Damien Miller | c1dc24b | 2014-07-02 17:02:03 +1000 | [diff] [blame] | 1 | # $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $ |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 2 | # Placed in the Public Domain. |
| 3 | |
| 4 | tid="key revocation lists" |
| 5 | |
Damien Miller | 2653f5c | 2013-02-14 10:14:51 +1100 | [diff] [blame] | 6 | # If we don't support ecdsa keys then this tell will be much slower. |
| 7 | ECDSA=ecdsa |
| 8 | if test "x$TEST_SSH_ECC" != "xyes"; then |
Damien Miller | 6d77d6e | 2013-02-14 10:31:03 +1100 | [diff] [blame] | 9 | ECDSA=rsa |
Damien Miller | 2653f5c | 2013-02-14 10:14:51 +1100 | [diff] [blame] | 10 | fi |
| 11 | |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 12 | # Do most testing with ssh-keygen; it uses the same verification code as sshd. |
| 13 | |
| 14 | # Old keys will interfere with ssh-keygen. |
| 15 | rm -f $OBJ/revoked-* $OBJ/krl-* |
| 16 | |
| 17 | # Generate a CA key |
Damien Miller | 2653f5c | 2013-02-14 10:14:51 +1100 | [diff] [blame] | 18 | $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 19 | fatal "$SSHKEYGEN CA failed" |
| 20 | |
| 21 | # A specification that revokes some certificates by serial numbers |
| 22 | # The serial pattern is chosen to ensure the KRL includes list, range and |
| 23 | # bitmap sections. |
| 24 | cat << EOF >> $OBJ/revoked-serials |
| 25 | serial: 1-4 |
| 26 | serial: 10 |
| 27 | serial: 15 |
| 28 | serial: 30 |
| 29 | serial: 50 |
| 30 | serial: 999 |
| 31 | # The following sum to 500-799 |
| 32 | serial: 500 |
| 33 | serial: 501 |
| 34 | serial: 502 |
| 35 | serial: 503-600 |
| 36 | serial: 700-797 |
| 37 | serial: 798 |
| 38 | serial: 799 |
| 39 | serial: 599-701 |
Damien Miller | c1dc24b | 2014-07-02 17:02:03 +1000 | [diff] [blame] | 40 | # Some multiple consecutive serial number ranges |
| 41 | serial: 10000-20000 |
| 42 | serial: 30000-40000 |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 43 | EOF |
| 44 | |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 45 | # A specification that revokes some certificated by key ID. |
| 46 | touch $OBJ/revoked-keyid |
| 47 | for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do |
| 48 | # Fill in by-ID revocation spec. |
| 49 | echo "id: revoked $n" >> $OBJ/revoked-keyid |
| 50 | done |
| 51 | |
| 52 | keygen() { |
| 53 | N=$1 |
| 54 | f=$OBJ/revoked-`printf "%04d" $N` |
| 55 | # Vary the keytype. We use mostly ECDSA since this is fastest by far. |
Damien Miller | 2653f5c | 2013-02-14 10:14:51 +1100 | [diff] [blame] | 56 | keytype=$ECDSA |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 57 | case $N in |
| 58 | 2 | 10 | 510 | 1001) keytype=rsa;; |
| 59 | 4 | 30 | 520 | 1002) keytype=dsa;; |
| 60 | esac |
| 61 | $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ |
| 62 | || fatal "$SSHKEYGEN failed" |
| 63 | # Sign cert |
| 64 | $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ |
| 65 | || fatal "$SSHKEYGEN sign failed" |
| 66 | echo $f |
| 67 | } |
| 68 | |
| 69 | # Generate some keys. |
| 70 | verbose "$tid: generating test keys" |
| 71 | REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" |
| 72 | for n in $REVOKED_SERIALS ; do |
| 73 | f=`keygen $n` |
| 74 | REVOKED_KEYS="$REVOKED_KEYS ${f}.pub" |
| 75 | REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub" |
| 76 | done |
| 77 | NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001" |
| 78 | NOTREVOKED="" |
| 79 | for n in $NOTREVOKED_SERIALS ; do |
| 80 | NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub" |
| 81 | NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub" |
| 82 | done |
| 83 | |
| 84 | genkrls() { |
| 85 | OPTS=$1 |
| 86 | $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ |
| 87 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 88 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \ |
| 89 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 90 | $SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \ |
| 91 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 92 | $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \ |
| 93 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 94 | $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ |
| 95 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 96 | # KRLs from serial/key-id spec need the CA specified. |
| 97 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ |
| 98 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" |
| 99 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ |
| 100 | >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" |
| 101 | $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \ |
| 102 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 103 | $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ |
| 104 | >/dev/null || fatal "$SSHKEYGEN KRL failed" |
| 105 | } |
| 106 | |
Damien Miller | 36aba25 | 2013-11-21 14:24:42 +1100 | [diff] [blame] | 107 | ## XXX dump with trace and grep for set cert serials |
| 108 | ## XXX test ranges near (u64)-1, etc. |
| 109 | |
Damien Miller | ebafebd | 2013-01-18 11:51:56 +1100 | [diff] [blame] | 110 | verbose "$tid: generating KRLs" |
| 111 | genkrls |
| 112 | |
| 113 | check_krl() { |
| 114 | KEY=$1 |
| 115 | KRL=$2 |
| 116 | EXPECT_REVOKED=$3 |
| 117 | TAG=$4 |
| 118 | $SSHKEYGEN -Qf $KRL $KEY >/dev/null |
| 119 | result=$? |
| 120 | if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then |
| 121 | fatal "key $KEY not revoked by KRL $KRL: $TAG" |
| 122 | elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then |
| 123 | fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" |
| 124 | fi |
| 125 | } |
| 126 | test_all() { |
| 127 | FILES=$1 |
| 128 | TAG=$2 |
| 129 | KEYS_RESULT=$3 |
| 130 | ALL_RESULT=$4 |
| 131 | SERIAL_RESULT=$5 |
| 132 | KEYID_RESULT=$6 |
| 133 | CERTS_RESULT=$7 |
| 134 | CA_RESULT=$8 |
| 135 | verbose "$tid: checking revocations for $TAG" |
| 136 | for f in $FILES ; do |
| 137 | check_krl $f $OBJ/krl-empty no "$TAG" |
| 138 | check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" |
| 139 | check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" |
| 140 | check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" |
| 141 | check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" |
| 142 | check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" |
| 143 | check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" |
| 144 | done |
| 145 | } |
| 146 | # keys all serial keyid certs CA |
| 147 | test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no |
| 148 | test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no |
| 149 | test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes |
| 150 | test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes |
| 151 | |
| 152 | # Check update. Results should be identical. |
| 153 | verbose "$tid: testing KRL update" |
| 154 | for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ |
| 155 | $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do |
| 156 | cp -f $OBJ/krl-empty $f |
| 157 | genkrls -u |
| 158 | done |
| 159 | # keys all serial keyid certs CA |
| 160 | test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no |
| 161 | test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no |
| 162 | test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes |
| 163 | test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes |