- djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9097a13..3fda667 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -50,6 +50,68 @@
done
done
+# Revoked certificates with key present
+(
+ echon '@cert-authority '
+ echon "$HOSTS "
+ cat $OBJ/host_ca_key.pub
+ echon '@revoked '
+ echon "* "
+ cat $OBJ/cert_host_key_rsa.pub
+ echon '@revoked '
+ echon "* "
+ cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+ for ktype in rsa dsa ; do
+ verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ echo UsePrivilegeSeparation $privsep
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+ done
+done
+
+# Revoked CA
+(
+ echon '@cert-authority '
+ echon "$HOSTS "
+ cat $OBJ/host_ca_key.pub
+ echon '@revoked '
+ echon "* "
+ cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do
+ verbose "$tid: host ${ktype} revoked cert"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpectedly"
+ fi
+done
+
+# Create a CA key and add it to known hosts
+(
+ echon '@cert-authority '
+ echon "$HOSTS "
+ cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
test_one() {
ident=$1
result=$2
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 8749152..7a58e7b 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -6,13 +6,9 @@
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-# Create a CA key and add it to authorized_keys
+# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
-(
- echon 'cert-authority '
- cat $OBJ/user_ca_key.pub
-) > $OBJ/authorized_keys_$USER
# Generate and sign user keys
for ktype in rsa dsa ; do
@@ -26,64 +22,140 @@
fail "couldn't sign cert_user_key_${ktype}"
done
-# Basic connect tests
-for privsep in yes no ; do
+basic_tests() {
+ auth=$1
+ if test "x$auth" = "xauthorized_keys" ; then
+ # Add CA to authorized_keys
+ (
+ echon 'cert-authority '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ else
+ echo > $OBJ/authorized_keys_$USER
+ extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ fi
+
for ktype in rsa dsa ; do
- verbose "$tid: user ${ktype} cert connect privsep $privsep"
+ for privsep in yes no ; do
+ _prefix="${ktype} privsep $privsep $auth"
+ # Simple connect
+ verbose "$tid: ${_prefix} connect"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "UsePrivilegeSeparation $privsep"
+ echo "$extra_sshd"
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
+
+ # Revoked keys
+ verbose "$tid: ${_prefix} revoked key"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "UsePrivilegeSeparation $privsep"
+ echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+ echo "$extra_sshd"
+ ) > $OBJ/sshd_proxy
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ done
+
+ # Revoked CA
+ verbose "$tid: ${ktype} $auth revoked CA key"
(
cat $OBJ/sshd_proxy_bak
- echo "UsePrivilegeSeparation $privsep"
+ echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "$extra_sshd"
) > $OBJ/sshd_proxy
-
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
- somehost true
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
+ somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
fi
done
-done
+
+ verbose "$tid: $auth CA does not authenticate"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo "$extra_sshd"
+ ) > $OBJ/sshd_proxy
+ verbose "$tid: ensure CA key does not authenticate user"
+ ${SSH} -2i $OBJ/user_ca_key \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect with CA key succeeded unexpectedly"
+ fi
+}
-verbose "$tid: ensure CA key does not authenticate user"
-${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- fail "ssh cert connect with CA key succeeded unexpectedly"
-fi
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys
test_one() {
ident=$1
result=$2
sign_opts=$3
-
- verbose "$tid: test user cert connect $ident expect $result"
+ auth_choice=$4
- ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
- $sign_opts \
- $OBJ/cert_user_key_rsa ||
- fail "couldn't sign cert_user_key_rsa"
-
- ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
- somehost true >/dev/null 2>&1
- rc=$?
- if [ "x$result" = "xsuccess" ] ; then
- if [ $rc -ne 0 ]; then
- fail "ssh cert connect $ident failed unexpectedly"
- fi
- else
- if [ $rc -eq 0 ]; then
- fail "ssh cert connect $ident succeeded unexpectedly"
- fi
+ if test "x$auth_choice" = "x" ; then
+ auth_choice="authorized_keys TrustedUserCAKeys"
fi
- cleanup
+
+ for auth in $auth_choice ; do
+ cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+ if test "x$auth" = "xauthorized_keys" ; then
+ # Add CA to authorized_keys
+ (
+ echon 'cert-authority '
+ cat $OBJ/user_ca_key.pub
+ ) > $OBJ/authorized_keys_$USER
+ else
+ echo > $OBJ/authorized_keys_$USER
+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+ $OBJ/sshd_proxy
+
+ fi
+
+ verbose "$tid: $ident auth $auth expect $result"
+ ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+ -I "regress user key for $USER" \
+ $sign_opts \
+ $OBJ/cert_user_key_rsa ||
+ fail "couldn't sign cert_user_key_rsa"
+
+ ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+ somehost true >/dev/null 2>&1
+ rc=$?
+ if [ "x$result" = "xsuccess" ] ; then
+ if [ $rc -ne 0 ]; then
+ fail "$ident failed unexpectedly"
+ fi
+ else
+ if [ $rc -eq 0 ]; then
+ fail "$ident succeeded unexpectedly"
+ fi
+ fi
+ done
}
-test_one "host-certificate" failure "-h"
-test_one "empty principals" success ""
+test_one "correct principal" success "-n ${USER}"
+test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
-test_one "cert not yet valid" failure "-V20200101:20300101"
-test_one "cert expired" failure "-V19800101:19900101"
-test_one "cert valid interval" success "-V-1w:+2w"
-test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"
-test_one "force-command" failure "-Oforce-command=false"
+test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command" failure "-n ${USER} -Oforce-command=false"
+
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals" success "" authorized_keys
+test_one "empty principals" failure "" TrustedUserCAKeys
# Wrong certificate
for ktype in rsa dsa ; do
@@ -101,3 +173,4 @@
done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+