summaryrefslogtreecommitdiff
path: root/regress/krl.sh
blob: 09246371c558103843d61020ad556dd028249810 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
#	$OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
#	Placed in the Public Domain.

tid="key revocation lists"

# If we don't support ecdsa keys then this tell will be much slower.
ECDSA=ecdsa
if test "x$TEST_SSH_ECC" != "xyes"; then
	ECDSA=rsa
fi

# Do most testing with ssh-keygen; it uses the same verification code as sshd.

# Old keys will interfere with ssh-keygen.
rm -f $OBJ/revoked-* $OBJ/krl-*

# Generate a CA key
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
	fatal "$SSHKEYGEN CA failed"

# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
# bitmap sections.
cat << EOF >> $OBJ/revoked-serials
serial: 1-4
serial: 10
serial: 15
serial: 30
serial: 50
serial: 999
# The following sum to 500-799
serial: 500
serial: 501
serial: 502
serial: 503-600
serial: 700-797
serial: 798
serial: 799
serial: 599-701
EOF

# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
	# Fill in by-ID revocation spec.
	echo "id: revoked $n" >> $OBJ/revoked-keyid
done

keygen() {
	N=$1
	f=$OBJ/revoked-`printf "%04d" $N`
	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
	keytype=$ECDSA
	case $N in
	2 | 10 | 510 | 1001)	keytype=rsa;;
	4 | 30 | 520 | 1002)	keytype=dsa;;
	esac
	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
		|| fatal "$SSHKEYGEN failed"
	# Sign cert
	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN sign failed"
	echo $f
}

# Generate some keys.
verbose "$tid: generating test keys"
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
for n in $REVOKED_SERIALS ; do
	f=`keygen $n`
	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
done
NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
NOTREVOKED=""
for n in $NOTREVOKED_SERIALS ; do
	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
done

genkrls() {
	OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
# KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
	>/dev/null || fatal "$SSHKEYGEN KRL failed"
}

## XXX dump with trace and grep for set cert serials
## XXX test ranges near (u64)-1, etc.

verbose "$tid: generating KRLs"
genkrls

check_krl() {
	KEY=$1
	KRL=$2
	EXPECT_REVOKED=$3
	TAG=$4
	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
	result=$?
	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
		fatal "key $KEY not revoked by KRL $KRL: $TAG"
	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
	fi
}
test_all() {
	FILES=$1
	TAG=$2
	KEYS_RESULT=$3
	ALL_RESULT=$4
	SERIAL_RESULT=$5
	KEYID_RESULT=$6
	CERTS_RESULT=$7
	CA_RESULT=$8
	verbose "$tid: checking revocations for $TAG"
	for f in $FILES ; do
		check_krl $f $OBJ/krl-empty  no             "$TAG"
		check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
		check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
		check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
		check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
		check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
		check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
	done
}
#                                            keys  all serial  keyid  certs   CA
test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes

# Check update. Results should be identical.
verbose "$tid: testing KRL update"
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
	cp -f $OBJ/krl-empty $f
	genkrls -u
done
#                                            keys  all serial  keyid  certs   CA
test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes