openssh-portable/regress/cert-userkey.sh

#	$OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
#	Placed in the Public Domain.

tid="certified user keys"

rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Create a CA key and add it to authorized_keys
${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
	fail "ssh-keygen of user_ca_key failed"
(
	echon 'cert-authority '
	cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER

# Generate and sign user keys
for ktype in rsa dsa ; do 
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_user_key_${ktype} || \
		fail "ssh-keygen of cert_user_key_${ktype} failed"
	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fail "couldn't sign cert_user_key_${ktype}"
done

# Basic connect tests
for privsep in yes no ; do
	for ktype in rsa dsa ; do 
		verbose "$tid: user ${ktype} cert connect privsep $privsep"
		(
			cat $OBJ/sshd_proxy_bak
			echo "UsePrivilegeSeparation $privsep"
		) > $OBJ/sshd_proxy

		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
		    somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
	fail "ssh cert connect with CA key succeeded unexpectedly"
fi

test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	
	verbose "$tid: test user cert connect $ident expect $result"

	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
	    $sign_opts \
	    $OBJ/cert_user_key_rsa ||
		fail "couldn't sign cert_user_key_rsa"

	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
	    somehost true >/dev/null 2>&1
	rc=$?
	if [ "x$result" = "xsuccess" ] ; then
		if [ $rc -ne 0 ]; then
			fail "ssh cert connect $ident failed unexpectedly"
		fi
	else
		if [ $rc -eq 0 ]; then
			fail "ssh cert connect $ident succeeded unexpectedly"
		fi
	fi
	cleanup
}

test_one "host-certificate"	failure "-h"
test_one "empty principals"	success ""
test_one "wrong principals"	failure "-n foo"
test_one "cert not yet valid"	failure "-V20200101:20300101"
test_one "cert expired"		failure "-V19800101:19900101"
test_one "cert valid interval"	success "-V-1w:+2w"
test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
test_one "force-command"	failure "-Oforce-command=false"

# Wrong certificate
for ktype in rsa dsa ; do 
	# Self-sign
	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
	    "regress user key for $USER" \
	    -n $USER $OBJ/cert_user_key_${ktype} ||
		fail "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
	    somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect $ident succeeded unexpectedly"
	fi
done

rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
- djm@cvs.openbsd.org 2010/03/03 00:47:23 [regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does) 2010-03-04 11:57:21 +01:00			`# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $`
- djm@cvs.openbsd.org 2010/02/26 20:33:21 [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys 2010-02-26 21:57:12 +01:00			`# Placed in the Public Domain.`

			`tid="certified user keys"`

			`rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*`
			`cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak`

			`# Create a CA key and add it to authorized_keys`
			`${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key \|\|\`
			`fail "ssh-keygen of user_ca_key failed"`
			`(`
- (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too 2010-03-03 03:22:41 +01:00			`echon 'cert-authority '`
- djm@cvs.openbsd.org 2010/02/26 20:33:21 [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys 2010-02-26 21:57:12 +01:00			`cat $OBJ/user_ca_key.pub`
			`) > $OBJ/authorized_keys_$USER`

			`# Generate and sign user keys`
			`for ktype in rsa dsa ; do`
			`verbose "$tid: sign user ${ktype} cert"`
			`${SSHKEYGEN} -q -N '' -t ${ktype} \`
			`-f $OBJ/cert_user_key_${ktype} \|\| \`
			`fail "ssh-keygen of cert_user_key_${ktype} failed"`
			`${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \`
			`"regress user key for $USER" \`
			`-n $USER $OBJ/cert_user_key_${ktype} \|\|`
			`fail "couldn't sign cert_user_key_${ktype}"`
			`done`

			`# Basic connect tests`
			`for privsep in yes no ; do`
			`for ktype in rsa dsa ; do`
			`verbose "$tid: user ${ktype} cert connect privsep $privsep"`
			`(`
			`cat $OBJ/sshd_proxy_bak`
			`echo "UsePrivilegeSeparation $privsep"`
			`) > $OBJ/sshd_proxy`

			`${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \`
			`somehost true`
			`if [ $? -ne 0 ]; then`
			`fail "ssh cert connect failed"`
			`fi`
			`done`
			`done`

			`verbose "$tid: ensure CA key does not authenticate user"`
			`${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect with CA key succeeded unexpectedly"`
			`fi`

			`test_one() {`
			`ident=$1`
			`result=$2`
			`sign_opts=$3`

			`verbose "$tid: test user cert connect $ident expect $result"`

			`${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \`
			`$sign_opts \`
			`$OBJ/cert_user_key_rsa \|\|`
			`fail "couldn't sign cert_user_key_rsa"`

			`${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \`
			`somehost true >/dev/null 2>&1`
			`rc=$?`
			`if [ "x$result" = "xsuccess" ] ; then`
			`if [ $rc -ne 0 ]; then`
			`fail "ssh cert connect $ident failed unexpectedly"`
			`fi`
			`else`
			`if [ $rc -eq 0 ]; then`
			`fail "ssh cert connect $ident succeeded unexpectedly"`
			`fi`
			`fi`
			`cleanup`
			`}`

			`test_one "host-certificate" failure "-h"`
			`test_one "empty principals" success ""`
			`test_one "wrong principals" failure "-n foo"`
			`test_one "cert not yet valid" failure "-V20200101:20300101"`
			`test_one "cert expired" failure "-V19800101:19900101"`
			`test_one "cert valid interval" success "-V-1w:+2w"`
			`test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8"`
			`test_one "force-command" failure "-Oforce-command=false"`

- djm@cvs.openbsd.org 2010/03/03 00:47:23 [regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does) 2010-03-04 11:57:21 +01:00			`# Wrong certificate`
			`for ktype in rsa dsa ; do`
			`# Self-sign`
			`${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \`
			`"regress user key for $USER" \`
			`-n $USER $OBJ/cert_user_key_${ktype} \|\|`
			`fail "couldn't sign cert_user_key_${ktype}"`
			`verbose "$tid: user ${ktype} connect wrong cert"`
			`${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \`
			`somehost true >/dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`fail "ssh cert connect $ident succeeded unexpectedly"`
			`fi`
			`done`

- djm@cvs.openbsd.org 2010/02/26 20:33:21 [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys 2010-02-26 21:57:12 +01:00			`rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*`