# $OpenBSD: cert-hostkey.sh,v 1.10 2014/12/04 22:31:50 djm Exp $
#	Placed in the Public Domain.

tid="certified host keys"

# Start from a clean slate: drop anything a previous run left behind and
# keep a pristine copy of sshd_proxy that each test case rebuilds from.
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/host_revoked_* \
    $OBJ/cert_host_key* $OBJ/host_krl_*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Principals that every host certificate in this test is issued for.
HOSTS='localhost-with-alias,127.0.0.1,::1'

# Create the CA key and trust it for $HOSTS through a @cert-authority
# line in the test known_hosts file. Ed25519 is chosen for speed.
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key \
    || fail "ssh-keygen of host_ca_key failed"
{
	printf '@cert-authority %s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert

# Plain-text revocation lists (the non-KRL form of RevokedHostKeys).
# The first three start empty; plain and cert are appended to as host
# keys are generated below, and the CA list revokes the CA key itself.
touch $OBJ/host_revoked_empty $OBJ/host_revoked_plain $OBJ/host_revoked_cert
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca

# Plain (non-certificate) key types this ssh supports, rewritten into
# the short names that ssh-keygen -t accepts (ssh-dss becomes dsa).
PLAIN_TYPES=$($SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//')

# Succeed (return 0) when key type $1 can also be used with the legacy
# v00 certificate format; ed25519 and ecdsa never supported it.
type_has_legacy() {
	case "$1" in
	ed25519*|ecdsa*)
		return 1
		;;
	*)
		return 0
		;;
	esac
}

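# Prepare certificate, plain key and CA KRLs. The first three start
# empty and are updated as keys are generated below; the CA KRL revokes
# the CA key outright.
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
    || fatal "KRL init failed"

# Generate a host key of every plain type, sign it as a host certificate
# with the CA, and record both the plain key and the certificate in the
# KRL and plain-text revocation lists exercised by the connect tests.
serial=1
for ktype in $PLAIN_TYPES ; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate and sign a host key
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_host_key_${ktype} || \
		fatal "ssh-keygen of cert_host_key_${ktype} failed"
	# Revoke the plain key in both the KRL and the plain-text list.
	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
	    $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
	# Host certificate (-h) for $HOSTS with a distinct serial (-z).
	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
		fatal "couldn't sign cert_host_key_${ktype}"
	# Revoke the certificate in both the KRL and the plain-text list.
	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
	    $OBJ/cert_host_key_${ktype}-cert.pub || \
		fatal "KRL update failed"
	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
	# POSIX shell arithmetic; no need to fork expr(1).
	serial=$((serial + 1))
	# Types that pre-date v01 certificates also get a copy of the key
	# signed in the legacy v00 format; newer types skip this part.
	type_has_legacy $ktype || continue
	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
	verbose "$tid: sign host ${ktype}_v00 cert"
	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
		fatal "couldn't sign cert_host_key_${ktype}_v00"
	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
	    $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
		fatal "KRL update failed"
	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
done
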
# Connect through ssh_proxy with the test known_hosts file and check the
# outcome against the expectation.
#   $1 - test name used in messages
#   $2 - "yes" if the connection must succeed, anything else if it must fail
#   remaining args - extra ssh options (the callers pass -oRevokedHostKeys=...)
attempt_connect() {
	_ident="$1"
	_expect_success="$2"
	shift 2
	verbose "$tid: $_ident expect success $_expect_success"
	# Both known-hosts settings point at the test file, presumably so the
	# system-wide file cannot influence host verification.
	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	    "$@" -F $OBJ/ssh_proxy somehost true
	_r=$?
	case "x$_expect_success" in
	xyes)
		[ $_r -eq 0 ] || fail "ssh cert connect $_ident failed"
		;;
	*)
		[ $_r -ne 0 ] || fail "ssh cert connect $_ident succeeded unexpectedly"
		;;
	esac
}

# Basic connect and revocation tests: every key type, with and without
# privilege separation, against each KRL and plain-text revocation list.
for privsep in yes no ; do
	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		} > $OBJ/sshd_proxy

		# test name                                   expect success
		attempt_connect "$ktype basic connect" "yes"
		attempt_connect "$ktype empty KRL" "yes" \
		    -oRevokedHostKeys=$OBJ/host_krl_empty
		attempt_connect "$ktype KRL w/ plain key revoked" "no" \
		    -oRevokedHostKeys=$OBJ/host_krl_plain
		attempt_connect "$ktype KRL w/ cert revoked" "no" \
		    -oRevokedHostKeys=$OBJ/host_krl_cert
		attempt_connect "$ktype KRL w/ CA revoked" "no" \
		    -oRevokedHostKeys=$OBJ/host_krl_ca
		attempt_connect "$ktype empty plaintext revocation" "yes" \
		    -oRevokedHostKeys=$OBJ/host_revoked_empty
		attempt_connect "$ktype plain key plaintext revocation" "no" \
		    -oRevokedHostKeys=$OBJ/host_revoked_plain
		attempt_connect "$ktype cert plaintext revocation" "no" \
		    -oRevokedHostKeys=$OBJ/host_revoked_cert
		attempt_connect "$ktype CA plaintext revocation" "no" \
		    -oRevokedHostKeys=$OBJ/host_revoked_ca
	done
done

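# Revoked certificates with key present: known_hosts trusts the CA but
# also carries a @revoked line for every host key, and that revocation
# must win even though the presented certificate is otherwise valid.
# A brace group is used instead of a subshell so that a fatal inside it
# stops the whole test rather than only the group writing the file.
{
	printf '@cert-authority %s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
		# Pass the key through %s rather than as the printf format so a
		# '%' or backslash in the key comment cannot mangle the line.
		printf '@revoked * %s\n' "$(cat $OBJ/cert_host_key_${ktype}.pub)"
	done
} > $OBJ/known_hosts-cert
for privsep in yes no ; do
	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		} > $OBJ/sshd_proxy

		if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done
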
# Revoked CA: the same CA key is both trusted (@cert-authority) and
# revoked (@revoked) in known_hosts; the revocation must take precedence
# and every certificate it issued must be rejected.
{
	printf '@cert-authority %s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
	printf '@revoked * '
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
	verbose "$tid: host ${ktype} revoked cert"
	{
		cat $OBJ/sshd_proxy_bak
		echo HostKey $OBJ/cert_host_key_${ktype}
		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	} > $OBJ/sshd_proxy
	if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done

# Reset known_hosts to just the CA trust line, dropping the @revoked
# entries written by the tests above, before the certificate-content tests.
{
	printf '@cert-authority %s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert

# Re-sign the rsa host key (v01 and legacy v00 format) with the given
# ssh-keygen options, install it in sshd_proxy and check that the connect
# outcome matches the expectation.
#   $1 - test name used in messages
#   $2 - "success" if the connection must work, anything else if it must fail
#   $3 - extra ssh-keygen options; deliberately unquoted below so the
#        string is word-split into separate arguments
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00 ; do
		# Only the *_v00 key is signed in the legacy format.
		args=""
		case $kt in
		*_v00) args="-t v00" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		} > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		rc=$?
		case "x$result" in
		xsuccess)
			[ $rc -eq 0 ] || \
				fail "ssh cert connect $ident failed unexpectedly"
			;;
		*)
			[ $rc -ne 0 ] || \
				fail "ssh cert connect $ident succeeded unexpectedly"
			;;
		esac
	done
}

# Certificate-content checks: a user certificate (no -h) must not be
# accepted as a host certificate; principals, validity interval and
# certificate options are all enforced by the client.
test_one "user-certificate" failure "-n $HOSTS"
test_one "empty principals" success "-h"
test_one "wrong principals" failure "-h -n foo"
test_one "cert not yet valid" failure "-h -V20200101:20300101"
test_one "cert expired" failure "-h -V19800101:19900101"
test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false"

# Check downgrade of cert to raw key when no CA found: known_hosts lists
# only the plain host key, so the client must fall back to it and accept
# the connection even though the server offers a certificate.
for v in v01 v00 ; do
	for ktype in $PLAIN_TYPES ; do
		type_has_legacy $ktype || continue
		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate and sign a host key
		${SSHKEYGEN} -q -N '' -t ${ktype} \
		    -f $OBJ/cert_host_key_${ktype} || \
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
			fail "couldn't sign cert_host_key_${ktype}"
		# Plain host key entry only; no @cert-authority line.
		{
			printf '%s ' "$HOSTS"
			cat $OBJ/cert_host_key_${ktype}.pub
		} > $OBJ/known_hosts-cert
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		} > $OBJ/sshd_proxy

		if ! ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true; then
			fail "ssh cert connect failed"
		fi
	done
done

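# Wrong certificate: the host key signs its own certificate. known_hosts
# trusts only host_ca_key, so the connection must be refused.
{
	printf '@cert-authority %s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert
for v in v01 v00 ; do
	for kt in $PLAIN_TYPES ; do
		type_has_legacy $kt || continue
		rm -f $OBJ/cert_host_key*
		# Self-sign key
		${SSHKEYGEN} -q -N '' -t ${kt} \
		    -f $OBJ/cert_host_key_${kt} || \
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} connect wrong cert"
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		} > $OBJ/sshd_proxy

		# Name the key type and format in the message using this loop's
		# own variables; $ident is never set here (it is a leftover from
		# test_one), so the old message described the wrong test.
		if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1; then
			fail "ssh cert connect ${kt} ${v} wrong cert succeeded unexpectedly"
		fi
	done
done

# Remove everything this test created.
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*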