tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-28 16:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream commit

Browse Source 
legacy v00 certificates are gone; adapt and don't try to
 test them; "sure" markus@ dtucker@

Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
This commit is contained in:
djm@openbsd.org 2015-07-03 04:39:23 +00:00 committed by Damien Miller
parent 0c4123ad5e
commit 6a977a4b68
3 changed files with 67 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
regress/cert-hostkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ # $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified host keys" tid="certified host keys"
@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
type_has_legacy() {
case $1 in
ed25519*|ecdsa*) return 1 ;;
esac
return 0
}
# Prepare certificate, plain key and CA KRLs # Prepare certificate, plain key and CA KRLs
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
fatal "KRL update failed" fatal "KRL update failed"
cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
serial=`expr $serial + 1` serial=`expr $serial + 1`
type_has_legacy $ktype || continue
cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
verbose "$tid: sign host ${ktype}_v00 cert"
${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
fatal "couldn't sign cert_host_key_${ktype}_v00"
${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
$OBJ/cert_host_key_${ktype}_v00-cert.pub || \
fatal "KRL update failed"
cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
done done
attempt_connect() { attempt_connect() {
@ -98,7 +79,7 @@ attempt_connect() {
# Basic connect and revocation tests. # Basic connect and revocation tests.
for privsep in yes no ; do for privsep in yes no ; do
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} cert connect privsep $privsep" verbose "$tid: host ${ktype} cert connect privsep $privsep"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
@ -133,14 +114,14 @@ done
printf '@cert-authority ' printf '@cert-authority '
printf "$HOSTS " printf "$HOSTS "
cat $OBJ/host_ca_key.pub cat $OBJ/host_ca_key.pub
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do for ktype in $PLAIN_TYPES ; do
test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
done done
) > $OBJ/known_hosts-cert.orig ) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for privsep in yes no ; do for privsep in yes no ; do
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep" verbose "$tid: host ${ktype} revoked cert privsep $privsep"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
@ -169,7 +150,7 @@ done
cat $OBJ/host_ca_key.pub cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert.orig ) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} revoked cert" verbose "$tid: host ${ktype} revoked cert"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
@ -198,17 +179,10 @@ test_one() {
result=$2 result=$2
sign_opts=$3 sign_opts=$3
for kt in rsa rsa_v00 ; do for kt in rsa ed25519 ; do
case $kt in
*_v00) args="-t v00" ;;
*) args="" ;;
esac
verbose "$tid: host cert connect $ident $kt expect $result"
${SSHKEYGEN} -q -s $OBJ/host_ca_key \ ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \ -I "regress host key for $USER" \
$sign_opts $args \ $sign_opts $OBJ/cert_host_key_${kt} ||
$OBJ/cert_host_key_${kt} ||
fail "couldn't sign cert_host_key_${kt}" fail "couldn't sign cert_host_key_${kt}"
( (
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false" test_one "cert has constraints" failure "-h -Oforce-command=false"
# Check downgrade of cert to raw key when no CA found # Check downgrade of cert to raw key when no CA found
for v in v01 v00 ; do for ktype in $PLAIN_TYPES ; do
for ktype in $PLAIN_TYPES ; do rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
type_has_legacy $ktype || continue verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* # Generate and sign a host key
verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" ${SSHKEYGEN} -q -N '' -t ${ktype} \
# Generate and sign a host key -f $OBJ/cert_host_key_${ktype} || \
${SSHKEYGEN} -q -N '' -t ${ktype} \ fail "ssh-keygen of cert_host_key_${ktype} failed"
-f $OBJ/cert_host_key_${ktype} || \ ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
fail "ssh-keygen of cert_host_key_${ktype} failed" -I "regress host key for $USER" \
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-I "regress host key for $USER" \ fail "couldn't sign cert_host_key_${ktype}"
-n $HOSTS $OBJ/cert_host_key_${ktype} || (
fail "couldn't sign cert_host_key_${ktype}" printf "$HOSTS "
( cat $OBJ/cert_host_key_${ktype}.pub
printf "$HOSTS " ) > $OBJ/known_hosts-cert
cat $OBJ/cert_host_key_${ktype}.pub (
) > $OBJ/known_hosts-cert cat $OBJ/sshd_proxy_bak
( echo HostKey $OBJ/cert_host_key_${ktype}
cat $OBJ/sshd_proxy_bak echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
echo HostKey $OBJ/cert_host_key_${ktype} ) > $OBJ/sshd_proxy
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy somehost true
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ if [ $? -ne 0 ]; then
-F $OBJ/ssh_proxy somehost true fail "ssh cert connect failed"
if [ $? -ne 0 ]; then fi
fail "ssh cert connect failed"
fi
done
done done
# Wrong certificate # Wrong certificate
@ -281,33 +252,30 @@ done
cat $OBJ/host_ca_key.pub cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert.orig ) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for v in v01 v00 ; do for kt in $PLAIN_TYPES ; do
for kt in $PLAIN_TYPES ; do rm -f $OBJ/cert_host_key*
type_has_legacy $kt || continue # Self-sign key
rm -f $OBJ/cert_host_key* ${SSHKEYGEN} -q -N '' -t ${kt} \
# Self-sign key -f $OBJ/cert_host_key_${kt} || \
${SSHKEYGEN} -q -N '' -t ${kt} \ fail "ssh-keygen of cert_host_key_${kt} failed"
-f $OBJ/cert_host_key_${kt} || \ ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
fail "ssh-keygen of cert_host_key_${kt} failed" -I "regress host key for $USER" \
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ -n $HOSTS $OBJ/cert_host_key_${kt} ||
-I "regress host key for $USER" \ fail "couldn't sign cert_host_key_${kt}"
-n $HOSTS $OBJ/cert_host_key_${kt} || verbose "$tid: host ${kt} connect wrong cert"
fail "couldn't sign cert_host_key_${kt}" (
verbose "$tid: host ${kt} connect wrong cert" cat $OBJ/sshd_proxy_bak
( echo HostKey $OBJ/cert_host_key_${kt}
cat $OBJ/sshd_proxy_bak echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
echo HostKey $OBJ/cert_host_key_${kt} ) > $OBJ/sshd_proxy
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
) > $OBJ/sshd_proxy cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ if [ $? -eq 0 ]; then
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 fail "ssh cert connect $ident succeeded unexpectedly"
if [ $? -eq 0 ]; then fi
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
done done
rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*

