1 files changed, 196 insertions, 0 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
new file mode 100644
index 000000000..eb99486ae
--- /dev/null
+++ b/regress/sshsig.sh
@@ -0,0 +1,196 @@
+#       $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
+#       Placed in the Public Domain.
+tid="sshsig"
+DATA2=$OBJ/${DATANAME}.2
+cat ${DATA} ${DATA} > ${DATA2}
+rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
+sig_namespace="test-$$"
+sig_principal="user-$$@example.com"
+# Make a "wrong key"
+${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
+        || fatal "couldn't generate key"
+WRONG=$OBJ/wrong-key.pub
+# Make a CA key.
+${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
+        || fatal "couldn't generate key"
+CA_PRIV=$OBJ/sigca-key
+CA_PUB=$OBJ/sigca-key.pub
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+        fatal "could not start ssh-agent: exit code $r"
+fi
+SIGNKEYS="$SSH_KEYTYPES"
+verbose "$tid: make certificates"
+for t in $SSH_KEYTYPES ; do
+        ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
+            -I "regress signature key for $USER" \
+            -n $sig_principal $OBJ/${t} || \
+                fatal "couldn't sign ${t}"
+        SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
+done
+for t in $SIGNKEYS; do
+        verbose "$tid: check signature for $t"
+        keybase=`basename $t .pub`
+        privkey=${OBJ}/`basename $t -cert.pub`
+        sigfile=${OBJ}/sshsig-${keybase}.sig
+        sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
+        pubkey=${OBJ}/${keybase}.pub
+        ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
+                < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
+        (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 || \
+                fail "failed signature for $t key"
+        (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
+         cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 || \
+                fail "failed signature for $t key w/ limited namespace"
+        # Invalid option
+        (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key with bad signers option"
+        # Wrong key trusted.
+        (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key with wrong key trusted"
+        # incorrect data
+        (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA2 >/dev/null 2>&1 && \
+                fail "passed signature for wrong data with $t key"
+        # wrong principal in signers
+        (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key with wrong principal"
+        # wrong namespace
+        (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key with wrong namespace"
+        # namespace excluded by option
+        (printf "$sig_principal namespaces=\"whatever\" " ;
+         cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key with excluded namespace"
+        # public key in revoked keys file
+        cat $pubkey > $OBJ/revoked_keys
+        (printf "$sig_principal namespaces=\"whatever\" " ;
+         cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                -r $OBJ/revoked_keys \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t key, but key is in revoked_keys"
+        # public key not revoked, but other are present in revoked_keysfile
+        cat $WRONG > $OBJ/revoked_keys
+        (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                -r $OBJ/revoked_keys \
+                < $DATA >/dev/null 2>&1 || \
+                fail "couldn't verify signature for $t key, but key not in revoked_keys"
+        # check-novalidate with valid data
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+                < $DATA >/dev/null 2>&1 || \
+                fail "failed to check valid signature for $t key"
+        # check-novalidate with invalid data
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+                < $DATA2 >/dev/null 2>&1 && \
+                fail "sucessfully checked signature for $t key with invalid data"
+        # Check signing keys using ssh-agent.
+        ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
+        ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
+        # Move private key to ensure agent key is used
+        mv ${privkey} ${privkey}.tmp
+        ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
+                < $DATA > $sigfile_agent 2>/dev/null || \
+                fail "ssh-agent based sign using $pubkey failed"
+        ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
+                -n $sig_namespace < $DATA >/dev/null 2>&1 || \
+                fail "failed to check valid signature for $t key"
+        # Move private key back
+        mv ${privkey}.tmp ${privkey}
+        # Remaining tests are for certificates only.
