diff options
Diffstat (limited to 'regress/krl.sh')
-rw-r--r-- | regress/krl.sh | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/regress/krl.sh b/regress/krl.sh index 1077358ff..a70c79c66 100644 --- a/regress/krl.sh +++ b/regress/krl.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ | 1 | # $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="key revocation lists" | 4 | tid="key revocation lists" |
@@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do | |||
85 | UCERTS="$UCERTS ${f}-cert.pub" | 85 | UCERTS="$UCERTS ${f}-cert.pub" |
86 | done | 86 | done |
87 | 87 | ||
88 | # Specifications that revoke keys by hash. | ||
89 | touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash | ||
90 | for rkey in $RKEYS; do | ||
91 | (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1 | ||
92 | (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256 | ||
93 | (printf "hash: "; $SSHKEYGEN -lf $rkey | \ | ||
94 | awk '{ print $2 }') >> $OBJ/revoked-hash | ||
95 | done | ||
96 | |||
88 | genkrls() { | 97 | genkrls() { |
89 | OPTS=$1 | 98 | OPTS=$1 |
90 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ | 99 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ |
@@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ | |||
97 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | 106 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
98 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ | 107 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ |
99 | >/dev/null || fatal "$SSHKEYGEN KRL failed" | 108 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
109 | $SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \ | ||
110 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
111 | $SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \ | ||
112 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
113 | $SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \ | ||
114 | >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" | ||
100 | # This should fail as KRLs from serial/key-id spec need the CA specified. | 115 | # This should fail as KRLs from serial/key-id spec need the CA specified. |
101 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ | 116 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ |
102 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" | 117 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" |
@@ -131,9 +146,9 @@ check_krl() { | |||
131 | TAG=$4 | 146 | TAG=$4 |
132 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null | 147 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null |
133 | result=$? | 148 | result=$? |
134 | if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then | 149 | if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then |
135 | fatal "key $KEY not revoked by KRL $KRL: $TAG" | 150 | fatal "key $KEY not revoked by KRL $KRL: $TAG" |
136 | elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then | 151 | elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then |
137 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" | 152 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" |
138 | fi | 153 | fi |
139 | } | 154 | } |
@@ -142,17 +157,21 @@ test_rev() { | |||
142 | TAG=$2 | 157 | TAG=$2 |
143 | KEYS_RESULT=$3 | 158 | KEYS_RESULT=$3 |
144 | ALL_RESULT=$4 | 159 | ALL_RESULT=$4 |
145 | SERIAL_RESULT=$5 | 160 | HASH_RESULT=$5 |
146 | KEYID_RESULT=$6 | 161 | SERIAL_RESULT=$6 |
147 | CERTS_RESULT=$7 | 162 | KEYID_RESULT=$7 |
148 | CA_RESULT=$8 | 163 | CERTS_RESULT=$8 |
149 | SERIAL_WRESULT=$9 | 164 | CA_RESULT=$9 |
150 | KEYID_WRESULT=$10 | 165 | SERIAL_WRESULT=$10 |
166 | KEYID_WRESULT=$11 | ||
151 | verbose "$tid: checking revocations for $TAG" | 167 | verbose "$tid: checking revocations for $TAG" |
152 | for f in $FILES ; do | 168 | for f in $FILES ; do |
153 | check_krl $f $OBJ/krl-empty no "$TAG" | 169 | check_krl $f $OBJ/krl-empty no "$TAG" |
154 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" | 170 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" |
155 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" | 171 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" |
172 | check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG" | ||
173 | check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG" | ||
174 | check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG" | ||
156 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" | 175 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" |
157 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" | 176 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" |
158 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" | 177 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" |
@@ -163,12 +182,12 @@ test_rev() { | |||
163 | } | 182 | } |
164 | 183 | ||
165 | test_all() { | 184 | test_all() { |
166 | # wildcard | 185 | # wildcard |
167 | # keys all sr# k.ID cert CA sr.# k.ID | 186 | # keys all hash sr# ID cert CA srl ID |
168 | test_rev "$RKEYS" "revoked keys" yes yes no no no no no no | 187 | test_rev "$RKEYS" "revoked keys" y y y n n n n n n |
169 | test_rev "$UKEYS" "unrevoked keys" no no no no no no no no | 188 | test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n |
170 | test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes | 189 | test_rev "$RCERTS" "revoked certs" y y y y y y y y y |
171 | test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no | 190 | test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n |
172 | } | 191 | } |
173 | 192 | ||
174 | test_all | 193 | test_all |