tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-28 16:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: Make certificate tests work with the supported key

Browse Source 
algorithms.  Allows tests to pass when built without OpenSSL.

OpenBSD-Regress-ID: 617169a6dd9d06db3697a449d9a26c284eca20fc
This commit is contained in:
dtucker@openbsd.org 2019-07-25 08:28:15 +00:00 committed by Darren Tucker
parent 26bf693661
commit 1e94afdfa8
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
regress/cert-hostkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $ # $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified host keys" tid="certified host keys"
@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
rm -f $OBJ/cert_host_key* $OBJ/host_krl_* rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
# Allow all hostkey/pubkey types, prefer certs for the client # Allow all hostkey/pubkey types, prefer certs for the client
rsa=0
types="" types=""
for i in `$SSH -Q key`; do for i in `$SSH -Q key`; do
if [ -z "$types" ]; then if [ -z "$types" ]; then
@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do
types="rsa-sha2-256-cert-v01@openssh.com,$i,$types" types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
types="rsa-sha2-512-cert-v01@openssh.com,$types";; types="rsa-sha2-512-cert-v01@openssh.com,$types";;
*rsa*) *rsa*)
rsa=1
types="$types,rsa-sha2-512,rsa-sha2-256,$i";; types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
# Prefer certificate to plain keys. # Prefer certificate to plain keys.
*cert*) types="$i,$types";; *cert*) types="$i,$types";;
@ -51,10 +53,12 @@ kh_revoke() {
} }
# Create a CA key and add it to known hosts. Ed25519 chosen for speed. # Create a CA key and add it to known hosts. Ed25519 chosen for speed.
# RSA for testing RSA/SHA2 signatures. # RSA for testing RSA/SHA2 signatures if supported.
ktype2=ed25519
[ "x$rsa" = "x1" ] && ktype2=rsa
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
fail "ssh-keygen of host_ca_key failed" fail "ssh-keygen of host_ca_key failed"
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\
fail "ssh-keygen of host_ca_key failed" fail "ssh-keygen of host_ca_key failed"
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@ -214,7 +218,7 @@ test_one() {
result=$2 result=$2
sign_opts=$3 sign_opts=$3
for kt in rsa ed25519 ; do for kt in $PLAIN_TYPES; do
case $ktype in case $ktype in
rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
*) tflag=""; ca="$OBJ/host_ca_key" ;; *) tflag=""; ca="$OBJ/host_ca_key" ;;

17
regress/cert-userkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $ # $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified user keys" tid="certified user keys"
@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
EXTRA_TYPES="" EXTRA_TYPES=""
rsa=""
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
rsa=rsa
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
fi fi
@ -20,11 +22,20 @@ kname() {
# subshell because some seds will add a newline # subshell because some seds will add a newline
*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
esac esac
if [ -z "$rsa" ]; then
echo "$n*,ssh-ed25519*"
else
echo "$n*,ssh-rsa*,ssh-ed25519*" echo "$n*,ssh-rsa*,ssh-ed25519*"
fi
} }
# Create a CA key # Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ if [ ! -z "$rsa" ]; then
catype=rsa
else
catype=ed25519
fi
${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed" fail "ssh-keygen of user_ca_key failed"
# Generate and sign user keys # Generate and sign user keys
@ -283,7 +294,7 @@ test_one() {
fi fi
for auth in $auth_choice ; do for auth in $auth_choice ; do
for ktype in rsa ed25519 ; do for ktype in $rsa ed25519 ; do
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys # Add CA to authorized_keys