ||
| 42 | -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \ | ||
| 43 | fatal "couldn't sign cert_user_key_${ktype}" | ||
| 30 | done | 44 | done |
| 31 | 45 | ||
| 32 | # Test explicitly-specified principals | 46 | # Test explicitly-specified principals |
| 33 | for ktype in $PLAIN_TYPES ; do | 47 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do |
| 34 | t=$(kname $ktype) | 48 | t=$(kname $ktype) |
| 35 | for privsep in yes no ; do | 49 | for privsep in yes no ; do |
| 36 | _prefix="${ktype} privsep $privsep" | 50 | _prefix="${ktype} privsep $privsep" |
| @@ -67,7 +81,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 67 | if [ $? -eq 0 ]; then | 81 | if [ $? -eq 0 ]; then |
| 68 | fail "ssh cert connect succeeded unexpectedly" | 82 | fail "ssh cert connect succeeded unexpectedly" |
| 69 | fi | 83 | fi |
| 70 | 84 | ||
| 71 | # Wrong authorized_principals | 85 | # Wrong authorized_principals |
| 72 | verbose "$tid: ${_prefix} wrong authorized_principals" | 86 | verbose "$tid: ${_prefix} wrong authorized_principals" |
| 73 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 87 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
| @@ -166,8 +180,8 @@ basic_tests() { | |||
| 166 | echo > $OBJ/authorized_keys_$USER | 180 | echo > $OBJ/authorized_keys_$USER |
| 167 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 181 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 168 | fi | 182 | fi |
| 169 | 183 | ||
| 170 | for ktype in $PLAIN_TYPES ; do | 184 | for ktype in $PLAIN_TYPES ; do |
| 171 | t=$(kname $ktype) | 185 | t=$(kname $ktype) |
| 172 | for privsep in yes no ; do | 186 | for privsep in yes no ; do |
| 173 | _prefix="${ktype} privsep $privsep $auth" | 187 | _prefix="${ktype} privsep $privsep $auth" |
| @@ -183,7 +197,7 @@ basic_tests() { | |||
| 183 | cat $OBJ/ssh_proxy_bak | 197 | cat $OBJ/ssh_proxy_bak |
| 184 | echo "PubkeyAcceptedKeyTypes ${t}" | 198 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 185 | ) > $OBJ/ssh_proxy | 199 | ) > $OBJ/ssh_proxy |
| 186 | 200 | ||
| 187 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 201 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ |
| 188 | -F $OBJ/ssh_proxy somehost true | 202 | -F $OBJ/ssh_proxy somehost true |
| 189 | if [ $? -ne 0 ]; then | 203 | if [ $? -ne 0 ]; then |
| @@ -223,7 +237,7 @@ basic_tests() { | |||
| 223 | fail "ssh cert connect failed" | 237 | fail "ssh cert connect failed" |
| 224 | fi | 238 | fi |
| 225 | done | 239 | done |
| 226 | 240 | ||
| 227 | # Revoked CA | 241 | # Revoked CA |
| 228 | verbose "$tid: ${ktype} $auth revoked CA key" | 242 | verbose "$tid: ${ktype} $auth revoked CA key" |
| 229 | ( | 243 | ( |
| @@ -238,7 +252,7 @@ basic_tests() { | |||
| 238 | fail "ssh cert connect succeeded unexpecedly" | 252 | fail "ssh cert connect succeeded unexpecedly" |
| 239 | fi | 253 | fi |
| 240 | done | 254 | done |
| 241 | 255 | ||
| 242 | verbose "$tid: $auth CA does not authenticate" | 256 | verbose "$tid: $auth CA does not authenticate" |
| 243 | ( | 257 | ( |
| 244 | cat $OBJ/sshd_proxy_bak | 258 | cat $OBJ/sshd_proxy_bak |
| @@ -286,7 +300,7 @@ test_one() { | |||
| 286 | echo $auth_opt >> $OBJ/sshd_proxy | 300 | echo $auth_opt >> $OBJ/sshd_proxy |
| 287 | fi | 301 | fi |
| 288 | fi | 302 | fi |
| 289 | 303 | ||
| 290 | verbose "$tid: $ident auth $auth expect $result $ktype" | 304 | verbose "$tid: $ident auth $auth expect $result $ktype" |
| 291 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ | 305 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ |
| 292 | -I "regress user key for $USER" \ | 306 | -I "regress user key for $USER" \ |
| @@ -342,13 +356,13 @@ test_one "principals key option no principals" failure "" \ | |||
| 342 | 356 | ||
| 343 | # Wrong certificate | 357 | # Wrong certificate |
| 344 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 358 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 345 | for ktype in $PLAIN_TYPES ; do | 359 | for ktype in $PLAIN_TYPES ; do |
| 346 | t=$(kname $ktype) | 360 | t=$(kname $ktype) |
| 347 | # Self-sign | 361 | # Self-sign |
| 348 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ | 362 | ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ |
| 349 | "regress user key for $USER" \ | 363 | "regress user key for $USER" \ |
| 350 | -n $USER $OBJ/cert_user_key_${ktype} || | 364 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 351 | fail "couldn't sign cert_user_key_${ktype}" | 365 | fatal "couldn't sign cert_user_key_${ktype}" |
| 352 | verbose "$tid: user ${ktype} connect wrong cert" | 366 | verbose "$tid: user ${ktype} connect wrong cert" |
| 353 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 367 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 354 | somehost true >/dev/null 2>&1 | 368 | somehost true >/dev/null 2>&1 |