- djm@cvs.openbsd.org 2010/03/03 00:47:23

[regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does)
2010-03-04 21:57:21 +11:00 · 2010-03-04 21:57:21 +11:00 · 017d1e777e
parent 1aed65eb27
commit 017d1e777e
3 changed files with 48 additions and 3 deletions
--- a/4
+++ b/4
@ -35,6 +35,10 @@
     authentication.
     
     feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/03/03 00:47:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     add an extra test to ensure that authentication with the wrong
+     certificate fails as it should (and it does)

 20100303
 - (djm) [PROTOCOL.certkeys] Add RCS Ident
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -119,4 +119,31 @@ for ktype in rsa dsa ; do
 	fi
 done

+# Wrong certificate
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+	# Self-sign key
+	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	verbose "$tid: host ${ktype} connect wrong cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.1 2010/02/26 20:33:21 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -24,7 +24,6 @@ for ktype in rsa dsa ; do
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
-
 done

 # Basic connect tests
@ -86,4 +85,19 @@ test_one "cert valid interval"	success "-V-1w:+2w"
 test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
 test_one "force-command"	failure "-Oforce-command=false"

+# Wrong certificate
+for ktype in rsa dsa ; do 
+	# Self-sign
+	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	verbose "$tid: user ${ktype} connect wrong cert"
+	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*