Blame - regress/krl.sh - platform/external/openssh

blob: 1077358ff9f0bf2c4a02ed826460023cd1fcc57a [file] [log] [blame]

djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	1	# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	2	# Placed in the Public Domain.
				3
				4	tid="key revocation lists"
				5
Damien Miller	2653f5c	2013-02-14 10:14:51 +1100	[diff] [blame]	6	# If we don't support ecdsa keys then this tell will be much slower.
				7	ECDSA=ecdsa
				8	if test "x$TEST_SSH_ECC" != "xyes"; then
Damien Miller	6d77d6e	2013-02-14 10:31:03 +1100	[diff] [blame]	9	ECDSA=rsa
Damien Miller	2653f5c	2013-02-14 10:14:51 +1100	[diff] [blame]	10	fi
				11
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	12	# Do most testing with ssh-keygen; it uses the same verification code as sshd.
				13
				14	# Old keys will interfere with ssh-keygen.
				15	rm -f $OBJ/revoked-* $OBJ/krl-*
				16
				17	# Generate a CA key
Damien Miller	2653f5c	2013-02-14 10:14:51 +1100	[diff] [blame]	18	$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null \|\|
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	19	fatal "$SSHKEYGEN CA failed"
djm@openbsd.org	51b64e4	2014-11-17 00:21:40 +0000	[diff] [blame]	20	$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null \|\|
				21	fatal "$SSHKEYGEN CA2 failed"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	22
				23	# A specification that revokes some certificates by serial numbers
				24	# The serial pattern is chosen to ensure the KRL includes list, range and
				25	# bitmap sections.
				26	cat << EOF >> $OBJ/revoked-serials
				27	serial: 1-4
				28	serial: 10
				29	serial: 15
				30	serial: 30
				31	serial: 50
				32	serial: 999
				33	# The following sum to 500-799
				34	serial: 500
				35	serial: 501
				36	serial: 502
				37	serial: 503-600
				38	serial: 700-797
				39	serial: 798
				40	serial: 799
				41	serial: 599-701
Damien Miller	c1dc24b	2014-07-02 17:02:03 +1000	[diff] [blame]	42	# Some multiple consecutive serial number ranges
				43	serial: 10000-20000
				44	serial: 30000-40000
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	45	EOF
				46
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	47	# A specification that revokes some certificated by key ID.
				48	touch $OBJ/revoked-keyid
				49	for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
djm@openbsd.org	d3716ca	2015-01-19 17:31:13 +0000	[diff] [blame]	50	test "x$n" = "x499" && continue
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	51	# Fill in by-ID revocation spec.
				52	echo "id: revoked $n" >> $OBJ/revoked-keyid
				53	done
				54
				55	keygen() {
				56	N=$1
				57	f=$OBJ/revoked-`printf "%04d" $N`
				58	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
Damien Miller	2653f5c	2013-02-14 10:14:51 +1100	[diff] [blame]	59	keytype=$ECDSA
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	60	case $N in
				61	2 \| 10 \| 510 \| 1001) keytype=rsa;;
djm@openbsd.org	d3716ca	2015-01-19 17:31:13 +0000	[diff] [blame]	62	4 \| 30 \| 520 \| 1002) keytype=ed25519;;
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	63	esac
				64	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
				65	\|\| fatal "$SSHKEYGEN failed"
				66	# Sign cert
				67	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
				68	\|\| fatal "$SSHKEYGEN sign failed"
				69	echo $f
				70	}
				71
				72	# Generate some keys.
				73	verbose "$tid: generating test keys"
				74	REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
				75	for n in $REVOKED_SERIALS ; do
				76	f=`keygen $n`
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	77	RKEYS="$RKEYS ${f}.pub"
				78	RCERTS="$RCERTS ${f}-cert.pub"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	79	done
djm@openbsd.org	d3716ca	2015-01-19 17:31:13 +0000	[diff] [blame]	80	UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
				81	UNREVOKED=""
				82	for n in $UNREVOKED_SERIALS ; do
				83	f=`keygen $n`
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	84	UKEYS="$UKEYS ${f}.pub"
				85	UCERTS="$UCERTS ${f}-cert.pub"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	86	done
				87
				88	genkrls() {
				89	OPTS=$1
				90	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
				91	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	92	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	93	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	94	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	95	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	96	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	97	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
				98	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
				99	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
djm@openbsd.org	51b64e4	2014-11-17 00:21:40 +0000	[diff] [blame]	100	# This should fail as KRLs from serial/key-id spec need the CA specified.
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	101	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
				102	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
				103	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
				104	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	105	# These should succeed; they specify an explicit CA key.
				106	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
				107	$OBJ/revoked-serials >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
				108	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
				109	$OBJ/revoked-keyid >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
				110	# These should succeed; they specify an wildcard CA key.
				111	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
				112	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
				113	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	114	>/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
djm@openbsd.org	51b64e4	2014-11-17 00:21:40 +0000	[diff] [blame]	115	# Revoke the same serials with the second CA key to ensure a multi-CA
				116	# KRL is generated.
				117	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
				118	$OBJ/revoked-serials >/dev/null \|\| fatal "$SSHKEYGEN KRL failed"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	119	}
				120
Damien Miller	36aba25	2013-11-21 14:24:42 +1100	[diff] [blame]	121	## XXX dump with trace and grep for set cert serials
				122	## XXX test ranges near (u64)-1, etc.
				123
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	124	verbose "$tid: generating KRLs"
				125	genkrls
				126
				127	check_krl() {
				128	KEY=$1
				129	KRL=$2
				130	EXPECT_REVOKED=$3
				131	TAG=$4
				132	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
				133	result=$?
				134	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
				135	fatal "key $KEY not revoked by KRL $KRL: $TAG"
				136	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
				137	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
				138	fi
				139	}
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	140	test_rev() {
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	141	FILES=$1
				142	TAG=$2
				143	KEYS_RESULT=$3
				144	ALL_RESULT=$4
				145	SERIAL_RESULT=$5
				146	KEYID_RESULT=$6
				147	CERTS_RESULT=$7
				148	CA_RESULT=$8
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	149	SERIAL_WRESULT=$9
				150	KEYID_WRESULT=$10
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	151	verbose "$tid: checking revocations for $TAG"
				152	for f in $FILES ; do
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	153	check_krl $f $OBJ/krl-empty no "$TAG"
				154	check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
				155	check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
				156	check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
				157	check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
				158	check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
				159	check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
				160	check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
				161	check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	162	done
				163	}
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	164
				165	test_all() {
				166	# wildcard
				167	# keys all sr# k.ID cert CA sr.# k.ID
				168	test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
				169	test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
				170	test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
				171	test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
				172	}
				173
				174	test_all
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	175
				176	# Check update. Results should be identical.
				177	verbose "$tid: testing KRL update"
				178	for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	179	$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
				180	$OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
Damien Miller	ebafebd	2013-01-18 11:51:56 +1100	[diff] [blame]	181	cp -f $OBJ/krl-empty $f
				182	genkrls -u
				183	done
djm@openbsd.org	86936ec	2015-01-30 01:11:39 +0000	[diff] [blame]	184
				185	test_all