upstream: test FIDO2/U2F key types; ok markus@

OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
2019-11-26 23:43:10 +00:00 · 2019-11-26 23:43:10 +00:00 · ad44ca81be
parent c6efa8a91a
commit ad44ca81be
18 changed files with 142 additions and 74 deletions
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $
+#	$OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="disallow agent attach from other uid"
@ -26,7 +26,7 @@ case "x$SUDO" in
 esac

 trace "start agent"
-eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fail "could not start ssh-agent: exit code $r"
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $
+#	$OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="pkcs11 agent test"
@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\
    softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fail "could not start ssh-agent: exit code $r"
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@ -41,7 +41,7 @@ else
 fi

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fail "could not start ssh-agent: exit code $r"
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $
+#	$OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="agent timeout test"
@ -6,7 +6,7 @@ tid="agent timeout test"
 SSHAGENT_TIMEOUT=10

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fail "could not start ssh-agent: exit code $r"
--- a/regress/agent.sh
+++ b/regress/agent.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $
+#	$OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="simple agent test"
@ -8,8 +8,8 @@ if [ $? -ne 2 ]; then
 	fail "ssh-add -l did not fail with exit code 2"
 fi

-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fatal "could not start ssh-agent: exit code $r"
@ -39,9 +39,9 @@ for t in ${SSH_KEYTYPES}; do
 	# add to authorized keys
 	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
 	# add privat key to agent
-	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+	${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
 	if [ $? -ne 0 ]; then
-		fail "ssh-add did succeed exit code 0"
+		fail "ssh-add failed exit code $?"
 	fi
 	# Remove private key to ensure that we aren't accidentally using it.
 	rm -f $OBJ/$t-agent
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
+#	$OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="ssh with certificates"
@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then
 fi

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fatal "could not start ssh-agent: exit code $r"
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.19 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.20 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
 # Allow all hostkey/pubkey types, prefer certs for the client
 rsa=0
 types=""
-for i in `$SSH -Q key | grep -v ^sk-`; do
+for i in `$SSH -Q key | filter_sk`; do
 	if [ -z "$types" ]; then
 		types="$i"
 		continue
@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
 cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca

-PLAIN_TYPES=`$SSH -Q key-plain  | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain  | filter_sk | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`

 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.22 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.23 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak

-PLAIN_TYPES=`$SSH -Q key-plain | grep -v ^sk- | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 EXTRA_TYPES=""
 rsa=""

@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
 fi

 kname() {
-	case $ktype in
-	rsa-sha2-*) n="$ktype" ;;
+	case $1 in
+	rsa-sha2-*) n="$1" ;;
+	sk-ecdsa-*) n="sk-ecdsa" ;;
+	sk-ssh-ed25519*) n="sk-ssh-ed25519" ;;
 	# subshell because some seds will add a newline
 	*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
 	esac
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.8 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="hostkey agent"
@ -6,7 +6,7 @@ tid="hostkey agent"
 rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 [ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r"

@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
 echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig

 trace "load hostkeys"
-for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+for k in `${SSH} -Q key-plain | filter_sk` ; do
 	${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
 	(
 		printf 'localhost-with-alias,127.0.0.1,::1 '
@ -31,7 +31,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
 unset SSH_AUTH_SOCK

 for ps in no yes; do
-	for k in `${SSH} -Q key-plain | grep -v ^sk-` ; do
+	for k in `${SSH} -Q key-plain | filter_sk` ; do
 		verbose "key type $k privsep=$ps"
 		cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
 		echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@ -1,11 +1,8 @@
-#	$OpenBSD: hostkey-rotate.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="hostkey rotate"

-# Need full names here since they are used in HostKeyAlgorithms
-HOSTKEY_TYPES="`${SSH} -Q key-plain | grep -v ^sk-`"
-
 rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig

 grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
@ -20,7 +17,7 @@ secondary="$primary"
 trace "prepare hostkeys"
 nkeys=0
 all_algs=""
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
 	${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
 	echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
 	nkeys=`expr $nkeys + 1`
@ -67,12 +64,12 @@ verbose "learn additional hostkeys"
 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
 # Check that other keys learned
 expect_nkeys $nkeys "learn hostkeys"
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
 	check_key_present $k || fail "didn't learn keytype $k"
 done

 # Check each key type
-for k in $HOSTKEY_TYPES; do
+for k in $SSH_HOSTKEY_TYPES; do
 	verbose "learn additional hostkeys, type=$k"
 	dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
 	expect_nkeys $nkeys "learn hostkeys $k"
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: keygen-change.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: keygen-change.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="change passphrase for key"
@ -6,10 +6,9 @@ tid="change passphrase for key"
 S1="secret1"
 S2="2secret"

-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | maybe_filter_sk`

 for t in $KEYTYPES; do
-	# generate user key for agent
 	trace "generating $t key"
 	rm -f $OBJ/$t-key
 	${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@ -1,9 +1,9 @@
-#	$OpenBSD: keyscan.sh,v 1.10 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: keyscan.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="keyscan"

