- OpenBSD CVS Sync

- djm@cvs.openbsd.org 2010/04/16 01:58:45
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     regression tests for v01 certificate format
     includes interop tests for v00 certs

ChangeLog

@@ -9,6 +9,10 @@
    - djm@cvs.openbsd.org 2010/04/16 21:14:27
      [sshconnect.c]
      oops, %r => remote username, not %u
+   - djm@cvs.openbsd.org 2010/04/16 01:58:45
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     regression tests for v01 certificate format
+     includes interop tests for v00 certs
 
 20100416
  - (djm) Release openssh-5.5p1

regress/cert-hostkey.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 		fail "couldn't sign cert_host_key_${ktype}"
+	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+		fail "couldn't sign cert_host_key_${ktype}_v00"
 done
 
 # Basic connect tests
 for privsep in yes no ; do
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00; do 
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
 	echon '@revoked '
 	echon "* "
 	cat $OBJ/cert_host_key_dsa.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_rsa_v00.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00; do 
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
 	echon "* "
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
 	ident=$1
 	result=$2
 	sign_opts=$3
+
+	for kt in rsa rsa_v00 ; do
+		case $kt in
+		*_v00) args="-t v00" ;;
+		*) args="" ;;
+		esac
+
+		verbose "$tid: host cert connect $ident $kt expect $result"
+		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    $sign_opts $args \
+		    $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
 	
-	verbose "$tid: test host cert connect $ident expect $result"
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-	${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	    $sign_opts \
+		rc=$?
-	    $OBJ/cert_host_key_rsa ||
+		if [ "x$result" = "xsuccess" ] ; then
-		fail "couldn't sign cert_host_key_rsa"
+			if [ $rc -ne 0 ]; then
-	(
+				fail "ssh cert connect $ident failed unexpectedly"
-		cat $OBJ/sshd_proxy_bak
+			fi
-		echo HostKey $OBJ/cert_host_key_rsa
+		else
-		echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
+			if [ $rc -eq 0 ]; then
-	) > $OBJ/sshd_proxy
+				fail "ssh cert connect $ident succeeded unexpectedly"
-
+			fi
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-	rc=$?
-	if [ "x$result" = "xsuccess" ] ; then
-		if [ $rc -ne 0 ]; then
-			fail "ssh cert connect $ident failed unexpectedly"
 		fi
-	else
+	done
-		if [ $rc -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
-		fi
-	fi
 }
 
 test_one "user-certificate"	failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints"	failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
-rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+for v in v01 v00 ;  do 
-for ktype in rsa dsa ; do 
+	for ktype in rsa dsa ; do 
-	verbose "$tid: host ${ktype} cert downgrade to raw key"
+		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-	# Generate and sign a host key
+		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-	${SSHKEYGEN} -q -N '' -t ${ktype} \
+		# Generate and sign a host key
-	    -f $OBJ/cert_host_key_${ktype} || \
+		${SSHKEYGEN} -q -N '' -t ${ktype} \
-		fail "ssh-keygen of cert_host_key_${ktype} failed"
+		    -f $OBJ/cert_host_key_${ktype} || \
-	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
+			fail "ssh-keygen of cert_host_key_${ktype} failed"
-	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-		fail "couldn't sign cert_host_key_${ktype}"
+		    -I "regress host key for $USER" \
-	(
+		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		echon "$HOSTS "
+			fail "couldn't sign cert_host_key_${ktype}"
-		cat $OBJ/cert_host_key_${ktype}.pub
+		(
-	) > $OBJ/known_hosts-cert
+			echon "$HOSTS "
-	(
+			cat $OBJ/cert_host_key_${ktype}.pub
-		cat $OBJ/sshd_proxy_bak
+		) > $OBJ/known_hosts-cert
-		echo HostKey $OBJ/cert_host_key_${ktype}
+		(
-		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			cat $OBJ/sshd_proxy_bak
-	) > $OBJ/sshd_proxy
+			echo HostKey $OBJ/cert_host_key_${ktype}
-	
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		) > $OBJ/sshd_proxy
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		
-		-F $OBJ/ssh_proxy somehost true
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-	if [ $? -ne 0 ]; then
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-		fail "ssh cert connect failed"
+			-F $OBJ/ssh_proxy somehost true
-	fi
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
 done
 