+        case "$keybase" in
+                *-cert) ;;
+                *) continue ;;
+        esac
+        # correct CA key
+        (printf "$sig_principal cert-authority " ;
+         cat $CA_PUB) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 || \
+                fail "failed signature for $t cert"
+        # signing key listed as cert-authority
+        (printf "$sig_principal cert-authority" ;
+         cat $pubkey) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature with $t key listed as CA"
+        # CA key not flagged cert-authority
+        (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t cert with CA not marked"
+        # mismatch between cert principal and file
+        (printf "josef.k@example.com cert-authority" ;
+         cat $CA_PUB) > $OBJ/allowed_signers
+        ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+                -I $sig_principal -f $OBJ/allowed_signers \
+                < $DATA >/dev/null 2>&1 && \
+                fail "accepted signature for $t cert with wrong principal"
+done
+trace "kill agent"
+${SSHAGENT} -k > /dev/null

diff --git a/regress/sshsig.sh b/regress/sshsig.sh new file mode 100644 index 000000000..eb99486ae --- /dev/null +++ b/regress/sshsig.sh
@@ -0,0 +1,196 @@
	1	# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="sshsig"
	5
	6	DATA2=$OBJ/${DATANAME}.2
	7	cat ${DATA} ${DATA} > ${DATA2}
	8
	9	rm -f $OBJ/sshsig-.sig $OBJ/wrong-key $OBJ/sigca-key*
	10
	11	sig_namespace="test-$$"
	12	sig_principal="user-$$@example.com"
	13
	14	# Make a "wrong key"
	15	${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
	16	\|\| fatal "couldn't generate key"
	17	WRONG=$OBJ/wrong-key.pub
	18
	19	# Make a CA key.
	20	${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
	21	\|\| fatal "couldn't generate key"
	22	CA_PRIV=$OBJ/sigca-key
	23	CA_PUB=$OBJ/sigca-key.pub
	24
	25	trace "start agent"
	26	eval `${SSHAGENT} -s` > /dev/null
	27	r=$?
	28	if [ $r -ne 0 ]; then
	29	fatal "could not start ssh-agent: exit code $r"
	30	fi
	31
	32	SIGNKEYS="$SSH_KEYTYPES"
	33	verbose "$tid: make certificates"
	34	for t in $SSH_KEYTYPES ; do
	35	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
	36	-I "regress signature key for $USER" \
	37	-n $sig_principal $OBJ/${t} \|\| \
	38	fatal "couldn't sign ${t}"
	39	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
	40	done
	41
	42	for t in $SIGNKEYS; do
	43	verbose "$tid: check signature for $t"
	44	keybase=`basename $t .pub`
	45	privkey=${OBJ}/`basename $t -cert.pub`
	46	sigfile=${OBJ}/sshsig-${keybase}.sig
	47	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
	48	pubkey=${OBJ}/${keybase}.pub
	49
	50	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
	51	< $DATA > $sigfile 2>/dev/null \|\| fail "sign using $t failed"
	52
	53	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
	54	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	55	-I $sig_principal -f $OBJ/allowed_signers \
	56	< $DATA >/dev/null 2>&1 \|\| \
	57	fail "failed signature for $t key"
	58
	59	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
	60	cat $pubkey) > $OBJ/allowed_signers
	61	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	62	-I $sig_principal -f $OBJ/allowed_signers \
	63	< $DATA >/dev/null 2>&1 \|\| \
	64	fail "failed signature for $t key w/ limited namespace"
	65
	66	# Invalid option
	67	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
	68	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	69	-I $sig_principal -f $OBJ/allowed_signers \
	70	< $DATA >/dev/null 2>&1 && \
	71	fail "accepted signature for $t key with bad signers option"
	72
	73	# Wrong key trusted.
