2 files changed, 147 insertions, 107 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3fda667cb..0265e8f6b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
            -I "regress host key for $USER" \
            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                fail "couldn't sign cert_host_key_${ktype}"
+        cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+        cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+        ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+            -I "regress host key for $USER" \
+            -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+                fail "couldn't sign cert_host_key_${ktype}_v00"
 done
 # Basic connect tests
 for privsep in yes no ; do
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00; do 
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
        echon '@revoked '
        echon "* "
        cat $OBJ/cert_host_key_dsa.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_rsa_v00.pub
+        echon '@revoked '
+        echon "* "
+        cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00; do 
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
        echon "* "
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
        ident=$1
        result=$2
        sign_opts=$3
-        
-        verbose "$tid: test host cert connect $ident expect $result"
-        ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
-            $sign_opts \
-            $OBJ/cert_host_key_rsa ||
-                fail "couldn't sign cert_host_key_rsa"
-        (
-                cat $OBJ/sshd_proxy_bak
-                echo HostKey $OBJ/cert_host_key_rsa
-                echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
-        ) > $OBJ/sshd_proxy
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+        for kt in rsa rsa_v00 ; do
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                case $kt in
-            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                *_v00) args="-t v00" ;;
-        rc=$?
+                *) args="" ;;
-        if [ "x$result" = "xsuccess" ] ; then
+                esac
-                if [ $rc -ne 0 ]; then
-                        fail "ssh cert connect $ident failed unexpectedly"
+                verbose "$tid: host cert connect $ident $kt expect $result"
-                fi
+                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-        else
+                    -I "regress host key for $USER" \
-                if [ $rc -eq 0 ]; then
+                    $sign_opts $args \
-                        fail "ssh cert connect $ident succeeded unexpectedly"
+                    $OBJ/cert_host_key_${kt} ||
+                        fail "couldn't sign cert_host_key_${kt}"
+                (
+                        cat $OBJ/sshd_proxy_bak
+                        echo HostKey $OBJ/cert_host_key_${kt}
+                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+                ) > $OBJ/sshd_proxy
+        
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                rc=$?
+                if [ "x$result" = "xsuccess" ] ; then
+                        if [ $rc -ne 0 ]; then
+                                fail "ssh cert connect $ident failed unexpectedly"
+                        fi
+                else
+                        if [ $rc -eq 0 ]; then
+                                fail "ssh cert connect $ident succeeded unexpectedly"
+                        fi
                fi
-        fi
+        done
 }
 test_one "user-certificate"     failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for v in v01 v00 ;  do 
-for ktype in rsa dsa ; do 
+        for ktype in rsa dsa ; do 
-        verbose "$tid: host ${ktype} cert downgrade to raw key"
+                rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-        # Generate and sign a host key
+                verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-        ${SSHKEYGEN} -q -N '' -t ${ktype} \
+                # Generate and sign a host key
-            -f $OBJ/cert_host_key_${ktype} || \
+                ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                fail "ssh-keygen of cert_host_key_${ktype} failed"
+                    -f $OBJ/cert_host_key_${ktype} || \
-        ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+                        fail "ssh-keygen of cert_host_key_${ktype} failed"
-            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                fail "couldn't sign cert_host_key_${ktype}"
+                    -I "regress host key for $USER" \
-        (
+                    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                echon "$HOSTS "
+                        fail "couldn't sign cert_host_key_${ktype}"
-                cat $OBJ/cert_host_key_${ktype}.pub
+                (
-        ) > $OBJ/known_hosts-cert
+                        echon "$HOSTS "
-        (
+                        cat $OBJ/cert_host_key_${ktype}.pub
-                cat $OBJ/sshd_proxy_bak
+                ) > $OBJ/known_hosts-cert
-                echo HostKey $OBJ/cert_host_key_${ktype}
+                (
-                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        cat $OBJ/sshd_proxy_bak
-        ) > $OBJ/sshd_proxy
+                        echo HostKey $OBJ/cert_host_key_${ktype}
-        
+                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                ) > $OBJ/sshd_proxy
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                
-                -F $OBJ/ssh_proxy somehost true
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-        if [ $? -ne 0 ]; then
