Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 700dcfa3e0a98be44f2e3675849055984f04a70a^! / . / regress / cert-hostkey.sh
commit700dcfa3e0a98be44f2e3675849055984f04a70a[log] [tgz]
authorDamien Miller <djm@mindrot.org>Thu Mar 04 21:58:01 2010 +1100
committerDamien Miller <djm@mindrot.org>Thu Mar 04 21:58:01 2010 +1100
treec10708a700b61025695b7755c25aa98f3dff0d9b
parent017d1e777ef197eab866b9d0046e000a46baf10b [diff] [blame]
   - djm@cvs.openbsd.org 2010/03/04 10:38:23
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9097a13..3fda667 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -50,6 +50,68 @@
 	done
 done
 
+# Revoked certificates with key present
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_rsa.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+	for ktype in rsa dsa ; do 
+		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	done
+done
+
+# Revoked CA
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
+
+# Create a CA key and add it to known hosts
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
 test_one() {
 	ident=$1
 	result=$2