	74	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
	75	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	76	-I $sig_principal -f $OBJ/allowed_signers \
	77	< $DATA >/dev/null 2>&1 && \
	78	fail "accepted signature for $t key with wrong key trusted"
	79
	80	# incorrect data
	81	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
	82	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	83	-I $sig_principal -f $OBJ/allowed_signers \
	84	< $DATA2 >/dev/null 2>&1 && \
	85	fail "passed signature for wrong data with $t key"
	86
	87	# wrong principal in signers
	88	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
	89	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	90	-I $sig_principal -f $OBJ/allowed_signers \
	91	< $DATA >/dev/null 2>&1 && \
	92	fail "accepted signature for $t key with wrong principal"
	93
	94	# wrong namespace
	95	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
	96	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
	97	-I $sig_principal -f $OBJ/allowed_signers \
	98	< $DATA >/dev/null 2>&1 && \
	99	fail "accepted signature for $t key with wrong namespace"
	100
	101	# namespace excluded by option
	102	(printf "$sig_principal namespaces=\"whatever\" " ;
	103	cat $pubkey) > $OBJ/allowed_signers
	104	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	105	-I $sig_principal -f $OBJ/allowed_signers \
	106	< $DATA >/dev/null 2>&1 && \
	107	fail "accepted signature for $t key with excluded namespace"
	108
	109	# public key in revoked keys file
	110	cat $pubkey > $OBJ/revoked_keys
	111	(printf "$sig_principal namespaces=\"whatever\" " ;
	112	cat $pubkey) > $OBJ/allowed_signers
	113	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	114	-I $sig_principal -f $OBJ/allowed_signers \
	115	-r $OBJ/revoked_keys \
	116	< $DATA >/dev/null 2>&1 && \
	117	fail "accepted signature for $t key, but key is in revoked_keys"
	118
	119	# public key not revoked, but other are present in revoked_keysfile
	120	cat $WRONG > $OBJ/revoked_keys
	121	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
	122	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	123	-I $sig_principal -f $OBJ/allowed_signers \
	124	-r $OBJ/revoked_keys \
	125	< $DATA >/dev/null 2>&1 \|\| \
	126	fail "couldn't verify signature for $t key, but key not in revoked_keys"
	127
	128	# check-novalidate with valid data
	129	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
	130	< $DATA >/dev/null 2>&1 \|\| \
	131	fail "failed to check valid signature for $t key"
	132
	133	# check-novalidate with invalid data
	134	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
	135	< $DATA2 >/dev/null 2>&1 && \
	136	fail "sucessfully checked signature for $t key with invalid data"
	137
	138	# Check signing keys using ssh-agent.
	139	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
	140	${SSHADD} ${privkey} > /dev/null 2>&1 \|\| fail "ssh-add failed"
	141
	142	# Move private key to ensure agent key is used
	143	mv ${privkey} ${privkey}.tmp
	144
	145	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
	146	< $DATA > $sigfile_agent 2>/dev/null \|\| \
	147	fail "ssh-agent based sign using $pubkey failed"
	148	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
	149	-n $sig_namespace < $DATA >/dev/null 2>&1 \|\| \
	150	fail "failed to check valid signature for $t key"
	151
	152	# Move private key back
	153	mv ${privkey}.tmp ${privkey}
	154
	155	# Remaining tests are for certificates only.
	156	case "$keybase" in
	157	*-cert) ;;
	158	*) continue ;;
	159	esac
	160
	161
	162	# correct CA key
	163	(printf "$sig_principal cert-authority " ;
	164	cat $CA_PUB) > $OBJ/allowed_signers
	165	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	166	-I $sig_principal -f $OBJ/allowed_signers \
	167	< $DATA >/dev/null 2>&1 \|\| \
	168	fail "failed signature for $t cert"
	169
	170	# signing key listed as cert-authority
	171	(printf "$sig_principal cert-authority" ;
	172	cat $pubkey) > $OBJ/allowed_signers
	173	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	174	-I $sig_principal -f $OBJ/allowed_signers \
	175	< $DATA >/dev/null 2>&1 && \
	176	fail "accepted signature with $t key listed as CA"
	177
	178	# CA key not flagged cert-authority
	179	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
	180	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	181	-I $sig_principal -f $OBJ/allowed_signers \
	182	< $DATA >/dev/null 2>&1 && \
	183	fail "accepted signature for $t cert with CA not marked"
	184
	185	# mismatch between cert principal and file
	186	(printf "josef.k@example.com cert-authority" ;
	187	cat $CA_PUB) > $OBJ/allowed_signers
	188	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
	189	-I $sig_principal -f $OBJ/allowed_signers \
	190	< $DATA >/dev/null 2>&1 && \
	191	fail "accepted signature for $t cert with wrong principal"
	192	done
	193
	194	trace "kill agent"
	195	${SSHAGENT} -k > /dev/null
	196