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                fail "ssh cert connect failed"
+                        -F $OBJ/ssh_proxy somehost true
-        fi
+                if [ $? -ne 0 ]; then
+                        fail "ssh cert connect failed"
+                fi
+        done
 done
 # Wrong certificate
@@ -187,25 +209,31 @@ done
        echon "$HOSTS "
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for v in v01 v00 ;  do 
-        # Self-sign key
+        for kt in rsa dsa ; do 
-        ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+                rm -f $OBJ/cert_host_key*
-            -I "regress host key for $USER" \
+                # Self-sign key
-            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+                ${SSHKEYGEN} -q -N '' -t ${kt} \
-                fail "couldn't sign cert_host_key_${ktype}"
+                    -f $OBJ/cert_host_key_${kt} || \
-        verbose "$tid: host ${ktype} connect wrong cert"
+                        fail "ssh-keygen of cert_host_key_${kt} failed"
-        (
+                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                cat $OBJ/sshd_proxy_bak
+                    -I "regress host key for $USER" \
-                echo HostKey $OBJ/cert_host_key_${ktype}
+                    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+                        fail "couldn't sign cert_host_key_${kt}"
-        ) > $OBJ/sshd_proxy
+                verbose "$tid: host ${kt} connect wrong cert"
+                (
-        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                        cat $OBJ/sshd_proxy_bak
-            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        echo HostKey $OBJ/cert_host_key_${kt}
-                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-        if [ $? -eq 0 ]; then
+                ) > $OBJ/sshd_proxy
-                fail "ssh cert connect $ident succeeded unexpectedly"
+        
-        fi
+                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+                        -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        fail "ssh cert connect $ident succeeded unexpectedly"
+                fi
+        done
 done
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7a58e7b75..88d6d70a4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
+        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+            "regress user key for $USER" \
+            -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+                fail "couldn't sign cert_user_key_${ktype}_v00"
 done
 basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
        fi
        
-        for ktype in rsa dsa ; do 
+        for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
                for privsep in yes no ; do
                        _prefix="${ktype} privsep $privsep $auth"
                        # Simple connect
@@ -108,39 +114,41 @@ test_one() {
        fi
        for auth in $auth_choice ; do
-                cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+                for ktype in rsa rsa_v00 ; do
-                if test "x$auth" = "xauthorized_keys" ; then
+                        cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-                        # Add CA to authorized_keys
+                        if test "x$auth" = "xauthorized_keys" ; then
-                        (
+                                # Add CA to authorized_keys
-                                echon 'cert-authority '
+                                (
-                                cat $OBJ/user_ca_key.pub
+                                        echon 'cert-authority '
-                        ) > $OBJ/authorized_keys_$USER
+                                        cat $OBJ/user_ca_key.pub
-                else
+                                ) > $OBJ/authorized_keys_$USER
-                        echo > $OBJ/authorized_keys_$USER
+                        else
-                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+                                echo > $OBJ/authorized_keys_$USER
-                            $OBJ/sshd_proxy
+                                echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
+                                    >> $OBJ/sshd_proxy
-                fi
-                
-                verbose "$tid: $ident auth $auth expect $result"
-                ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-                    -I "regress user key for $USER" \
-                    $sign_opts \
-                    $OBJ/cert_user_key_rsa ||
-                        fail "couldn't sign cert_user_key_rsa"
        
-                ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-                    somehost true >/dev/null 2>&1
-                rc=$?
-                if [ "x$result" = "xsuccess" ] ; then
-                        if [ $rc -ne 0 ]; then
-                                fail "$ident failed unexpectedly"
                        fi
-                else
+                        
-                        if [ $rc -eq 0 ]; then
+                        verbose "$tid: $ident auth $auth expect $result $ktype"
-                                fail "$ident succeeded unexpectedly"
+                        ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+                            -I "regress user key for $USER" \
+                            $sign_opts \
+                            $OBJ/cert_user_key_${ktype} ||
+                                fail "couldn't sign cert_user_key_${ktype}"
+                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+                            -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+                        rc=$?