39
regress/cert-userkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ # $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="certified user keys" tid="certified user keys"
@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
type_has_legacy() {
case $1 in
ed25519*|ecdsa*) return 1 ;;
esac
return 0
}
# Create a CA key # Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed" fail "ssh-keygen of user_ca_key failed"
@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}" fail "couldn't sign cert_user_key_${ktype}"
type_has_legacy $ktype || continue
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
verbose "$tid: sign host ${ktype}_v00 cert"
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
fatal "couldn't sign cert_user_key_${ktype}_v00"
done done
# Test explicitly-specified principals # Test explicitly-specified principals
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for ktype in $PLAIN_TYPES ; do
for privsep in yes no ; do for privsep in yes no ; do
_prefix="${ktype} privsep $privsep" _prefix="${ktype} privsep $privsep"
@ -165,7 +150,7 @@ basic_tests() {
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi fi
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for ktype in $PLAIN_TYPES ; do
for privsep in yes no ; do for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth" _prefix="${ktype} privsep $privsep $auth"
# Simple connect # Simple connect
@ -257,12 +242,7 @@ test_one() {
fi fi
for auth in $auth_choice ; do for auth in $auth_choice ; do
for ktype in rsa rsa_v00 ; do for ktype in rsa ed25519 ; do
case $ktype in
*_v00) keyv="-t v00" ;;
*) keyv="" ;;
esac
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys # Add CA to authorized_keys
@ -282,8 +262,7 @@ test_one() {
verbose "$tid: $ident auth $auth expect $result $ktype" verbose "$tid: $ident auth $auth expect $result $ktype"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \ ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \ -I "regress user key for $USER" \
$sign_opts $keyv \ $sign_opts $OBJ/cert_user_key_${ktype} ||
$OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}" fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
# Wrong certificate # Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for ktype in $PLAIN_TYPES ; do
case $ktype in
*_v00) args="-t v00" ;;
*) args="" ;;
esac
# Self-sign # Self-sign
${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \ "regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} || -n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}" fail "couldn't sign cert_user_key_${ktype}"

4
regress/unittests/sshkey/test_sshkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */ /* $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
/* /*
* Regress test for sshkey.h key management API * Regress test for sshkey.h key management API
* *
@ -424,7 +424,7 @@ sshkey_tests(void)
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"), ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
&k1, NULL), 0); &k1, NULL), 0);
k2 = get_private("ed25519_2"); k2 = get_private("ed25519_2");
ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0); ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
ASSERT_PTR_NE(k1->cert, NULL); ASSERT_PTR_NE(k1->cert, NULL);
k1->cert->type = SSH2_CERT_TYPE_USER; k1->cert->type = SSH2_CERT_TYPE_USER;
k1->cert->serial = 1234; k1->cert->serial = 1234;