blob: 6216abd875b055e66be108006a9d5f2e853d8f5e [file] [log] [blame]
Damien Miller3045b452011-05-20 19:07:45 +10001# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
Damien Miller58ac6de2010-02-27 07:57:12 +11002# Placed in the Public Domain.
3
4tid="certified host keys"
5
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +11006# used to disable ECC based tests on platforms without ECC
7ecdsa=""
Damien Miller322125b2011-01-07 09:50:08 +11008if test "x$TEST_SSH_ECC" = "xyes"; then
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +11009 ecdsa=ecdsa
10fi
11
Damien Miller58ac6de2010-02-27 07:57:12 +110012rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
14
15HOSTS='localhost-with-alias,127.0.0.1,::1'
16
17# Create a CA key and add it to known hosts
18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
19 fail "ssh-keygen of host_ca_key failed"
20(
Darren Tuckerc614c782010-03-01 12:49:05 +110021 echon '@cert-authority '
22 echon "$HOSTS "
Damien Miller58ac6de2010-02-27 07:57:12 +110023 cat $OBJ/host_ca_key.pub
24) > $OBJ/known_hosts-cert
25
26# Generate and sign host keys
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +110027for ktype in rsa dsa $ecdsa ; do
Damien Miller58ac6de2010-02-27 07:57:12 +110028 verbose "$tid: sign host ${ktype} cert"
29 # Generate and sign a host key
30 ${SSHKEYGEN} -q -N '' -t ${ktype} \
31 -f $OBJ/cert_host_key_${ktype} || \
32 fail "ssh-keygen of cert_host_key_${ktype} failed"
33 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
34 -I "regress host key for $USER" \
35 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
36 fail "couldn't sign cert_host_key_${ktype}"
Damien Miller6fd2d7d2010-10-21 15:27:14 +110037 # v00 ecdsa certs do not exist
Tim Rice02d99da2011-01-13 22:20:27 -080038 test "${ktype}" = "ecdsa" && continue
Damien Miller53f4bb62010-04-18 08:15:14 +100039 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
40 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
41 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
42 -I "regress host key for $USER" \
43 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
44 fail "couldn't sign cert_host_key_${ktype}_v00"
Damien Miller58ac6de2010-02-27 07:57:12 +110045done
46
47# Basic connect tests
48for privsep in yes no ; do
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +110049 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
Damien Miller58ac6de2010-02-27 07:57:12 +110050 verbose "$tid: host ${ktype} cert connect privsep $privsep"
51 (
52 cat $OBJ/sshd_proxy_bak
53 echo HostKey $OBJ/cert_host_key_${ktype}
54 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
55 echo UsePrivilegeSeparation $privsep
56 ) > $OBJ/sshd_proxy
57
58 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
59 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
60 -F $OBJ/ssh_proxy somehost true
61 if [ $? -ne 0 ]; then
62 fail "ssh cert connect failed"
63 fi
64 done
65done
66
Damien Miller700dcfa2010-03-04 21:58:01 +110067# Revoked certificates with key present
68(
69 echon '@cert-authority '
70 echon "$HOSTS "
71 cat $OBJ/host_ca_key.pub
72 echon '@revoked '
73 echon "* "
74 cat $OBJ/cert_host_key_rsa.pub
Tim Ricec5c346b2011-01-13 22:36:14 -080075 if test "x$TEST_SSH_ECC" = "xyes"; then
76 echon '@revoked '
77 echon "* "
78 cat $OBJ/cert_host_key_ecdsa.pub
79 fi
Damien Miller6fd2d7d2010-10-21 15:27:14 +110080 echon '@revoked '
81 echon "* "
Damien Miller700dcfa2010-03-04 21:58:01 +110082 cat $OBJ/cert_host_key_dsa.pub
Damien Miller53f4bb62010-04-18 08:15:14 +100083 echon '@revoked '
84 echon "* "
85 cat $OBJ/cert_host_key_rsa_v00.pub
86 echon '@revoked '
87 echon "* "
88 cat $OBJ/cert_host_key_dsa_v00.pub
Damien Miller700dcfa2010-03-04 21:58:01 +110089) > $OBJ/known_hosts-cert
90for privsep in yes no ; do
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +110091 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
Damien Miller700dcfa2010-03-04 21:58:01 +110092 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
93 (
94 cat $OBJ/sshd_proxy_bak
95 echo HostKey $OBJ/cert_host_key_${ktype}
96 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
97 echo UsePrivilegeSeparation $privsep
98 ) > $OBJ/sshd_proxy
99
100 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
101 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
102 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
103 if [ $? -eq 0 ]; then
104 fail "ssh cert connect succeeded unexpectedly"
105 fi
106 done
107done
108
109# Revoked CA
110(
111 echon '@cert-authority '
112 echon "$HOSTS "
113 cat $OBJ/host_ca_key.pub
114 echon '@revoked '
115 echon "* "
116 cat $OBJ/host_ca_key.pub
117) > $OBJ/known_hosts-cert
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +1100118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
Damien Miller700dcfa2010-03-04 21:58:01 +1100119 verbose "$tid: host ${ktype} revoked cert"
120 (
121 cat $OBJ/sshd_proxy_bak
122 echo HostKey $OBJ/cert_host_key_${ktype}
123 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
124 ) > $OBJ/sshd_proxy
125 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
126 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
127 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
128 if [ $? -eq 0 ]; then
129 fail "ssh cert connect succeeded unexpectedly"
130 fi
131done
132
133# Create a CA key and add it to known hosts
134(
135 echon '@cert-authority '
136 echon "$HOSTS "
137 cat $OBJ/host_ca_key.pub
138) > $OBJ/known_hosts-cert
139
Damien Miller58ac6de2010-02-27 07:57:12 +1100140test_one() {
141 ident=$1
142 result=$2
143 sign_opts=$3
Damien Miller53f4bb62010-04-18 08:15:14 +1000144
145 for kt in rsa rsa_v00 ; do
146 case $kt in
147 *_v00) args="-t v00" ;;
148 *) args="" ;;
149 esac
150
151 verbose "$tid: host cert connect $ident $kt expect $result"
152 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
153 -I "regress host key for $USER" \
154 $sign_opts $args \
155 $OBJ/cert_host_key_${kt} ||
156 fail "couldn't sign cert_host_key_${kt}"
157 (
158 cat $OBJ/sshd_proxy_bak
159 echo HostKey $OBJ/cert_host_key_${kt}
160 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
161 ) > $OBJ/sshd_proxy
Damien Miller58ac6de2010-02-27 07:57:12 +1100162
Damien Miller53f4bb62010-04-18 08:15:14 +1000163 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
164 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
165 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
166 rc=$?
167 if [ "x$result" = "xsuccess" ] ; then
168 if [ $rc -ne 0 ]; then
169 fail "ssh cert connect $ident failed unexpectedly"
170 fi
171 else
172 if [ $rc -eq 0 ]; then
173 fail "ssh cert connect $ident succeeded unexpectedly"
174 fi
Damien Miller58ac6de2010-02-27 07:57:12 +1100175 fi
Damien Miller53f4bb62010-04-18 08:15:14 +1000176 done
Damien Miller58ac6de2010-02-27 07:57:12 +1100177}
178
179test_one "user-certificate" failure "-n $HOSTS"
180test_one "empty principals" success "-h"
181test_one "wrong principals" failure "-h -n foo"
182test_one "cert not yet valid" failure "-h -V20200101:20300101"
183test_one "cert expired" failure "-h -V19800101:19900101"
184test_one "cert valid interval" success "-h -V-1w:+2w"
185test_one "cert has constraints" failure "-h -Oforce-command=false"
186
187# Check downgrade of cert to raw key when no CA found
Damien Miller53f4bb62010-04-18 08:15:14 +1000188for v in v01 v00 ; do
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +1100189 for ktype in rsa dsa $ecdsa ; do
Damien Miller6fd2d7d2010-10-21 15:27:14 +1100190 # v00 ecdsa certs do not exist.
191 test "${v}${ktype}" = "v00ecdsa" && continue
Damien Miller53f4bb62010-04-18 08:15:14 +1000192 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
193 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
194 # Generate and sign a host key
195 ${SSHKEYGEN} -q -N '' -t ${ktype} \
196 -f $OBJ/cert_host_key_${ktype} || \
197 fail "ssh-keygen of cert_host_key_${ktype} failed"
198 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
199 -I "regress host key for $USER" \
200 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
201 fail "couldn't sign cert_host_key_${ktype}"
202 (
203 echon "$HOSTS "
204 cat $OBJ/cert_host_key_${ktype}.pub
205 ) > $OBJ/known_hosts-cert
206 (
207 cat $OBJ/sshd_proxy_bak
208 echo HostKey $OBJ/cert_host_key_${ktype}
209 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
210 ) > $OBJ/sshd_proxy
211
212 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
213 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
214 -F $OBJ/ssh_proxy somehost true
215 if [ $? -ne 0 ]; then
216 fail "ssh cert connect failed"
217 fi
218 done
Damien Miller58ac6de2010-02-27 07:57:12 +1100219done
220
Damien Miller017d1e72010-03-04 21:57:21 +1100221# Wrong certificate
222(
223 echon '@cert-authority '
224 echon "$HOSTS "
225 cat $OBJ/host_ca_key.pub
226) > $OBJ/known_hosts-cert
Damien Miller53f4bb62010-04-18 08:15:14 +1000227for v in v01 v00 ; do
Darren Tuckerbfd9b1b2010-10-24 11:19:26 +1100228 for kt in rsa dsa $ecdsa ; do
Damien Miller6fd2d7d2010-10-21 15:27:14 +1100229 # v00 ecdsa certs do not exist.
230 test "${v}${ktype}" = "v00ecdsa" && continue
Damien Miller53f4bb62010-04-18 08:15:14 +1000231 rm -f $OBJ/cert_host_key*
232 # Self-sign key
233 ${SSHKEYGEN} -q -N '' -t ${kt} \
234 -f $OBJ/cert_host_key_${kt} || \
235 fail "ssh-keygen of cert_host_key_${kt} failed"
236 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
237 -I "regress host key for $USER" \
238 -n $HOSTS $OBJ/cert_host_key_${kt} ||
239 fail "couldn't sign cert_host_key_${kt}"
240 verbose "$tid: host ${kt} connect wrong cert"
241 (
242 cat $OBJ/sshd_proxy_bak
243 echo HostKey $OBJ/cert_host_key_${kt}
244 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
245 ) > $OBJ/sshd_proxy
246
247 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
248 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
249 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
250 if [ $? -eq 0 ]; then
251 fail "ssh cert connect $ident succeeded unexpectedly"
252 fi
253 done
Damien Miller017d1e72010-03-04 21:57:21 +1100254done
255
Damien Miller58ac6de2010-02-27 07:57:12 +1100256rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*