+                        if [ "x$result" = "xsuccess" ] ; then
+                                if [ $rc -ne 0 ]; then
+                                        fail "$ident failed unexpectedly"
+                                fi
+                        else
+                                if [ $rc -eq 0 ]; then
+                                        fail "$ident succeeded unexpectedly"
+                                fi
                        fi
-                fi
+                done
        done
 }
@@ -158,9 +166,13 @@ test_one "empty principals"	success "" authorized_keys
 test_one "empty principals"     failure "" TrustedUserCAKeys
 # Wrong certificate
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+        case $ktype in
+        *_v00) args="-t v00" ;;
+        *) args="" ;;
+        esac
        # Self-sign
-        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+        ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3fda667cb..0265e8f6b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
28	-I "regress host key for $USER" \	28	-I "regress host key for $USER" \
29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	29	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
30	fail "couldn't sign cert_host_key_${ktype}"	30	fail "couldn't sign cert_host_key_${ktype}"
		31	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
		32	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
		33	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
		34	-I "regress host key for $USER" \
		35	-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 \|\|
		36	fail "couldn't sign cert_host_key_${ktype}_v00"
31	done	37	done
32		38
33	# Basic connect tests	39	# Basic connect tests
34	for privsep in yes no ; do	40	for privsep in yes no ; do
35	for ktype in rsa dsa ; do	41	for ktype in rsa dsa rsa_v00 dsa_v00; do
36	verbose "$tid: host ${ktype} cert connect privsep $privsep"	42	verbose "$tid: host ${ktype} cert connect privsep $privsep"
37	(	43	(
38	cat $OBJ/sshd_proxy_bak	44	cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
61	echon '@revoked '	67	echon '@revoked '
62	echon "* "	68	echon "* "
63	cat $OBJ/cert_host_key_dsa.pub	69	cat $OBJ/cert_host_key_dsa.pub
		70	echon '@revoked '
		71	echon "* "
		72	cat $OBJ/cert_host_key_rsa_v00.pub
		73	echon '@revoked '
		74	echon "* "
		75	cat $OBJ/cert_host_key_dsa_v00.pub
64	) > $OBJ/known_hosts-cert	76	) > $OBJ/known_hosts-cert
65	for privsep in yes no ; do	77	for privsep in yes no ; do
66	for ktype in rsa dsa ; do	78	for ktype in rsa dsa rsa_v00 dsa_v00; do
67	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	79	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68	(	80	(
69	cat $OBJ/sshd_proxy_bak	81	cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
90	echon "* "	102	echon "* "
91	cat $OBJ/host_ca_key.pub	103	cat $OBJ/host_ca_key.pub
92	) > $OBJ/known_hosts-cert	104	) > $OBJ/known_hosts-cert
93	for ktype in rsa dsa ; do	105	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
94	verbose "$tid: host ${ktype} revoked cert"	106	verbose "$tid: host ${ktype} revoked cert"
95	(	107	(
96	cat $OBJ/sshd_proxy_bak	108	cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
116	ident=$1	128	ident=$1
117	result=$2	129	result=$2
118	sign_opts=$3	130	sign_opts=$3
119
120	verbose "$tid: test host cert connect $ident expect $result"
121
122	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
123	$sign_opts \
124	$OBJ/cert_host_key_rsa \|\|
125	fail "couldn't sign cert_host_key_rsa"
126	(
127	cat $OBJ/sshd_proxy_bak
128	echo HostKey $OBJ/cert_host_key_rsa
129	echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
130	) > $OBJ/sshd_proxy
131		131
132	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	132	for kt in rsa rsa_v00 ; do
133	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	133	case $kt in
134	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1	134	*_v00) args="-t v00" ;;
135	rc=$?	135	*) args="" ;;
136	if [ "x$result" = "xsuccess" ] ; then	136	esac
137	if [ $rc -ne 0 ]; then	137
138	fail "ssh cert connect $ident failed unexpectedly"	138	verbose "$tid: host cert connect $ident $kt expect $result"
139	fi	139	${SSHKEYGEN} -q -s $OBJ/host_ca_key \
140	else	140	-I "regress host key for $USER" \
141	if [ $rc -eq 0 ]; then	141	$sign_opts $args \
142	fail "ssh cert connect $ident succeeded unexpectedly"	142	$OBJ/cert_host_key_${kt} \|\|
		143	fail "couldn't sign cert_host_key_${kt}"
		144	(
		145	cat $OBJ/sshd_proxy_bak
		146	echo HostKey $OBJ/cert_host_key_${kt}
		147	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		148	) > $OBJ/sshd_proxy
		149
		150	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		151	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		152	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		153	rc=$?
		154	if [ "x$result" = "xsuccess" ] ; then
		155	if [ $rc -ne 0 ]; then
		156	fail "ssh cert connect $ident failed unexpectedly"
		157	fi
		158	else
		159	if [ $rc -eq 0 ]; then
		160	fail "ssh cert connect $ident succeeded unexpectedly"
		161	fi
143	fi	162	fi
144	fi	163	done
145	}	164	}
146		165
147	test_one "user-certificate" failure "-n $HOSTS"	166	test_one "user-certificate" failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
153	test_one "cert has constraints" failure "-h -Oforce-command=false"	172	test_one "cert has constraints" failure "-h -Oforce-command=false"
154		173
155	# Check downgrade of cert to raw key when no CA found	174	# Check downgrade of cert to raw key when no CA found
156	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	175	for v in v01 v00 ; do
157	for ktype in rsa dsa ; do	176	for ktype in rsa dsa ; do
158	verbose "$tid: host ${ktype} cert downgrade to raw key"	177	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
159	# Generate and sign a host key	178	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
160	${SSHKEYGEN} -q -N '' -t ${ktype} \	179	# Generate and sign a host key
161	-f $OBJ/cert_host_key_${ktype} \|\| \	180	${SSHKEYGEN} -q -N '' -t ${ktype} \
162	fail "ssh-keygen of cert_host_key_${ktype} failed"	181	-f $OBJ/cert_host_key_${ktype} \|\| \
163	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \	182	fail "ssh-keygen of cert_host_key_${ktype} failed"
164	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	183	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
165	fail "couldn't sign cert_host_key_${ktype}"	184	-I "regress host key for $USER" \
166	(	185	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
167	echon "$HOSTS "	186	fail "couldn't sign cert_host_key_${ktype}"
168	cat $OBJ/cert_host_key_${ktype}.pub	187	(
169	) > $OBJ/known_hosts-cert	188	echon "$HOSTS "
170	(	189	cat $OBJ/cert_host_key_${ktype}.pub
171	cat $OBJ/sshd_proxy_bak	190	) > $OBJ/known_hosts-cert
172	echo HostKey $OBJ/cert_host_key_${ktype}	191	(
173	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	192	cat $OBJ/sshd_proxy_bak
174	) > $OBJ/sshd_proxy	193	echo HostKey $OBJ/cert_host_key_${ktype}
175		194	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
176	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	195	) > $OBJ/sshd_proxy
177	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	196
178	-F $OBJ/ssh_proxy somehost true	197	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
179	if [ $? -ne 0 ]; then	198	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
180	fail "ssh cert connect failed"	199	-F $OBJ/ssh_proxy somehost true
181	fi	200	if [ $? -ne 0 ]; then
		201	fail "ssh cert connect failed"
		202	fi
		203	done
182	done	204	done
183		205
184	# Wrong certificate	206	# Wrong certificate
@@ -187,25 +209,31 @@ done
187	echon "$HOSTS "	209	echon "$HOSTS "
188	cat $OBJ/host_ca_key.pub	210	cat $OBJ/host_ca_key.pub
189	) > $OBJ/known_hosts-cert	211	) > $OBJ/known_hosts-cert
190	for ktype in rsa dsa ; do	212	for v in v01 v00 ; do
191	# Self-sign key	213	for kt in rsa dsa ; do
192	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \	214	rm -f $OBJ/cert_host_key*
193	-I "regress host key for $USER" \	215	# Self-sign key
194	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	216	${SSHKEYGEN} -q -N '' -t ${kt} \
195	fail "couldn't sign cert_host_key_${ktype}"	217	-f $OBJ/cert_host_key_${kt} \|\| \
196	verbose "$tid: host ${ktype} connect wrong cert"	218	fail "ssh-keygen of cert_host_key_${kt} failed"
197	(	219	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
198	cat $OBJ/sshd_proxy_bak	220	-I "regress host key for $USER" \
199	echo HostKey $OBJ/cert_host_key_${ktype}	221	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
200	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	222	fail "couldn't sign cert_host_key_${kt}"
201	) > $OBJ/sshd_proxy	223	verbose "$tid: host ${kt} connect wrong cert"
202		224	(
203	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	225	cat $OBJ/sshd_proxy_bak
204	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	226	echo HostKey $OBJ/cert_host_key_${kt}
205	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1	227	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
206	if [ $? -eq 0 ]; then	228	) > $OBJ/sshd_proxy
207	fail "ssh cert connect $ident succeeded unexpectedly"	229
208	fi	230	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		231	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		232	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
