From 86936ec245a15c7abe71a0722610998b0a28b194 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 30 Jan 2015 01:11:39 +0000 Subject: upstream commit regression test for 'wildcard CA' serial/key ID revocations --- regress/krl.sh | 74 ++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 30 deletions(-) (limited to 'regress/krl.sh') diff --git a/regress/krl.sh b/regress/krl.sh index 799f9d093..1077358ff 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.5 2015/01/19 17:31:13 djm Exp $ +# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -74,26 +74,26 @@ verbose "$tid: generating test keys" REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" for n in $REVOKED_SERIALS ; do f=`keygen $n` - REVOKED_KEYS="$REVOKED_KEYS ${f}.pub" - REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub" + RKEYS="$RKEYS ${f}.pub" + RCERTS="$RCERTS ${f}-cert.pub" done UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011" UNREVOKED="" for n in $UNREVOKED_SERIALS ; do f=`keygen $n` - UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub" - UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub" + UKEYS="$UKEYS ${f}.pub" + UCERTS="$UCERTS ${f}-cert.pub" done genkrls() { OPTS=$1 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - /dev/null || fatal "$SSHKEYGEN KRL failed" -$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \ +$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \ >/dev/null || fatal "$SSHKEYGEN KRL failed" -$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \ +$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \ >/dev/null || fatal "$SSHKEYGEN KRL failed" -$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \ +$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ >/dev/null || fatal "$SSHKEYGEN KRL failed" $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ >/dev/null || fatal "$SSHKEYGEN KRL failed" @@ -102,14 +102,20 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" -$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \ +# These should succeed; they specify an explicit CA key. +$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \ + $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \ + $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed" +# These should succeed; they specify an wildcard CA key. +$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \ >/dev/null || fatal "$SSHKEYGEN KRL failed" # Revoke the same serials with the second CA key to ensure a multi-CA # KRL is generated. $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \ $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" -$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ - >/dev/null || fatal "$SSHKEYGEN KRL failed" } ## XXX dump with trace and grep for set cert serials @@ -131,7 +137,7 @@ check_krl() { fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" fi } -test_all() { +test_rev() { FILES=$1 TAG=$2 KEYS_RESULT=$3 @@ -140,32 +146,40 @@ test_all() { KEYID_RESULT=$6 CERTS_RESULT=$7 CA_RESULT=$8 + SERIAL_WRESULT=$9 + KEYID_WRESULT=$10 verbose "$tid: checking revocations for $TAG" for f in $FILES ; do - check_krl $f $OBJ/krl-empty no "$TAG" - check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" - check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" - check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" - check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" - check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" - check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" + check_krl $f $OBJ/krl-empty no "$TAG" + check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" + check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" + check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" + check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" + check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" + check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" + check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG" + check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG" done } -# keys all serial keyid certs CA -test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no -test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no -test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes -test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes + +test_all() { + # wildcard + # keys all sr# k.ID cert CA sr.# k.ID + test_rev "$RKEYS" "revoked keys" yes yes no no no no no no + test_rev "$UKEYS" "unrevoked keys" no no no no no no no no + test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes + test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no +} + +test_all # Check update. Results should be identical. verbose "$tid: testing KRL update" for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ - $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do + $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ + $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do cp -f $OBJ/krl-empty $f genkrls -u done -# keys all serial keyid certs CA -test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no -test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no -test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes -test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes + +test_all -- cgit v1.2.3