- OpenBSD CVS Sync

- djm@cvs.openbsd.org 2010/04/16 01:58:45 [regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for v01 certificate format includes interop tests for v00 certs
2010-04-18 08:15:14 +10:00 · 2010-04-18 08:15:14 +10:00 · 53f4bb6599
parent c617aa9ff5
commit 53f4bb6599
3 changed files with 151 additions and 107 deletions
--- a/4
+++ b/4
@ -9,6 +9,10 @@
   - djm@cvs.openbsd.org 2010/04/16 21:14:27
     [sshconnect.c]
     oops, %r => remote username, not %u
+   - djm@cvs.openbsd.org 2010/04/16 01:58:45
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     regression tests for v01 certificate format
+     includes interop tests for v00 certs

 20100416
 - (djm) Release openssh-5.5p1
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 		fail "couldn't sign cert_host_key_${ktype}"
+	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+		fail "couldn't sign cert_host_key_${ktype}_v00"
 done

 # Basic connect tests
 for privsep in yes no ; do
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00; do 
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@ -61,9 +67,15 @@ done
 	echon '@revoked '
 	echon "* "
 	cat $OBJ/cert_host_key_dsa.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_rsa_v00.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00; do 
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@ -90,7 +102,7 @@ done
 	echon "* "
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@ -116,32 +128,39 @@ test_one() {
 	ident=$1
 	result=$2
 	sign_opts=$3
+
+	for kt in rsa rsa_v00 ; do
+		case $kt in
+		*_v00) args="-t v00" ;;
+		*) args="" ;;
+		esac
+
+		verbose "$tid: host cert connect $ident $kt expect $result"
+		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    $sign_opts $args \
+		    $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
 	
-	verbose "$tid: test host cert connect $ident expect $result"
-
-	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
-	    $sign_opts \
-	    $OBJ/cert_host_key_rsa ||
-		fail "couldn't sign cert_host_key_rsa"
-	(
-		cat $OBJ/sshd_proxy_bak
-		echo HostKey $OBJ/cert_host_key_rsa
-		echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
-	) > $OBJ/sshd_proxy
-
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	rc=$?
-	if [ "x$result" = "xsuccess" ] ; then
-		if [ $rc -ne 0 ]; then
-			fail "ssh cert connect $ident failed unexpectedly"
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		rc=$?
+		if [ "x$result" = "xsuccess" ] ; then
+			if [ $rc -ne 0 ]; then
+				fail "ssh cert connect $ident failed unexpectedly"
+			fi
+		else
+			if [ $rc -eq 0 ]; then
+				fail "ssh cert connect $ident succeeded unexpectedly"
+			fi
 		fi
-	else
-		if [ $rc -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
-		fi
-	fi
+	done
 }

 test_one "user-certificate"	failure "-n $HOSTS"
@ -153,32 +172,35 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints"	failure "-h -Oforce-command=false"

 # Check downgrade of cert to raw key when no CA found
-rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-for ktype in rsa dsa ; do 
-	verbose "$tid: host ${ktype} cert downgrade to raw key"
-	# Generate and sign a host key
-	${SSHKEYGEN} -q -N '' -t ${ktype} \
-	    -f $OBJ/cert_host_key_${ktype} || \
-		fail "ssh-keygen of cert_host_key_${ktype} failed"
-	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
-	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		fail "couldn't sign cert_host_key_${ktype}"
-	(
-		echon "$HOSTS "
-		cat $OBJ/cert_host_key_${ktype}.pub
-	) > $OBJ/known_hosts-cert
-	(
-		cat $OBJ/sshd_proxy_bak
-		echo HostKey $OBJ/cert_host_key_${ktype}
-		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-	) > $OBJ/sshd_proxy
-	
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-		-F $OBJ/ssh_proxy somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh cert connect failed"
-	fi
+for v in v01 v00 ;  do 
+	for ktype in rsa dsa ; do 
+		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+		# Generate and sign a host key
+		${SSHKEYGEN} -q -N '' -t ${ktype} \
+		    -f $OBJ/cert_host_key_${ktype} || \
+			fail "ssh-keygen of cert_host_key_${ktype} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+			fail "couldn't sign cert_host_key_${ktype}"
+		(
+			echon "$HOSTS "
+			cat $OBJ/cert_host_key_${ktype}.pub
+		) > $OBJ/known_hosts-cert
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+		) > $OBJ/sshd_proxy
+		
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
 done

