summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/cert-hostkey.sh148
-rw-r--r--regress/cert-userkey.sh39
-rw-r--r--regress/unittests/sshkey/test_sshkey.c4
3 files changed, 67 insertions, 124 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..c99c2b1c3 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27 27
28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 28PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29 29
30type_has_legacy() {
31 case $1 in
32 ed25519*|ecdsa*) return 1 ;;
33 esac
34 return 0
35}
36
37# Prepare certificate, plain key and CA KRLs 30# Prepare certificate, plain key and CA KRLs
38${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" 31${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
39${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" 32${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
61 fatal "KRL update failed" 54 fatal "KRL update failed"
62 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert 55 cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63 serial=`expr $serial + 1` 56 serial=`expr $serial + 1`
64 type_has_legacy $ktype || continue
65 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67 verbose "$tid: sign host ${ktype}_v00 cert"
68 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69 -I "regress host key for $USER" \
70 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
71 fatal "couldn't sign cert_host_key_${ktype}_v00"
72 ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73 $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
74 fatal "KRL update failed"
75 cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76done 57done
77 58
78attempt_connect() { 59attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
98 79
99# Basic connect and revocation tests. 80# Basic connect and revocation tests.
100for privsep in yes no ; do 81for privsep in yes no ; do
101 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 82 for ktype in $PLAIN_TYPES ; do
102 verbose "$tid: host ${ktype} cert connect privsep $privsep" 83 verbose "$tid: host ${ktype} cert connect privsep $privsep"
103 ( 84 (
104 cat $OBJ/sshd_proxy_bak 85 cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
133 printf '@cert-authority ' 114 printf '@cert-authority '
134 printf "$HOSTS " 115 printf "$HOSTS "
135 cat $OBJ/host_ca_key.pub 116 cat $OBJ/host_ca_key.pub
136 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 117 for ktype in $PLAIN_TYPES ; do
137 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" 118 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
138 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" 119 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139 done 120 done
140) > $OBJ/known_hosts-cert.orig 121) > $OBJ/known_hosts-cert.orig
141cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 122cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142for privsep in yes no ; do 123for privsep in yes no ; do
143 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 124 for ktype in $PLAIN_TYPES ; do
144 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 125 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145 ( 126 (
146 cat $OBJ/sshd_proxy_bak 127 cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
169 cat $OBJ/host_ca_key.pub 150 cat $OBJ/host_ca_key.pub
170) > $OBJ/known_hosts-cert.orig 151) > $OBJ/known_hosts-cert.orig
171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 152cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 153for ktype in $PLAIN_TYPES ; do
173 verbose "$tid: host ${ktype} revoked cert" 154 verbose "$tid: host ${ktype} revoked cert"
174 ( 155 (
175 cat $OBJ/sshd_proxy_bak 156 cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
198 result=$2 179 result=$2
199 sign_opts=$3 180 sign_opts=$3
200 181
201 for kt in rsa rsa_v00 ; do 182 for kt in rsa ed25519 ; do
202 case $kt in
203 *_v00) args="-t v00" ;;
204 *) args="" ;;
205 esac
206
207 verbose "$tid: host cert connect $ident $kt expect $result"
208 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ 183 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209 -I "regress host key for $USER" \ 184 -I "regress host key for $USER" \
210 $sign_opts $args \ 185 $sign_opts $OBJ/cert_host_key_${kt} ||
211 $OBJ/cert_host_key_${kt} ||
212 fail "couldn't sign cert_host_key_${kt}" 186 fail "couldn't sign cert_host_key_${kt}"
213 ( 187 (
214 cat $OBJ/sshd_proxy_bak 188 cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242test_one "cert has constraints" failure "-h -Oforce-command=false" 216test_one "cert has constraints" failure "-h -Oforce-command=false"
243 217
244# Check downgrade of cert to raw key when no CA found 218# Check downgrade of cert to raw key when no CA found
245for v in v01 v00 ; do 219for ktype in $PLAIN_TYPES ; do
246 for ktype in $PLAIN_TYPES ; do 220 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247 type_has_legacy $ktype || continue 221 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 222 # Generate and sign a host key
249 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 223 ${SSHKEYGEN} -q -N '' -t ${ktype} \
250 # Generate and sign a host key 224 -f $OBJ/cert_host_key_${ktype} || \
251 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 225 fail "ssh-keygen of cert_host_key_${ktype} failed"
252 -f $OBJ/cert_host_key_${ktype} || \ 226 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253 fail "ssh-keygen of cert_host_key_${ktype} failed" 227 -I "regress host key for $USER" \
254 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 228 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
255 -I "regress host key for $USER" \ 229 fail "couldn't sign cert_host_key_${ktype}"
256 -n $HOSTS $OBJ/cert_host_key_${ktype} || 230 (
257 fail "couldn't sign cert_host_key_${ktype}" 231 printf "$HOSTS "
258 ( 232 cat $OBJ/cert_host_key_${ktype}.pub
259 printf "$HOSTS " 233 ) > $OBJ/known_hosts-cert
260 cat $OBJ/cert_host_key_${ktype}.pub 234 (
261 ) > $OBJ/known_hosts-cert 235 cat $OBJ/sshd_proxy_bak
262 ( 236 echo HostKey $OBJ/cert_host_key_${ktype}
263 cat $OBJ/sshd_proxy_bak 237 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264 echo HostKey $OBJ/cert_host_key_${ktype} 238 ) > $OBJ/sshd_proxy
265 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 239
266 ) > $OBJ/sshd_proxy 240 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267 241 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 242 -F $OBJ/ssh_proxy somehost true
269 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 243 if [ $? -ne 0 ]; then
270 -F $OBJ/ssh_proxy somehost true 244 fail "ssh cert connect failed"
271 if [ $? -ne 0 ]; then 245 fi
272 fail "ssh cert connect failed"
273 fi
274 done
275done 246done
276 247
277# Wrong certificate 248# Wrong certificate
@@ -281,33 +252,30 @@ done
281 cat $OBJ/host_ca_key.pub 252 cat $OBJ/host_ca_key.pub
282) > $OBJ/known_hosts-cert.orig 253) > $OBJ/known_hosts-cert.orig
283cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 254cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284for v in v01 v00 ; do 255for kt in $PLAIN_TYPES ; do
285 for kt in $PLAIN_TYPES ; do 256 rm -f $OBJ/cert_host_key*
286 type_has_legacy $kt || continue 257 # Self-sign key
287 rm -f $OBJ/cert_host_key* 258 ${SSHKEYGEN} -q -N '' -t ${kt} \
288 # Self-sign key 259 -f $OBJ/cert_host_key_${kt} || \
289 ${SSHKEYGEN} -q -N '' -t ${kt} \ 260 fail "ssh-keygen of cert_host_key_${kt} failed"
290 -f $OBJ/cert_host_key_${kt} || \ 261 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291 fail "ssh-keygen of cert_host_key_${kt} failed" 262 -I "regress host key for $USER" \
292 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 263 -n $HOSTS $OBJ/cert_host_key_${kt} ||
293 -I "regress host key for $USER" \ 264 fail "couldn't sign cert_host_key_${kt}"
294 -n $HOSTS $OBJ/cert_host_key_${kt} || 265 verbose "$tid: host ${kt} connect wrong cert"
295 fail "couldn't sign cert_host_key_${kt}" 266 (
296 verbose "$tid: host ${kt} connect wrong cert" 267 cat $OBJ/sshd_proxy_bak
297 ( 268 echo HostKey $OBJ/cert_host_key_${kt}
298 cat $OBJ/sshd_proxy_bak 269 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299 echo HostKey $OBJ/cert_host_key_${kt} 270 ) > $OBJ/sshd_proxy
300 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 271
301 ) > $OBJ/sshd_proxy 272 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302 273 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 274 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 275 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 276 if [ $? -eq 0 ]; then
306 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 277 fail "ssh cert connect $ident succeeded unexpectedly"
307 if [ $? -eq 0 ]; then 278 fi
308 fail "ssh cert connect $ident succeeded unexpectedly"
309 fi
310 done
311done 279done
312 280
313rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* 281rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index b093a9196..d461b9e34 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 8
9PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 9PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
10 10
11type_has_legacy() {
12 case $1 in
13 ed25519*|ecdsa*) return 1 ;;
14 esac
15 return 0
16}
17
18# Create a CA key 11# Create a CA key
19${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 12${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
20 fail "ssh-keygen of user_ca_key failed" 13 fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
28 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 21 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
29 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 22 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
30 fail "couldn't sign cert_user_key_${ktype}" 23 fail "couldn't sign cert_user_key_${ktype}"
31 type_has_legacy $ktype || continue
32 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
33 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
34 verbose "$tid: sign host ${ktype}_v00 cert"
35 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
36 "regress user key for $USER" \
37 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
38 fatal "couldn't sign cert_user_key_${ktype}_v00"
39done 24done
40 25
41# Test explicitly-specified principals 26# Test explicitly-specified principals
42for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 27for ktype in $PLAIN_TYPES ; do
43 for privsep in yes no ; do 28 for privsep in yes no ; do
44 _prefix="${ktype} privsep $privsep" 29 _prefix="${ktype} privsep $privsep"
45 30
@@ -165,7 +150,7 @@ basic_tests() {
165 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 150 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
166 fi 151 fi
167 152
168 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 153 for ktype in $PLAIN_TYPES ; do
169 for privsep in yes no ; do 154 for privsep in yes no ; do
170 _prefix="${ktype} privsep $privsep $auth" 155 _prefix="${ktype} privsep $privsep $auth"
171 # Simple connect 156 # Simple connect
@@ -257,12 +242,7 @@ test_one() {
257 fi 242 fi
258 243
259 for auth in $auth_choice ; do 244 for auth in $auth_choice ; do
260 for ktype in rsa rsa_v00 ; do 245 for ktype in rsa ed25519 ; do
261 case $ktype in
262 *_v00) keyv="-t v00" ;;
263 *) keyv="" ;;
264 esac
265
266 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 246 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
267 if test "x$auth" = "xauthorized_keys" ; then 247 if test "x$auth" = "xauthorized_keys" ; then
268 # Add CA to authorized_keys 248 # Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
282 verbose "$tid: $ident auth $auth expect $result $ktype" 262 verbose "$tid: $ident auth $auth expect $result $ktype"
283 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 263 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
284 -I "regress user key for $USER" \ 264 -I "regress user key for $USER" \
285 $sign_opts $keyv \ 265 $sign_opts $OBJ/cert_user_key_${ktype} ||
286 $OBJ/cert_user_key_${ktype} ||
287 fail "couldn't sign cert_user_key_${ktype}" 266 fail "couldn't sign cert_user_key_${ktype}"
288 267
289 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 268 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
335 314
336# Wrong certificate 315# Wrong certificate
337cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 316cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
338for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 317for ktype in $PLAIN_TYPES ; do
339 case $ktype in
340 *_v00) args="-t v00" ;;
341 *) args="" ;;
342 esac
343 # Self-sign 318 # Self-sign
344 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ 319 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
345 "regress user key for $USER" \ 320 "regress user key for $USER" \
346 -n $USER $OBJ/cert_user_key_${ktype} || 321 -n $USER $OBJ/cert_user_key_${ktype} ||
347 fail "couldn't sign cert_user_key_${ktype}" 322 fail "couldn't sign cert_user_key_${ktype}"
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 4453a8599..9e780701a 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -424,7 +424,7 @@ sshkey_tests(void)
424 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"), 424 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
425 &k1, NULL), 0); 425 &k1, NULL), 0);
426 k2 = get_private("ed25519_2"); 426 k2 = get_private("ed25519_2");
427 ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0); 427 ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
428 ASSERT_PTR_NE(k1->cert, NULL); 428 ASSERT_PTR_NE(k1->cert, NULL);
429 k1->cert->type = SSH2_CERT_TYPE_USER; 429 k1->cert->type = SSH2_CERT_TYPE_USER;
430 k1->cert->serial = 1234; 430 k1->cert->serial = 1234;