Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh49
1 files changed, 34 insertions, 15 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index 1077358ff..a70c79c66 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ 1# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key revocation lists" 4tid="key revocation lists"
@@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do
85 UCERTS="$UCERTS ${f}-cert.pub" 85 UCERTS="$UCERTS ${f}-cert.pub"
86done 86done
87 87
88# Specifications that revoke keys by hash.
89touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
90for rkey in $RKEYS; do
91 (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
92 (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
93 (printf "hash: "; $SSHKEYGEN -lf $rkey | \
94 awk '{ print $2 }') >> $OBJ/revoked-hash
95done
96
88genkrls() { 97genkrls() {
89 OPTS=$1 98 OPTS=$1
90$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ 99$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
@@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
97 >/dev/null || fatal "$SSHKEYGEN KRL failed" 106 >/dev/null || fatal "$SSHKEYGEN KRL failed"
98$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ 107$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
99 >/dev/null || fatal "$SSHKEYGEN KRL failed" 108 >/dev/null || fatal "$SSHKEYGEN KRL failed"
109$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
110 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
111$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
112 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
113$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
114 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
100# This should fail as KRLs from serial/key-id spec need the CA specified. 115# This should fail as KRLs from serial/key-id spec need the CA specified.
101$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ 116$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
102 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 117 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
@@ -131,9 +146,9 @@ check_krl() {
131 TAG=$4 146 TAG=$4
132 $SSHKEYGEN -Qf $KRL $KEY >/dev/null 147 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
133 result=$? 148 result=$?
134 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then 149 if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
135 fatal "key $KEY not revoked by KRL $KRL: $TAG" 150 fatal "key $KEY not revoked by KRL $KRL: $TAG"
136 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then 151 elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
137 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" 152 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
138 fi 153 fi
139} 154}
@@ -142,17 +157,21 @@ test_rev() {
142 TAG=$2 157 TAG=$2
143 KEYS_RESULT=$3 158 KEYS_RESULT=$3
144 ALL_RESULT=$4 159 ALL_RESULT=$4
145 SERIAL_RESULT=$5 160 HASH_RESULT=$5
146 KEYID_RESULT=$6 161 SERIAL_RESULT=$6
147 CERTS_RESULT=$7 162 KEYID_RESULT=$7
148 CA_RESULT=$8 163 CERTS_RESULT=$8
149 SERIAL_WRESULT=$9 164 CA_RESULT=$9
150 KEYID_WRESULT=$10 165 SERIAL_WRESULT=$10
166 KEYID_WRESULT=$11
151 verbose "$tid: checking revocations for $TAG" 167 verbose "$tid: checking revocations for $TAG"
152 for f in $FILES ; do 168 for f in $FILES ; do
153 check_krl $f $OBJ/krl-empty no "$TAG" 169 check_krl $f $OBJ/krl-empty no "$TAG"
154 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" 170 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
155 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" 171 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
172 check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
173 check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
174 check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
156 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" 175 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
157 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" 176 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
158 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" 177 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
@@ -163,12 +182,12 @@ test_rev() {
163} 182}
164 183
165test_all() { 184test_all() {
166 # wildcard 185 # wildcard
167 # keys all sr# k.ID cert CA sr.# k.ID 186 # keys all hash sr# ID cert CA srl ID
168 test_rev "$RKEYS" "revoked keys" yes yes no no no no no no 187 test_rev "$RKEYS" "revoked keys" y y y n n n n n n
169 test_rev "$UKEYS" "unrevoked keys" no no no no no no no no 188 test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
170 test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes 189 test_rev "$RCERTS" "revoked certs" y y y y y y y y y
171 test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no 190 test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
172} 191}
173 192
174test_all 193test_all
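Review bot: check_krl now recognises only `y` and `n`, but the unchanged call at new line 169 still passes `no`, so the empty-KRL check can no longer fail: `"xno" = "xn"` is false, and a key wrongly reported as revoked falls through both branches without reaching `fatal`. That call should read `check_krl $f $OBJ/krl-empty n "$TAG"`. The same silent pass-through affects new lines 165-166, where `$10` and `$11` expand as `${1}0` and `${1}1` in sh, so `SERIAL_WRESULT` and `KEYID_WRESULT` never hold `y` or `n`; they should be `SERIAL_WRESULT=${10}` and `KEYID_WRESULT=${11}` (their uses, presumably the wildcard KRL checks, fall outside the visible hunks). Because this is the regression test for key revocation, check_krl would be safer if it called `fatal` on any expectation value other than `y` or `n`, so a mistyped or mis-expanded argument fails loudly instead of disabling the check.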