upstream commit

unit and regress tests for SHA256/512; ok markus Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
2016-05-02 09:52:00 +00:00 · 2016-05-02 09:52:00 +00:00 · 67f1459efd
parent 0e8eeec8e7
commit 67f1459efd
3 changed files with 102 additions and 77 deletions
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 HOSTS='localhost-with-alias,127.0.0.1,::1'

-# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
+kh_ca() {
+	for k in "$@" ; do
+		printf "@cert-authority $HOSTS "
+		cat $OBJ/$k || fatal "couldn't cat $k"
+	done
+}
+kh_revoke() {
+	for k in "$@" ; do
+		printf "@revoked * "
+		cat $OBJ/$k || fatal "couldn't cat $k"
+	done
+}
+
+# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
+# RSA for testing RSA/SHA2 signatures.
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/host_ca_key ||\
 	fail "ssh-keygen of host_ca_key failed"
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key2 ||\
+	fail "ssh-keygen of host_ca_key failed"
+
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

 # Plain text revocation files
 touch $OBJ/host_revoked_empty
 touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
-cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca

 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`

+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
+
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
-${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
+${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
 	|| fatal "KRL init failed"

 # Generate and sign host keys
 serial=1
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
 	verbose "$tid: sign host ${ktype} cert"
 	# Generate and sign a host key
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
 	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
 	    $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
 	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
-	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+	*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+	esac
+	${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 		fatal "couldn't sign cert_host_key_${ktype}"
@ -100,7 +121,7 @@ attempt_connect() {

 # Basic connect and revocation tests.
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES ; do 
+	for ktype in $PLAIN_TYPES ; do
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@ -131,18 +152,14 @@ for privsep in yes no ; do
 done

 # Revoked certificates with key present
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-	for ktype in $PLAIN_TYPES ; do
-		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
-	done
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
+for ktype in $PLAIN_TYPES ; do
+	test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
+done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES ; do 
+	for ktype in $PLAIN_TYPES ; do
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@ -162,16 +179,10 @@ for privsep in yes no ; do
 done

 # Revoked CA
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
+kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
 done

 # Create a CA key and add it to known hosts
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

 test_one() {
@ -201,16 +208,19 @@ test_one() {
 	sign_opts=$3

 	for kt in rsa ed25519 ; do
-		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-		    -I "regress host key for $USER" \
+		case $ktype in
+		rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+		*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+		esac
+		${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
 		    $sign_opts $OBJ/cert_host_key_${kt} ||
-			fail "couldn't sign cert_host_key_${kt}"
+			fatal "couldn't sign cert_host_key_${kt}"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${kt}
 			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
 		) > $OBJ/sshd_proxy
-	
+
 		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@ -237,17 +247,20 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints"	failure "-h -Oforce-command=false"

 # Check downgrade of cert to raw key when no CA found
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
 	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
 	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
 	# Generate and sign a host key
-	${SSHKEYGEN} -q -N '' -t ${ktype} \
-	    -f $OBJ/cert_host_key_${ktype} || \
+	${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
 		fail "ssh-keygen of cert_host_key_${ktype} failed"
-	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+	*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+	esac
+	${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		fail "couldn't sign cert_host_key_${ktype}"
+		fatal "couldn't sign cert_host_key_${ktype}"
 	(
 		printf "$HOSTS "
 		cat $OBJ/cert_host_key_${ktype}.pub
@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
 		echo HostKey $OBJ/cert_host_key_${ktype}
 		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 	) > $OBJ/sshd_proxy
-	
+
 	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 		-F $OBJ/ssh_proxy somehost true
@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
 done

