- djm@cvs.openbsd.org 2010/03/04 10:38:23

[regress/cert-hostkey.sh regress/cert-userkey.sh] additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 21:58:01 +11:00 · 2010-03-04 21:58:01 +11:00 · 700dcfa3e0
parent 017d1e777e
commit 700dcfa3e0
3 changed files with 185 additions and 47 deletions
--- a/3
+++ b/3
@ -39,6 +39,9 @@
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
+   - djm@cvs.openbsd.org 2010/03/04 10:38:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     additional regression tests for revoked keys and TrustedUserCAKeys

 20100303
 - (djm) [PROTOCOL.certkeys] Add RCS Ident
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -50,6 +50,68 @@ for privsep in yes no ; do
 	done
 done

+# Revoked certificates with key present
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_rsa.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/cert_host_key_dsa.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+	for ktype in rsa dsa ; do 
+		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	done
+done
+
+# Revoked CA
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echon '@revoked '
+	echon "* "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ; do 
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
+
+# Create a CA key and add it to known hosts
+(
+	echon '@cert-authority '
+	echon "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
 test_one() {
 	ident=$1
 	result=$2
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -6,13 +6,9 @@ tid="certified user keys"
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

-# Create a CA key and add it to authorized_keys
+# Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
-(
-	echon 'cert-authority '
-	cat $OBJ/user_ca_key.pub
-) > $OBJ/authorized_keys_$USER

 # Generate and sign user keys
 for ktype in rsa dsa ; do 
@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
 		fail "couldn't sign cert_user_key_${ktype}"
 done

-# Basic connect tests
-for privsep in yes no ; do
+basic_tests() {
+	auth=$1
+	if test "x$auth" = "xauthorized_keys" ; then
+		# Add CA to authorized_keys
+		(
+			echon 'cert-authority '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+	else
+		echo > $OBJ/authorized_keys_$USER
+		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	fi
+	
 	for ktype in rsa dsa ; do 
-		verbose "$tid: user ${ktype} cert connect privsep $privsep"
+		for privsep in yes no ; do
+			_prefix="${ktype} privsep $privsep $auth"
+			# Simple connect
+			verbose "$tid: ${_prefix} connect"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+	
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
+
+			# Revoked keys
+			verbose "$tid: ${_prefix} revoked key"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+		done
+	
+		# Revoked CA
+		verbose "$tid: ${ktype} $auth revoked CA key"
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
+			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-
 		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
-		    somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
+		    somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
 		fi
 	done
-done
+	
+	verbose "$tid: $auth CA does not authenticate"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	verbose "$tid: ensure CA key does not authenticate user"
+	${SSH} -2i $OBJ/user_ca_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect with CA key succeeded unexpectedly"
+	fi
+}

-verbose "$tid: ensure CA key does not authenticate user"
-${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-	fail "ssh cert connect with CA key succeeded unexpectedly"
-fi
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys

 test_one() {
 	ident=$1
 	result=$2
 	sign_opts=$3
-	
-	verbose "$tid: test user cert connect $ident expect $result"
+	auth_choice=$4

-	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-	    $sign_opts \
-	    $OBJ/cert_user_key_rsa ||
-		fail "couldn't sign cert_user_key_rsa"
-
-	${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
-	    somehost true >/dev/null 2>&1
-	rc=$?
-	if [ "x$result" = "xsuccess" ] ; then
-		if [ $rc -ne 0 ]; then
-			fail "ssh cert connect $ident failed unexpectedly"
-		fi
-	else
-		if [ $rc -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
-		fi
+	if test "x$auth_choice" = "x" ; then
+		auth_choice="authorized_keys TrustedUserCAKeys"
 	fi
-	cleanup
+
+	for auth in $auth_choice ; do
+		cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+		if test "x$auth" = "xauthorized_keys" ; then
+			# Add CA to authorized_keys
+			(
+				echon 'cert-authority '
+				cat $OBJ/user_ca_key.pub
+			) > $OBJ/authorized_keys_$USER
+		else
+			echo > $OBJ/authorized_keys_$USER
+			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
+			    $OBJ/sshd_proxy
+
+		fi
+		
+		verbose "$tid: $ident auth $auth expect $result"
+		${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+		    -I "regress user key for $USER" \
+		    $sign_opts \
+		    $OBJ/cert_user_key_rsa ||
+			fail "couldn't sign cert_user_key_rsa"
+	
+		${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
+		    somehost true >/dev/null 2>&1
+		rc=$?
+		if [ "x$result" = "xsuccess" ] ; then
+			if [ $rc -ne 0 ]; then
+				fail "$ident failed unexpectedly"
+			fi
+		else
+			if [ $rc -eq 0 ]; then
+				fail "$ident succeeded unexpectedly"
+			fi
+		fi
+	done
 }

-test_one "host-certificate"	failure "-h"
-test_one "empty principals"	success ""
+test_one "correct principal"	success "-n ${USER}"
+test_one "host-certificate"	failure "-n ${USER} -h"
 test_one "wrong principals"	failure "-n foo"
-test_one "cert not yet valid"	failure "-V20200101:20300101"
-test_one "cert expired"		failure "-V19800101:19900101"
-test_one "cert valid interval"	success "-V-1w:+2w"
-test_one "wrong source-address"	failure "-Osource-address=10.0.0.0/8"
-test_one "force-command"	failure "-Oforce-command=false"
+test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
+
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals"	success "" authorized_keys
+test_one "empty principals"	failure "" TrustedUserCAKeys

 # Wrong certificate
 for ktype in rsa dsa ; do 
@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
 done

 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+