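# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
# Placed in the Public Domain.

# Regression test: certificate selection through IdentityFile,
# CertificateFile and ssh-agent.  This file is sourced by the regress
# harness, which supplies $OBJ, ${SSHKEYGEN}, ${SSH}, ${SSHADD},
# ${SSHAGENT} and the helpers trace/verbose/fail/fatal (fatal is assumed
# to abort the whole test, fail to record a failure and continue -- confirm
# against test-exec.sh).  Written for POSIX sh: no bash-only constructs.

tid="ssh with certificates"

# Start from a clean slate.  The same removal runs again at the end, so a
# previous run that aborted in fatal cannot leak keys or certificates into
# this one.
rm -f "$OBJ"/user_ca_key* "$OBJ"/user_key*
rm -f "$OBJ"/cert_user_key*

# Create two CA keys.  Only user_ca_key1 is later marked cert-authority in
# authorized_keys; certificates issued by user_ca_key2 are the "untrusted"
# ones the negative tests rely on being rejected.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key1" || \
	fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key2" || \
	fatal "ssh-keygen failed"

# Make some user keys (user_key1 .. user_key5), all unencrypted.
for k in 1 2 3 4 5; do
	${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_key$k" || \
		fatal "ssh-keygen failed"
done

# Sign user_key1 with both CAs and move each certificate away from the
# default user_key1-cert.pub location, so that each test below controls
# exactly which certificate is offered (via CertificateFile) rather than
# ssh picking one up implicitly.  -z $$ just gives the certificate a
# per-run serial number.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key1" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
	fatal "couldn't sign user_key1 with user_ca_key1"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_1.pub" || \
	fatal "couldn't move user_key1-cert.pub"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key2" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
	fatal "couldn't sign user_key1 with user_ca_key2"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_2.pub" || \
	fatal "couldn't move user_key1-cert.pub"

# user_key3: keep the private key and its certificate (left in place as
# user_key3-cert.pub) but delete the plain public half, to test that ssh
# still finds the matching *-cert.pub from the private key alone.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key1" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key3" ||
	fatal "couldn't sign user_key3 with user_ca_key1"
rm "$OBJ/user_key3.pub" # to test use of private key w/o public half.

# user_key4: keep only the certificate; neither the private nor the public
# key remains.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key1" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key4" ||
	fatal "couldn't sign user_key4 with user_ca_key1"
rm "$OBJ/user_key4" "$OBJ/user_key4.pub" # to test no matching pub/private key case.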
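
trace 'try with identity files'
# IdentitiesOnly=yes (ssh_config(5)) keeps ssh from offering agent or
# default identities, so only the -i keys and -oCertificateFile certs named
# on the command line are in play.  $opts/$opts2/$opts3 are word lists and
# are deliberately expanded unquoted where they are used.
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
# Server side trusts exactly one CA: user_ca_key1.
echo "cert-authority $(cat "$OBJ/user_ca_key1.pub")" > "$OBJ/authorized_keys_$USER"

# Make a clean config that doesn't have any pre-added identities.
grep -v IdentityFile "$OBJ/ssh_proxy" > "$OBJ/no_identity_config"

# XXX: verify that certificate used was what we expect. Needs exposure of
# keys via environment variable or similar.

# Every probe runs "exit 52" on the far side: 52 can only come back from a
# session that actually authenticated, whereas ssh's own failures report
# other statuses, so the sentinel distinguishes "login worked" from
# "login refused".

# Key with no .pub should work - finding the equivalent *-cert.pub.
verbose "identity cert with no plain public file"
${SSH} -F "$OBJ/no_identity_config" -oIdentitiesOnly=yes \
	-i "$OBJ/user_key3" somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed"
fi

# CertificateFile matching private key with no .pub file should work.
verbose "CertificateFile with no plain public file"
${SSH} -F "$OBJ/no_identity_config" -oIdentitiesOnly=yes \
	-oCertificateFile="$OBJ/user_key3-cert.pub" \
	-i "$OBJ/user_key3" somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed"
fi

# Just keys should fail: the server only accepts certificates from the CA.
verbose "plain keys"
${SSH} $opts2 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with no certs"
fi

# Keys with untrusted cert should fail (cert_user_key1_2 was issued by
# user_ca_key2, which authorized_keys does not trust).
verbose "untrusted cert"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with bad cert"
fi

# Good cert with bad key should fail: the trusted cert belongs to
# user_key1, but only user_key2 is offered.
verbose "good cert, bad key"
opts3="$opts -i $OBJ/user_key2"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with no matching key"
fi

# Keys with one trusted cert, should succeed.
verbose "single trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed with trusted cert and key"
fi

# Multiple certs and keys, with one trusted cert, should succeed: the
# untrusted cert is listed first and must not prevent the trusted one
# from being tried.
verbose "multiple trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed with multiple certs"
fi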
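
# Next, using an agent in combination with the keys.
# Sanity check that no agent is reachable before we start our own: with a
# bogus socket, ssh-add -l is expected to fail with exit code 2.  If this
# trips, some other agent could be offering keys and skew the results.
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
	fatal "ssh-add -l did not fail with exit code 2"
fi

trace "start agent"
# ssh-agent -s emits Bourne-shell commands setting SSH_AUTH_SOCK and
# SSH_AGENT_PID; eval them so the rest of this test (and the -k below)
# talk to this agent.  $? after eval is the status of the evaluated text.
eval "$(${SSHAGENT} -s)" > /dev/null
r=$?
if [ $r -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi

# Add private keys to agent.  -k adds the plain private keys only, so any
# certificate the agent offers below must come from an explicit
# CertificateFile rather than from the agent itself.
${SSHADD} -k "$OBJ/user_key2" > /dev/null 2>&1
if [ $? -ne 0 ]; then
	fatal "ssh-add did not succeed with exit code 0"
fi
${SSHADD} -k "$OBJ/user_key1" > /dev/null 2>&1
if [ $? -ne 0 ]; then
	fatal "ssh-add did not succeed with exit code 0"
fi

# Try ssh with the agent and certificates.  No IdentitiesOnly here: the
# keys are meant to come from the agent.  $opts is a word list and is
# expanded unquoted on purpose.
opts="-F $OBJ/ssh_proxy"
# With no certificates, should fail.
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in succeeded with no cert"
fi

# With an untrusted certificate (issued by user_ca_key2), should fail.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in succeeded with bad cert"
fi

# With an additional trusted certificate, should succeed.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts somehost exit 52
if [ $? -ne 52 ]; then
	fail "ssh connect with agent in failed with good cert"
fi

trace "kill agent"
# Uses SSH_AGENT_PID from the eval above.  NOTE(review): a fatal earlier in
# this section aborts before reaching here and would leave the agent
# running unless the harness's own cleanup kills it -- confirm.
${SSHAGENT} -k > /dev/null

# Cleanup: remove every key and certificate this test created.
rm -f "$OBJ"/user_ca_key* "$OBJ"/user_key*
rm -f "$OBJ"/cert_user_key*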