		233	if [ $? -eq 0 ]; then
		234	fail "ssh cert connect $ident succeeded unexpectedly"
		235	fi
		236	done
209	done	237	done
210		238
211	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*	239	rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7a58e7b75..88d6d70a4 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
20	"regress user key for $USER" \	20	"regress user key for $USER" \
21	-n $USER $OBJ/cert_user_key_${ktype} \|\|	21	-n $USER $OBJ/cert_user_key_${ktype} \|\|
22	fail "couldn't sign cert_user_key_${ktype}"	22	fail "couldn't sign cert_user_key_${ktype}"
		23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
		24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
		25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
		26	"regress user key for $USER" \
		27	-n $USER $OBJ/cert_user_key_${ktype}_v00 \|\|
		28	fail "couldn't sign cert_user_key_${ktype}_v00"
23	done	29	done
24		30
25	basic_tests() {	31	basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
35	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"	41	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36	fi	42	fi
37		43
38	for ktype in rsa dsa ; do	44	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
39	for privsep in yes no ; do	45	for privsep in yes no ; do
40	_prefix="${ktype} privsep $privsep $auth"	46	_prefix="${ktype} privsep $privsep $auth"
41	# Simple connect	47	# Simple connect
@@ -108,39 +114,41 @@ test_one() {
108	fi	114	fi
109		115
110	for auth in $auth_choice ; do	116	for auth in $auth_choice ; do
111	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy	117	for ktype in rsa rsa_v00 ; do
112	if test "x$auth" = "xauthorized_keys" ; then	118	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
113	# Add CA to authorized_keys	119	if test "x$auth" = "xauthorized_keys" ; then
114	(	120	# Add CA to authorized_keys
115	echon 'cert-authority '	121	(
116	cat $OBJ/user_ca_key.pub	122	echon 'cert-authority '
117	) > $OBJ/authorized_keys_$USER	123	cat $OBJ/user_ca_key.pub
118	else	124	) > $OBJ/authorized_keys_$USER
119	echo > $OBJ/authorized_keys_$USER	125	else
120	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \	126	echo > $OBJ/authorized_keys_$USER
121	$OBJ/sshd_proxy	127	echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
122		128	>> $OBJ/sshd_proxy
123	fi
124
125	verbose "$tid: $ident auth $auth expect $result"
126	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127	-I "regress user key for $USER" \
128	$sign_opts \
129	$OBJ/cert_user_key_rsa \|\|
130	fail "couldn't sign cert_user_key_rsa"
131		129
132	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133	somehost true >/dev/null 2>&1
134	rc=$?
135	if [ "x$result" = "xsuccess" ] ; then
136	if [ $rc -ne 0 ]; then
137	fail "$ident failed unexpectedly"
138	fi	130	fi
139	else	131
140	if [ $rc -eq 0 ]; then	132	verbose "$tid: $ident auth $auth expect $result $ktype"
141	fail "$ident succeeded unexpectedly"	133	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
		134	-I "regress user key for $USER" \
		135	$sign_opts \
		136	$OBJ/cert_user_key_${ktype} \|\|
		137	fail "couldn't sign cert_user_key_${ktype}"
		138
		139	${SSH} -2i $OBJ/cert_user_key_${ktype} \
		140	-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		141	rc=$?
		142	if [ "x$result" = "xsuccess" ] ; then
		143	if [ $rc -ne 0 ]; then
		144	fail "$ident failed unexpectedly"
		145	fi
		146	else
		147	if [ $rc -eq 0 ]; then
		148	fail "$ident succeeded unexpectedly"
		149	fi
142	fi	150	fi
143	fi	151	done
144	done	152	done
145	}	153	}
146		154
@@ -158,9 +166,13 @@ test_one "empty principals" success "" authorized_keys
158	test_one "empty principals" failure "" TrustedUserCAKeys	166	test_one "empty principals" failure "" TrustedUserCAKeys
159		167
160	# Wrong certificate	168	# Wrong certificate
161	for ktype in rsa dsa ; do	169	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		170	case $ktype in
		171	*_v00) args="-t v00" ;;
		172	*) args="" ;;
		173	esac
162	# Self-sign	174	# Self-sign
163	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \	175	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
164	"regress user key for $USER" \	176	"regress user key for $USER" \
165	-n $USER $OBJ/cert_user_key_${ktype} \|\|	177	-n $USER $OBJ/cert_user_key_${ktype} \|\|
166	fail "couldn't sign cert_user_key_${ktype}"	178	fail "couldn't sign cert_user_key_${ktype}"