 # Wrong certificate
@@ -187,25 +209,31 @@ done
 	echon "$HOSTS "
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa ; do 
+for v in v01 v00 ;  do 
-	# Self-sign key
+	for kt in rsa dsa ; do 
-	${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \
+		rm -f $OBJ/cert_host_key*
-	    -I "regress host key for $USER" \
+		# Self-sign key
-	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		${SSHKEYGEN} -q -N '' -t ${kt} \
-		fail "couldn't sign cert_host_key_${ktype}"
+		    -f $OBJ/cert_host_key_${kt} || \
-	verbose "$tid: host ${ktype} connect wrong cert"
+			fail "ssh-keygen of cert_host_key_${kt} failed"
-	(
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-		cat $OBJ/sshd_proxy_bak
+		    -I "regress host key for $USER" \
-		echo HostKey $OBJ/cert_host_key_${ktype}
+		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			fail "couldn't sign cert_host_key_${kt}"
-	) > $OBJ/sshd_proxy
+		verbose "$tid: host ${kt} connect wrong cert"
-
+		(
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+			cat $OBJ/sshd_proxy_bak
-	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			echo HostKey $OBJ/cert_host_key_${kt}
-		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-	if [ $? -eq 0 ]; then
+		) > $OBJ/sshd_proxy
-		fail "ssh cert connect $ident succeeded unexpectedly"
+	
-	fi
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect $ident succeeded unexpectedly"
+		fi
+	done
 done
 
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*

regress/cert-userkey.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
+	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
+		fail "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
 		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 	fi
 	
-	for ktype in rsa dsa ; do 
+	for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
 			# Simple connect
@@ -108,39 +114,41 @@ test_one() {
 	fi
 
 	for auth in $auth_choice ; do
-		cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+		for ktype in rsa rsa_v00 ; do
-		if test "x$auth" = "xauthorized_keys" ; then
+			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-			# Add CA to authorized_keys
+			if test "x$auth" = "xauthorized_keys" ; then
-			(
+				# Add CA to authorized_keys
-				echon 'cert-authority '
+				(
-				cat $OBJ/user_ca_key.pub
+					echon 'cert-authority '
-			) > $OBJ/authorized_keys_$USER
+					cat $OBJ/user_ca_key.pub
-		else
+				) > $OBJ/authorized_keys_$USER
-			echo > $OBJ/authorized_keys_$USER
+			else
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+				echo > $OBJ/authorized_keys_$USER
-			    $OBJ/sshd_proxy
+				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
-
+				    >> $OBJ/sshd_proxy
-		fi
-		
-		verbose "$tid: $ident auth $auth expect $result"
-		${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-		    -I "regress user key for $USER" \
-		    $sign_opts \
-		    $OBJ/cert_user_key_rsa ||
-			fail "couldn't sign cert_user_key_rsa"
 	
-		${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-		    somehost true >/dev/null 2>&1
-		rc=$?
-		if [ "x$result" = "xsuccess" ] ; then
-			if [ $rc -ne 0 ]; then
-				fail "$ident failed unexpectedly"
 			fi
-		else
+			
-			if [ $rc -eq 0 ]; then
+			verbose "$tid: $ident auth $auth expect $result $ktype"
-				fail "$ident succeeded unexpectedly"
+			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+			    -I "regress user key for $USER" \
+			    $sign_opts \
+			    $OBJ/cert_user_key_${ktype} ||
+				fail "couldn't sign cert_user_key_${ktype}"
+
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			rc=$?
+			if [ "x$result" = "xsuccess" ] ; then
+				if [ $rc -ne 0 ]; then
+					fail "$ident failed unexpectedly"
+				fi
+			else
+				if [ $rc -eq 0 ]; then
+					fail "$ident succeeded unexpectedly"
+				fi
 			fi
-		fi
+		done
 	done
 }
 
@@ -158,9 +166,13 @@ test_one "empty principals"	success "" authorized_keys
 test_one "empty principals"	failure "" TrustedUserCAKeys
 
 # Wrong certificate
-for ktype in rsa dsa ; do 
+for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
+	case $ktype in
+	*_v00) args="-t v00" ;;
+	*) args="" ;;
+	esac
 	# Self-sign
-	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
+	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"