 # Wrong certificate
@ -187,25 +209,31 @@ done
 	echon "$HOSTS "
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
-	# Self-sign key
-	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
-	    -I "regress host key for $USER" \
-	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		fail "couldn't sign cert_host_key_${ktype}"
-	verbose "$tid: host ${ktype} connect wrong cert"
-	(
-		cat $OBJ/sshd_proxy_bak
-		echo HostKey $OBJ/cert_host_key_${ktype}
-		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-	) > $OBJ/sshd_proxy
-
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		fail "ssh cert connect $ident succeeded unexpectedly"
-	fi
+for v in v01 v00 ;  do 
+	for kt in rsa dsa ; do 
+		rm -f $OBJ/cert_host_key*
+		# Self-sign key
+		${SSHKEYGEN} -q -N '' -t ${kt} \
+		    -f $OBJ/cert_host_key_${kt} || \
+			fail "ssh-keygen of cert_host_key_${kt} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		verbose "$tid: host ${kt} connect wrong cert"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
+	
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect $ident succeeded unexpectedly"
+		fi
+	done
 done

 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
+	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+		fail "couldn't sign cert_user_key_${ktype}_v00"
 done

 basic_tests() {
@ -35,7 +41,7 @@ basic_tests() {
 		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 	fi
 	
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
 			# Simple connect
@ -108,39 +114,41 @@ test_one() {
 	fi

 	for auth in $auth_choice ; do
-		cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-		if test "x$auth" = "xauthorized_keys" ; then
-			# Add CA to authorized_keys
-			(
-				echon 'cert-authority '
-				cat $OBJ/user_ca_key.pub
-			) > $OBJ/authorized_keys_$USER
-		else
-			echo > $OBJ/authorized_keys_$USER
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
-			    $OBJ/sshd_proxy
-
-		fi
-		
-		verbose "$tid: $ident auth $auth expect $result"
-		${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-		    -I "regress user key for $USER" \
-		    $sign_opts \
-		    $OBJ/cert_user_key_rsa ||
-			fail "couldn't sign cert_user_key_rsa"
+		for ktype in rsa rsa_v00 ; do
+			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+			if test "x$auth" = "xauthorized_keys" ; then
+				# Add CA to authorized_keys
+				(
+					echon 'cert-authority '
+					cat $OBJ/user_ca_key.pub
+				) > $OBJ/authorized_keys_$USER
+			else
+				echo > $OBJ/authorized_keys_$USER
+				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
+				    >> $OBJ/sshd_proxy
 	
-		${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-		    somehost true >/dev/null 2>&1
-		rc=$?
-		if [ "x$result" = "xsuccess" ] ; then
-			if [ $rc -ne 0 ]; then
-				fail "$ident failed unexpectedly"
 			fi
-		else
-			if [ $rc -eq 0 ]; then
-				fail "$ident succeeded unexpectedly"
+			
+			verbose "$tid: $ident auth $auth expect $result $ktype"
+			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+			    -I "regress user key for $USER" \
+			    $sign_opts \
+			    $OBJ/cert_user_key_${ktype} ||
+				fail "couldn't sign cert_user_key_${ktype}"
+
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			rc=$?
+			if [ "x$result" = "xsuccess" ] ; then
+				if [ $rc -ne 0 ]; then
+					fail "$ident failed unexpectedly"
+				fi
+			else
+				if [ $rc -eq 0 ]; then
+					fail "$ident succeeded unexpectedly"
+				fi
 			fi
-		fi
+		done
 	done
 }

@ -158,9 +166,13 @@ test_one "empty principals"	success "" authorized_keys
 test_one "empty principals"	failure "" TrustedUserCAKeys

 # Wrong certificate
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+	case $ktype in
+	*_v00) args="-t v00" ;;
+	*) args="" ;;
+	esac
 	# Self-sign
-	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"