3 files changed, 67 insertions, 124 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2b..c99c2b1c3 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
-type_has_legacy() {
-        case $1 in
-                ed25519*|ecdsa*) return 1 ;;
-        esac
-        return 0
-}
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
                fatal "KRL update failed"
        cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
        serial=`expr $serial + 1`
-        type_has_legacy $ktype || continue
-        cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-        cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-        verbose "$tid: sign host ${ktype}_v00 cert"
-        ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-            -I "regress host key for $USER" \
-            -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-                fatal "couldn't sign cert_host_key_${ktype}_v00"
-        ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-            $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-                fatal "KRL update failed"
-        cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} cert connect privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
        printf '@cert-authority '
        printf "$HOSTS "
        cat $OBJ/host_ca_key.pub
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+        for ktype in $PLAIN_TYPES ; do
                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
        done
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES ; do 
                verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
        verbose "$tid: host ${ktype} revoked cert"
        (
                cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
        result=$2
        sign_opts=$3
-        for kt in rsa rsa_v00 ; do
+        for kt in rsa ed25519 ; do
-                case $kt in
-                *_v00) args="-t v00" ;;
-                *) args="" ;;
-                esac
-                verbose "$tid: host cert connect $ident $kt expect $result"
                ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
                    -I "regress host key for $USER" \
-                    $sign_opts $args \
+                    $sign_opts $OBJ/cert_host_key_${kt} ||
-                    $OBJ/cert_host_key_${kt} ||
                        fail "couldn't sign cert_host_key_${kt}"
                (
                        cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints" failure "-h -Oforce-command=false"
 # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
+for ktype in $PLAIN_TYPES ; do 
-        for ktype in $PLAIN_TYPES ; do 
+        rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-                type_has_legacy $ktype || continue
+        verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-                rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+        # Generate and sign a host key
-                verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+        ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                # Generate and sign a host key
+            -f $OBJ/cert_host_key_${ktype} || \
-                ${SSHKEYGEN} -q -N '' -t ${ktype} \
+                fail "ssh-keygen of cert_host_key_${ktype} failed"
-                    -f $OBJ/cert_host_key_${ktype} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                        fail "ssh-keygen of cert_host_key_${ktype} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+            -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${ktype}"
-                    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+        (
-                        fail "couldn't sign cert_host_key_${ktype}"
+                printf "$HOSTS "
-                (
+                cat $OBJ/cert_host_key_${ktype}.pub
-                        printf "$HOSTS "
+        ) > $OBJ/known_hosts-cert
-                        cat $OBJ/cert_host_key_${ktype}.pub
+        (
-                ) > $OBJ/known_hosts-cert
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${ktype}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${ktype}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+        
-                ) > $OBJ/sshd_proxy
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy somehost true
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -ne 0 ]; then
-                        -F $OBJ/ssh_proxy somehost true
+                fail "ssh cert connect failed"
-                if [ $? -ne 0 ]; then
+        fi
-                        fail "ssh cert connect failed"
-                fi
-        done
 done
 # Wrong certificate
@@ -281,33 +252,30 @@ done
        cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
+for kt in $PLAIN_TYPES ; do 
-        for kt in $PLAIN_TYPES ; do 
+        rm -f $OBJ/cert_host_key*
-                type_has_legacy $kt || continue
+        # Self-sign key
-                rm -f $OBJ/cert_host_key*
+        ${SSHKEYGEN} -q -N '' -t ${kt} \
-                # Self-sign key
+            -f $OBJ/cert_host_key_${kt} || \
-                ${SSHKEYGEN} -q -N '' -t ${kt} \
+                fail "ssh-keygen of cert_host_key_${kt} failed"
-                    -f $OBJ/cert_host_key_${kt} || \
+        ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                        fail "ssh-keygen of cert_host_key_${kt} failed"
+            -I "regress host key for $USER" \
-                ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+            -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                    -I "regress host key for $USER" \
+                fail "couldn't sign cert_host_key_${kt}"
-                    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+        verbose "$tid: host ${kt} connect wrong cert"
-                        fail "couldn't sign cert_host_key_${kt}"
+        (
-                verbose "$tid: host ${kt} connect wrong cert"
+                cat $OBJ/sshd_proxy_bak
-                (
+                echo HostKey $OBJ/cert_host_key_${kt}
-                        cat $OBJ/sshd_proxy_bak
+                echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                        echo HostKey $OBJ/cert_host_key_${kt}
+        ) > $OBJ/sshd_proxy
-                        echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-                ) > $OBJ/sshd_proxy
+        cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-        
+        ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+            -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+                -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-                    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+        if [ $? -eq 0 ]; then
-                        -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+                fail "ssh cert connect $ident succeeded unexpectedly"
-                if [ $? -eq 0 ]; then
+        fi
-                        fail "ssh cert connect $ident succeeded unexpectedly"
-                fi
-        done
 done
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index b093a9196..d461b9e34 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
-type_has_legacy() {
-        case $1 in
-                ed25519*|ecdsa*) return 1 ;;
-        esac
-        return 0
-}
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
        fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
        ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
            -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
-        type_has_legacy $ktype || continue
-        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
-        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
-        verbose "$tid: sign host ${ktype}_v00 cert"
-        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
-            "regress user key for $USER" \
-            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-                fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
        for privsep in yes no ; do
                _prefix="${ktype} privsep $privsep"
@@ -165,7 +150,7 @@ basic_tests() {
                extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
        fi
        
-        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+        for ktype in $PLAIN_TYPES ; do 
                for privsep in yes no ; do
                        _prefix="${ktype} privsep $privsep $auth"
                        # Simple connect
@@ -257,12 +242,7 @@ test_one() {
        fi
        for auth in $auth_choice ; do
-                for ktype in rsa rsa_v00 ; do
+                for ktype in rsa ed25519 ; do
-                        case $ktype in
-                        *_v00) keyv="-t v00" ;;
-                        *) keyv="" ;;
-                        esac
                        cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
                        if test "x$auth" = "xauthorized_keys" ; then
                                # Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
                        verbose "$tid: $ident auth $auth expect $result $ktype"
                        ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
                            -I "regress user key for $USER" \
-                            $sign_opts $keyv \
+                            $sign_opts $OBJ/cert_user_key_${ktype} ||
-                            $OBJ/cert_user_key_${ktype} ||
                                fail "couldn't sign cert_user_key_${ktype}"
                        ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
-        case $ktype in
-        *_v00) args="-t v00" ;;
-        *) args="" ;;
-        esac
        # Self-sign
-        ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+        ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
            "regress user key for $USER" \
            -n $USER $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 4453a8599..9e780701a 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */
+/*      $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -424,7 +424,7 @@ sshkey_tests(void)
        ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
            &k1, NULL), 0);
        k2 = get_private("ed25519_2");
-        ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0);
+        ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
        ASSERT_PTR_NE(k1->cert, NULL);
        k1->cert->type = SSH2_CERT_TYPE_USER;
        k1->cert->serial = 1234;

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 51685dc2b..c99c2b1c3 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
27		27
28	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`	28	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
29		29
30	type_has_legacy() {
31	case $1 in
32	ed25519\|ecdsa) return 1 ;;
33	esac
34	return 0
35	}
36
37	# Prepare certificate, plain key and CA KRLs	30	# Prepare certificate, plain key and CA KRLs
38	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"	31	${SSHKEYGEN} -kf $OBJ/host_krl_empty \|\| fatal "KRL init failed"
39	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"	32	${SSHKEYGEN} -kf $OBJ/host_krl_plain \|\| fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
61	fatal "KRL update failed"	54	fatal "KRL update failed"
62	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert	55	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
63	serial=`expr $serial + 1`	56	serial=`expr $serial + 1`
64	type_has_legacy $ktype \|\| continue
65	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
66	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
67	verbose "$tid: sign host ${ktype}_v00 cert"
68	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
69	-I "regress host key for $USER" \
70	-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 \|\|
71	fatal "couldn't sign cert_host_key_${ktype}_v00"
72	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
73	$OBJ/cert_host_key_${ktype}_v00-cert.pub \|\| \
74	fatal "KRL update failed"
75	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
76	done	57	done
77		58
78	attempt_connect() {	59	attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
98		79
99	# Basic connect and revocation tests.	80	# Basic connect and revocation tests.
100	for privsep in yes no ; do	81	for privsep in yes no ; do
101	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	82	for ktype in $PLAIN_TYPES ; do
102	verbose "$tid: host ${ktype} cert connect privsep $privsep"	83	verbose "$tid: host ${ktype} cert connect privsep $privsep"
103	(	84	(
104	cat $OBJ/sshd_proxy_bak	85	cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
133	printf '@cert-authority '	114	printf '@cert-authority '
134	printf "$HOSTS "	115	printf "$HOSTS "
135	cat $OBJ/host_ca_key.pub	116	cat $OBJ/host_ca_key.pub
136	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	117	for ktype in $PLAIN_TYPES ; do
137	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"	118	test -f "$OBJ/cert_host_key_${ktype}.pub" \|\| fatal "no pubkey"
138	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"	119	printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
139	done	120	done
140	) > $OBJ/known_hosts-cert.orig	121	) > $OBJ/known_hosts-cert.orig
141	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	122	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
142	for privsep in yes no ; do	123	for privsep in yes no ; do
143	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do	124	for ktype in $PLAIN_TYPES ; do
144	verbose "$tid: host ${ktype} revoked cert privsep $privsep"	125	verbose "$tid: host ${ktype} revoked cert privsep $privsep"
145	(	126	(
146	cat $OBJ/sshd_proxy_bak	127	cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
169	cat $OBJ/host_ca_key.pub	150	cat $OBJ/host_ca_key.pub
170	) > $OBJ/known_hosts-cert.orig	151	) > $OBJ/known_hosts-cert.orig
171	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	152	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	153	for ktype in $PLAIN_TYPES ; do
173	verbose "$tid: host ${ktype} revoked cert"	154	verbose "$tid: host ${ktype} revoked cert"
174	(	155	(
175	cat $OBJ/sshd_proxy_bak	156	cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
198	result=$2	179	result=$2
199	sign_opts=$3	180	sign_opts=$3
200		181
201	for kt in rsa rsa_v00 ; do	182	for kt in rsa ed25519 ; do
202	case $kt in
203	*_v00) args="-t v00" ;;
204	*) args="" ;;
205	esac
206
207	verbose "$tid: host cert connect $ident $kt expect $result"
208	${SSHKEYGEN} -q -s $OBJ/host_ca_key \	183	${SSHKEYGEN} -q -s $OBJ/host_ca_key \
209	-I "regress host key for $USER" \	184	-I "regress host key for $USER" \
210	$sign_opts $args \	185	$sign_opts $OBJ/cert_host_key_${kt} \|\|
211	$OBJ/cert_host_key_${kt} \|\|
212	fail "couldn't sign cert_host_key_${kt}"	186	fail "couldn't sign cert_host_key_${kt}"
213	(	187	(
214	cat $OBJ/sshd_proxy_bak	188	cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
242	test_one "cert has constraints" failure "-h -Oforce-command=false"	216	test_one "cert has constraints" failure "-h -Oforce-command=false"
243		217
244	# Check downgrade of cert to raw key when no CA found	218	# Check downgrade of cert to raw key when no CA found
245	for v in v01 v00 ; do	219	for ktype in $PLAIN_TYPES ; do
246	for ktype in $PLAIN_TYPES ; do	220	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
247	type_has_legacy $ktype \|\| continue	221	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
248	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*	222	# Generate and sign a host key
249	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"	223	${SSHKEYGEN} -q -N '' -t ${ktype} \
250	# Generate and sign a host key	224	-f $OBJ/cert_host_key_${ktype} \|\| \
251	${SSHKEYGEN} -q -N '' -t ${ktype} \	225	fail "ssh-keygen of cert_host_key_${ktype} failed"
252	-f $OBJ/cert_host_key_${ktype} \|\| \	226	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
253	fail "ssh-keygen of cert_host_key_${ktype} failed"	227	-I "regress host key for $USER" \
254	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \	228	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|
255	-I "regress host key for $USER" \	229	fail "couldn't sign cert_host_key_${ktype}"
256	-n $HOSTS $OBJ/cert_host_key_${ktype} \|\|	230	(
257	fail "couldn't sign cert_host_key_${ktype}"	231	printf "$HOSTS "
258	(	232	cat $OBJ/cert_host_key_${ktype}.pub
259	printf "$HOSTS "	233	) > $OBJ/known_hosts-cert
260	cat $OBJ/cert_host_key_${ktype}.pub	234	(
261	) > $OBJ/known_hosts-cert	235	cat $OBJ/sshd_proxy_bak
262	(	236	echo HostKey $OBJ/cert_host_key_${ktype}
263	cat $OBJ/sshd_proxy_bak	237	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
264	echo HostKey $OBJ/cert_host_key_${ktype}	238	) > $OBJ/sshd_proxy
265	echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub	239
266	) > $OBJ/sshd_proxy	240	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
267		241	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
268	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	242	-F $OBJ/ssh_proxy somehost true
269	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	243	if [ $? -ne 0 ]; then
270	-F $OBJ/ssh_proxy somehost true	244	fail "ssh cert connect failed"
271	if [ $? -ne 0 ]; then	245	fi
272	fail "ssh cert connect failed"
273	fi
274	done
275	done	246	done
276		247
277	# Wrong certificate	248	# Wrong certificate
@@ -281,33 +252,30 @@ done
281	cat $OBJ/host_ca_key.pub	252	cat $OBJ/host_ca_key.pub
282	) > $OBJ/known_hosts-cert.orig	253	) > $OBJ/known_hosts-cert.orig
283	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	254	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
284	for v in v01 v00 ; do	255	for kt in $PLAIN_TYPES ; do
285	for kt in $PLAIN_TYPES ; do	256	rm -f $OBJ/cert_host_key*
286	type_has_legacy $kt \|\| continue	257	# Self-sign key
287	rm -f $OBJ/cert_host_key*	258	${SSHKEYGEN} -q -N '' -t ${kt} \
288	# Self-sign key	259	-f $OBJ/cert_host_key_${kt} \|\| \
289	${SSHKEYGEN} -q -N '' -t ${kt} \	260	fail "ssh-keygen of cert_host_key_${kt} failed"
290	-f $OBJ/cert_host_key_${kt} \|\| \	261	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
291	fail "ssh-keygen of cert_host_key_${kt} failed"	262	-I "regress host key for $USER" \
292	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \	263	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|
293	-I "regress host key for $USER" \	264	fail "couldn't sign cert_host_key_${kt}"
294	-n $HOSTS $OBJ/cert_host_key_${kt} \|\|	265	verbose "$tid: host ${kt} connect wrong cert"
295	fail "couldn't sign cert_host_key_${kt}"	266	(
296	verbose "$tid: host ${kt} connect wrong cert"	267	cat $OBJ/sshd_proxy_bak
297	(	268	echo HostKey $OBJ/cert_host_key_${kt}
298	cat $OBJ/sshd_proxy_bak	269	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
299	echo HostKey $OBJ/cert_host_key_${kt}	270	) > $OBJ/sshd_proxy
300	echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub	271
301	) > $OBJ/sshd_proxy	272	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
302		273	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
303	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert	274	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
304	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \	275	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
305	-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \	276	if [ $? -eq 0 ]; then
306	-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1	277	fail "ssh cert connect $ident succeeded unexpectedly"
307	if [ $? -eq 0 ]; then	278	fi
308	fail "ssh cert connect $ident succeeded unexpectedly"
309	fi
310	done
311	done	279	done
312		280
313	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*	281	rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index b093a9196..d461b9e34 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8		8
9	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`	9	PLAIN_TYPES=`$SSH -Q key-plain \| sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
10		10
11	type_has_legacy() {
12	case $1 in
13	ed25519\|ecdsa) return 1 ;;
14	esac
15	return 0
16	}
17
18	# Create a CA key	11	# Create a CA key
19	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\	12	${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\
20	fail "ssh-keygen of user_ca_key failed"	13	fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
28	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \	21	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
29	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|	22	-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|
30	fail "couldn't sign cert_user_key_${ktype}"	23	fail "couldn't sign cert_user_key_${ktype}"
31	type_has_legacy $ktype \|\| continue
32	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
33	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
34	verbose "$tid: sign host ${ktype}_v00 cert"
35	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
36	"regress user key for $USER" \
37	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 \|\|
38	fatal "couldn't sign cert_user_key_${ktype}_v00"
39	done	24	done
40		25
41	# Test explicitly-specified principals	26	# Test explicitly-specified principals
42	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	27	for ktype in $PLAIN_TYPES ; do
43	for privsep in yes no ; do	28	for privsep in yes no ; do
44	_prefix="${ktype} privsep $privsep"	29	_prefix="${ktype} privsep $privsep"
45		30
@@ -165,7 +150,7 @@ basic_tests() {
165	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"	150	extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
166	fi	151	fi
167		152
168	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	153	for ktype in $PLAIN_TYPES ; do
169	for privsep in yes no ; do	154	for privsep in yes no ; do
170	_prefix="${ktype} privsep $privsep $auth"	155	_prefix="${ktype} privsep $privsep $auth"
171	# Simple connect	156	# Simple connect
@@ -257,12 +242,7 @@ test_one() {
257	fi	242	fi
258		243
259	for auth in $auth_choice ; do	244	for auth in $auth_choice ; do
260	for ktype in rsa rsa_v00 ; do	245	for ktype in rsa ed25519 ; do
261	case $ktype in
262	*_v00) keyv="-t v00" ;;
263	*) keyv="" ;;
264	esac
265
266	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy	246	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
267	if test "x$auth" = "xauthorized_keys" ; then	247	if test "x$auth" = "xauthorized_keys" ; then
268	# Add CA to authorized_keys	248	# Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
282	verbose "$tid: $ident auth $auth expect $result $ktype"	262	verbose "$tid: $ident auth $auth expect $result $ktype"
283	${SSHKEYGEN} -q -s $OBJ/user_ca_key \	263	${SSHKEYGEN} -q -s $OBJ/user_ca_key \
284	-I "regress user key for $USER" \	264	-I "regress user key for $USER" \
285	$sign_opts $keyv \	265	$sign_opts $OBJ/cert_user_key_${ktype} \|\|
286	$OBJ/cert_user_key_${ktype} \|\|
287	fail "couldn't sign cert_user_key_${ktype}"	266	fail "couldn't sign cert_user_key_${ktype}"
288		267
289	${SSH} -2i $OBJ/cert_user_key_${ktype} \	268	${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
335		314
336	# Wrong certificate	315	# Wrong certificate
337	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy	316	cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
338	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do	317	for ktype in $PLAIN_TYPES ; do
339	case $ktype in
340	*_v00) args="-t v00" ;;
341	*) args="" ;;
342	esac
343	# Self-sign	318	# Self-sign
344	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \	319	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
345	"regress user key for $USER" \	320	"regress user key for $USER" \
346	-n $USER $OBJ/cert_user_key_${ktype} \|\|	321	-n $USER $OBJ/cert_user_key_${ktype} \|\|
347	fail "couldn't sign cert_user_key_${ktype}"	322	fail "couldn't sign cert_user_key_${ktype}"


diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 4453a8599..9e780701a 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */	1	/* $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
2	/*	2	/*
3	* Regress test for sshkey.h key management API	3	* Regress test for sshkey.h key management API
4	*	4	*
@@ -424,7 +424,7 @@ sshkey_tests(void)
424	ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),	424	ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
425	&k1, NULL), 0);	425	&k1, NULL), 0);
426	k2 = get_private("ed25519_2");	426	k2 = get_private("ed25519_2");
427	ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0);	427	ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
428	ASSERT_PTR_NE(k1->cert, NULL);	428	ASSERT_PTR_NE(k1->cert, NULL);
429	k1->cert->type = SSH2_CERT_TYPE_USER;	429	k1->cert->type = SSH2_CERT_TYPE_USER;
430	k1->cert->serial = 1234;	430	k1->cert->serial = 1234;