 # Wrong certificate
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for kt in $PLAIN_TYPES ; do 
+for kt in $PLAIN_TYPES ; do
+	verbose "$tid: host ${kt} connect wrong cert"
 	rm -f $OBJ/cert_host_key*
 	# Self-sign key
-	${SSHKEYGEN} -q -N '' -t ${kt} \
-	    -f $OBJ/cert_host_key_${kt} || \
+	${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
 		fail "ssh-keygen of cert_host_key_${kt} failed"
-	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+	case $kt in
+	rsa-sha2-*)	tflag="-t $kt" ;;
+	*)		tflag="" ;;
+	esac
+	${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-		fail "couldn't sign cert_host_key_${kt}"
-	verbose "$tid: host ${kt} connect wrong cert"
+		fatal "couldn't sign cert_host_key_${kt}"
 	(
 		cat $OBJ/sshd_proxy_bak
 		echo HostKey $OBJ/cert_host_key_${kt}
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak

 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`

+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
+
 kname() {
-	n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
-	echo "$n*,ssh-rsa*,ssh-ed25519*"
+	case $ktype in
+	rsa-sha2-*) ;;
+	*) printf $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;;
+	esac
+ 	echo "*,ssh-rsa*,ssh-ed25519*"
 }

 # Create a CA key
@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"

 # Generate and sign user keys
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
 	verbose "$tid: sign user ${ktype} cert"
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
 	    -f $OBJ/cert_user_key_${ktype} || \
-		fail "ssh-keygen of cert_user_key_${ktype} failed"
-	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-	    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
-		fail "couldn't sign cert_user_key_${ktype}"
+		fatal "ssh-keygen of cert_user_key_${ktype} failed"
+	# Generate RSA/SHA2 certs for rsa-sha2* keys.
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype" ;;
+	*)		tflag="" ;;
+	esac
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
+	    -I "regress user key for $USER" \
+	    -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
+		fatal "couldn't sign cert_user_key_${ktype}"
 done

 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
 	for privsep in yes no ; do
 		_prefix="${ktype} privsep $privsep"
@ -67,7 +80,7 @@ for ktype in $PLAIN_TYPES ; do
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
 		fi
-	
+
 		# Wrong authorized_principals
 		verbose "$tid: ${_prefix} wrong authorized_principals"
 		echo gregorsamsa > $OBJ/authorized_principals_$USER
@ -166,8 +179,8 @@ basic_tests() {
 		echo > $OBJ/authorized_keys_$USER
 		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 	fi
-	
-	for ktype in $PLAIN_TYPES ; do 
+
+	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
@ -183,7 +196,7 @@ basic_tests() {
 				cat $OBJ/ssh_proxy_bak
 				echo "PubkeyAcceptedKeyTypes ${t}"
 			) > $OBJ/ssh_proxy
-	
+
 			${SSH} -2i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true
 			if [ $? -ne 0 ]; then
@ -223,7 +236,7 @@ basic_tests() {
 				fail "ssh cert connect failed"
 			fi
 		done
-	
+
 		# Revoked CA
 		verbose "$tid: ${ktype} $auth revoked CA key"
 		(
@ -238,7 +251,7 @@ basic_tests() {
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
 	done
-	
+
 	verbose "$tid: $auth CA does not authenticate"
 	(
 		cat $OBJ/sshd_proxy_bak
@ -286,7 +299,7 @@ test_one() {
 					echo $auth_opt >> $OBJ/sshd_proxy
 				fi
 			fi
-			
+
 			verbose "$tid: $ident auth $auth expect $result $ktype"
 			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
 			    -I "regress user key for $USER" \
@ -342,13 +355,13 @@ test_one "principals key option no principals" failure "" \

 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES ; do
 	t=$(kname $ktype)
 	# Self-sign
 	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
-		fail "couldn't sign cert_user_key_${ktype}"
+		fatal "couldn't sign cert_user_key_${ktype}"
 	verbose "$tid: user ${ktype} connect wrong cert"
 	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 	    somehost true >/dev/null 2>&1
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */
+/* 	$OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@ -455,7 +455,7 @@ sshkey_tests(void)
 	put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
 	put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
 	ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
-	ASSERT_INT_EQ(sshkey_certify(k1, k2), 0);
+	ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0);
 	b = sshbuf_new();
 	ASSERT_PTR_NE(b, NULL);
 	ASSERT_INT_EQ(sshkey_putb(k1, b), 0);