1 files changed, 161 insertions, 0 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 000000000..62a239c38
--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,161 @@
+#       $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+#       Placed in the Public Domain.
+tid="key revocation lists"
+# If we don't support ecdsa keys then this tell will be much slower.
+ECDSA=ecdsa
+if test "x$TEST_SSH_ECC" != "xyes"; then
+        ECDSA=rsa
+fi
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+# Generate a CA key
+$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
+        fatal "$SSHKEYGEN CA failed"
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+jot() {
+        awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+        # Fill in by-ID revocation spec.
+        echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+keygen() {
+        N=$1
+        f=$OBJ/revoked-`printf "%04d" $N`
+        # Vary the keytype. We use mostly ECDSA since this is fastest by far.
+        keytype=$ECDSA
+        case $N in
+        2 | 10 | 510 | 1001)    keytype=rsa;;
+        4 | 30 | 520 | 1002)    keytype=dsa;;
+        esac
+        $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+                || fatal "$SSHKEYGEN failed"
+        # Sign cert
+        $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+                || fatal "$SSHKEYGEN sign failed"
+        echo $f
+}
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+        f=`keygen $n`
+        REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+        REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+        NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+        NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+genkrls() {
+        OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+        >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+        >/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+verbose "$tid: generating KRLs"
+genkrls
+check_krl() {
+        KEY=$1
+        KRL=$2
+        EXPECT_REVOKED=$3
+        TAG=$4
+        $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+        result=$?
+        if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+                fatal "key $KEY not revoked by KRL $KRL: $TAG"
+        elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+                fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+        fi
+}
+test_all() {
+        FILES=$1
+        TAG=$2
+        KEYS_RESULT=$3
+        ALL_RESULT=$4
+        SERIAL_RESULT=$5
+        KEYID_RESULT=$6
+        CERTS_RESULT=$7
+        CA_RESULT=$8
+        verbose "$tid: checking revocations for $TAG"
+        for f in $FILES ; do
+                check_krl $f $OBJ/krl-empty  no             "$TAG"
+                check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
+                check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+                check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
+                check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
+                check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
+        done
+}
+#                                            keys  all serial  keyid  certs   CA
+test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
+test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+        cp -f $OBJ/krl-empty $f
+        genkrls -u
+done
+#                                            keys  all serial  keyid  certs   CA
+test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
+test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
+test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes

diff --git a/regress/krl.sh b/regress/krl.sh new file mode 100644 index 000000000..62a239c38 --- /dev/null +++ b/regress/krl.sh
@@ -0,0 +1,161 @@
	1	# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="key revocation lists"
	5
	6	# If we don't support ecdsa keys then this tell will be much slower.
	7	ECDSA=ecdsa
	8	if test "x$TEST_SSH_ECC" != "xyes"; then
	9	ECDSA=rsa
	10	fi
	11
	12	# Do most testing with ssh-keygen; it uses the same verification code as sshd.
	13
	14	# Old keys will interfere with ssh-keygen.
	15	rm -f $OBJ/revoked-* $OBJ/krl-*
	16
	17	# Generate a CA key
	18	$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null \|\|
	19	fatal "$SSHKEYGEN CA failed"
	20
	21	# A specification that revokes some certificates by serial numbers
	22	# The serial pattern is chosen to ensure the KRL includes list, range and
	23	# bitmap sections.
	24	cat << EOF >> $OBJ/revoked-serials
	25	serial: 1-4
	26	serial: 10
	27	serial: 15
	28	serial: 30
	29	serial: 50
	30	serial: 999
	31	# The following sum to 500-799
	32	serial: 500
	33	serial: 501
	34	serial: 502
	35	serial: 503-600
	36	serial: 700-797
	37	serial: 798
	38	serial: 799
	39	serial: 599-701
	40	EOF
	41
	42	jot() {
	43	awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
	44	}
	45
	46	# A specification that revokes some certificated by key ID.
	47	touch $OBJ/revoked-keyid
	48	for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
	49	# Fill in by-ID revocation spec.
	50	echo "id: revoked $n" >> $OBJ/revoked-keyid
	51	done
	52
	53	keygen() {
	54	N=$1
	55	f=$OBJ/revoked-`printf "%04d" $N`
	56	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
	57	keytype=$ECDSA
	58	case $N in
	59	2 \| 10 \| 510 \| 1001) keytype=rsa;;
	60	4 \| 30 \| 520 \| 1002) keytype=dsa;;
	61	esac
	62	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
	63	\|\| fatal "$SSHKEYGEN failed"
	64	# Sign cert
	65	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
	66	\|\| fatal "$SSHKEYGEN sign failed"
	67	echo $f
	68	}
	69
	70	# Generate some keys.
	71	verbose "$tid: generating test keys"
	72	REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
	73	for n in $REVOKED_SERIALS ; do
	74	f=`keygen $n`
	75	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
	76	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
	77	done
	78	NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
	79	NOTREVOKED=""
	80	for n in $NOTREVOKED_SERIALS ; do
	81	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
	82	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
	83	done
	84
	85	genkrls() {
	86	OPTS=$1
	87	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
	88	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	89	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
	90	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	91	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
	92	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	93	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
	94	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	95	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
	96	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	97	# KRLs from serial/key-id spec need the CA specified.
	98	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
	99	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	100	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
	101	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	102	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
	103	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	104	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
	105	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
	106	}
	107
	108	verbose "$tid: generating KRLs"
	109	genkrls
	110
	111	check_krl() {
	112	KEY=$1
	113	KRL=$2
	114	EXPECT_REVOKED=$3
	115	TAG=$4
	116	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
	117	result=$?
	118	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
	119	fatal "key $KEY not revoked by KRL $KRL: $TAG"
	120	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
	121	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
	122	fi
	123	}
	124	test_all() {
	125	FILES=$1
	126	TAG=$2
	127	KEYS_RESULT=$3
	128	ALL_RESULT=$4
	129	SERIAL_RESULT=$5
	130	KEYID_RESULT=$6
	131	CERTS_RESULT=$7
	132	CA_RESULT=$8
	133	verbose "$tid: checking revocations for $TAG"
	134	for f in $FILES ; do
	135	check_krl $f $OBJ/krl-empty no "$TAG"
	136	check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
	137	check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
	138	check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
	139	check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
	140	check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
	141	check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
	142	done
	143	}
	144	# keys all serial keyid certs CA
	145	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
	146	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
	147	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
	148	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
	149
	150	# Check update. Results should be identical.
	151	verbose "$tid: testing KRL update"
	152	for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
	153	$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
	154	cp -f $OBJ/krl-empty $f
	155	genkrls -u
	156	done
	157	# keys all serial keyid certs CA
	158	test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
	159	test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
	160	test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
	161	test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes