From 700dcfa3e0a98be44f2e3675849055984f04a70a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 4 Mar 2010 21:58:01 +1100 Subject: - djm@cvs.openbsd.org 2010/03/04 10:38:23 [regress/cert-hostkey.sh regress/cert-userkey.sh] additional regression tests for revoked keys and TrustedUserCAKeys --- regress/cert-userkey.sh | 161 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 117 insertions(+), 44 deletions(-) (limited to 'regress/cert-userkey.sh') diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 874915205..7a58e7b75 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -6,13 +6,9 @@ tid="certified user keys" rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -# Create a CA key and add it to authorized_keys +# Create a CA key ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ fail "ssh-keygen of user_ca_key failed" -( - echon 'cert-authority ' - cat $OBJ/user_ca_key.pub -) > $OBJ/authorized_keys_$USER # Generate and sign user keys for ktype in rsa dsa ; do @@ -26,64 +22,140 @@ for ktype in rsa dsa ; do fail "couldn't sign cert_user_key_${ktype}" done -# Basic connect tests -for privsep in yes no ; do +basic_tests() { + auth=$1 + if test "x$auth" = "xauthorized_keys" ; then + # Add CA to authorized_keys + ( + echon 'cert-authority ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + else + echo > $OBJ/authorized_keys_$USER + extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" + fi + for ktype in rsa dsa ; do - verbose "$tid: user ${ktype} cert connect privsep $privsep" + for privsep in yes no ; do + _prefix="${ktype} privsep $privsep $auth" + # Simple connect + verbose "$tid: ${_prefix} connect" + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Revoked keys + verbose "$tid: ${_prefix} revoked key" + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" + fi + done + + # Revoked CA + verbose "$tid: ${ktype} $auth revoked CA key" ( cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" + echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "$extra_sshd" ) > $OBJ/sshd_proxy - ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ - somehost true - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" + somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpecedly" fi done -done + + verbose "$tid: $auth CA does not authenticate" + ( + cat $OBJ/sshd_proxy_bak + echo "$extra_sshd" + ) > $OBJ/sshd_proxy + verbose "$tid: ensure CA key does not authenticate user" + ${SSH} -2i $OBJ/user_ca_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect with CA key succeeded unexpectedly" + fi +} -verbose "$tid: ensure CA key does not authenticate user" -${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 -if [ $? -eq 0 ]; then - fail "ssh cert connect with CA key succeeded unexpectedly" -fi +basic_tests authorized_keys +basic_tests TrustedUserCAKeys test_one() { ident=$1 result=$2 sign_opts=$3 - - verbose "$tid: test user cert connect $ident expect $result" + auth_choice=$4 + + if test "x$auth_choice" = "x" ; then + auth_choice="authorized_keys TrustedUserCAKeys" + fi - ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ - $sign_opts \ - $OBJ/cert_user_key_rsa || - fail "couldn't sign cert_user_key_rsa" + for auth in $auth_choice ; do + cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy + if test "x$auth" = "xauthorized_keys" ; then + # Add CA to authorized_keys + ( + echon 'cert-authority ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + else + echo > $OBJ/authorized_keys_$USER + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ + $OBJ/sshd_proxy - ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ - somehost true >/dev/null 2>&1 - rc=$? - if [ "x$result" = "xsuccess" ] ; then - if [ $rc -ne 0 ]; then - fail "ssh cert connect $ident failed unexpectedly" fi - else - if [ $rc -eq 0 ]; then - fail "ssh cert connect $ident succeeded unexpectedly" + + verbose "$tid: $ident auth $auth expect $result" + ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ + -I "regress user key for $USER" \ + $sign_opts \ + $OBJ/cert_user_key_rsa || + fail "couldn't sign cert_user_key_rsa" + + ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ + somehost true >/dev/null 2>&1 + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "$ident failed unexpectedly" + fi + else + if [ $rc -eq 0 ]; then + fail "$ident succeeded unexpectedly" + fi fi - fi - cleanup + done } -test_one "host-certificate" failure "-h" -test_one "empty principals" success "" +test_one "correct principal" success "-n ${USER}" +test_one "host-certificate" failure "-n ${USER} -h" test_one "wrong principals" failure "-n foo" -test_one "cert not yet valid" failure "-V20200101:20300101" -test_one "cert expired" failure "-V19800101:19900101" -test_one "cert valid interval" success "-V-1w:+2w" -test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" -test_one "force-command" failure "-Oforce-command=false" +test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" +test_one "cert expired" failure "-n ${USER} -V19800101:19900101" +test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" +test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" +test_one "force-command" failure "-n ${USER} -Oforce-command=false" + +# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals +test_one "empty principals" success "" authorized_keys +test_one "empty principals" failure "" TrustedUserCAKeys # Wrong certificate for ktype in rsa dsa ; do @@ -101,3 +173,4 @@ for ktype in rsa dsa ; do done rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* + -- cgit v1.2.3