-KEYTYPES=`${SSH} -Q key-plain | grep -v ^sk-`
+KEYTYPES=`${SSH} -Q key-plain | filter_sk`
 for i in $KEYTYPES; do
 	if [ -z "$algs" ]; then
 		algs="$i"
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $
+#	$OpenBSD: keytype.sh,v 1.9 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="login with different key types"
@ -16,43 +16,60 @@ for i in ${SSH_KEYTYPES}; do
 		ecdsa-sha2-nistp256)	ktypes="$ktypes ecdsa-256" ;;
 		ecdsa-sha2-nistp384)	ktypes="$ktypes ecdsa-384" ;;
 		ecdsa-sha2-nistp521)	ktypes="$ktypes ecdsa-521" ;;
+		sk-ssh-ed25519*)	ktypes="$ktypes ed25519-sk" ;;
+		sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
 	esac
 done

 for kt in $ktypes; do
 	rm -f $OBJ/key.$kt
-	bits=`echo ${kt} | awk -F- '{print $2}'`
-	type=`echo ${kt}  | awk -F- '{print $1}'`
+	xbits=`echo ${kt} | awk -F- '{print $2}'`
+	xtype=`echo ${kt}  | awk -F- '{print $1}'`
+	case "$kt" in
+	*sk)	type="$kt"; bits="n/a"; bits_arg="";;
+	*)	type=$xtype; bits=$xbits; bits_arg="-b $bits";;
+	esac
 	verbose "keygen $type, $bits bits"
-	${SSHKEYGEN} -b $bits -q -N '' -t $type  -f $OBJ/key.$kt ||\
+	${SSHKEYGEN} $bits_arg -q -N '' -t $type  -f $OBJ/key.$kt || \
 		fail "ssh-keygen for type $type, $bits bits failed"
 done

+kname_to_ktype() {
+	case $1 in
+	dsa-1024)	echo ssh-dss;;
+	ecdsa-256)	echo ecdsa-sha2-nistp256;;
+	ecdsa-384)	echo ecdsa-sha2-nistp384;;
+	ecdsa-521)	echo ecdsa-sha2-nistp521;;
+	ed25519-512)	echo ssh-ed25519;;
+	rsa-*)		echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
+	ed25519-sk)	echo sk-ssh-ed25519@openssh.com;;
+	ecdsa-sk)	echo sk-ecdsa-sha2-nistp256@openssh.com;;
+	esac
+}
+
 tries="1 2 3"
 for ut in $ktypes; do
-	htypes=$ut
+	user_type=`kname_to_ktype "$ut"`
+	# SK keys are not supported for hostkeys.
+	case "$ut" in
+	*sk)	htypes=ed25519-512;;
+	*)	htypes="$ut";;
+	esac
 	#htypes=$ktypes
 	for ht in $htypes; do
-		case $ht in
-		dsa-1024)	t=ssh-dss;;
-		ecdsa-256)	t=ecdsa-sha2-nistp256;;
-		ecdsa-384)	t=ecdsa-sha2-nistp384;;
-		ecdsa-521)	t=ecdsa-sha2-nistp521;;
-		ed25519-512)	t=ssh-ed25519;;
-		rsa-*)		t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
-		esac
+		host_type=`kname_to_ktype "$ht"`
 		trace "ssh connect, userkey $ut, hostkey $ht"
 		(
 			grep -v HostKey $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/key.$ht
-			echo PubkeyAcceptedKeyTypes $t
-			echo HostKeyAlgorithms $t
+			echo PubkeyAcceptedKeyTypes $user_type
+			echo HostKeyAlgorithms $host_type
 		) > $OBJ/sshd_proxy
 		(
 			grep -v IdentityFile $OBJ/ssh_proxy_bak
 			echo IdentityFile $OBJ/key.$ut
-			echo PubkeyAcceptedKeyTypes $t
-			echo HostKeyAlgorithms $t
+			echo PubkeyAcceptedKeyTypes $user_type
+			echo HostKeyAlgorithms $host_type
 		) > $OBJ/ssh_proxy
 		(
 			printf 'localhost-with-alias,127.0.0.1,::1 '
--- a/regress/krl.sh
+++ b/regress/krl.sh
@ -1,16 +1,19 @@
-#	$OpenBSD: krl.sh,v 1.9 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: krl.sh,v 1.10 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="key revocation lists"

 # Use ed25519 by default since it's fast and it's supported when building
 # w/out OpenSSL.  Populate ktype[2-4] with the other types if supported.
-ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
 	case "$t" in
 		ecdsa*)		ktype2=ecdsa ;;
 		ssh-rsa)	ktype3=rsa ;;
 		ssh-dss)	ktype4=dsa ;;
+		sk-ssh-ed25519@openssh.com)		ktype5=ed25519-sk ;;
+		sk-ecdsa-sha2-nistp256@openssh.com)	ktype6=ecdsa-sk ;;
 	esac
 done

@ -34,6 +37,7 @@ serial: 10
 serial: 15
 serial: 30
 serial: 50
+serial: 90
 serial: 999
 # The following sum to 500-799
 serial: 500
@ -51,7 +55,7 @@ EOF

 # A specification that revokes some certificated by key ID.
 touch $OBJ/revoked-keyid
-for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
 	test "x$n" = "x499" && continue
 	# Fill in by-ID revocation spec.
 	echo "id: revoked $n" >> $OBJ/revoked-keyid
@ -64,9 +68,11 @@ keygen() {
 	# supported.
 	keytype=$ktype1
 	case $N in
-	2 | 10 | 510 | 1001)	keytype=$ktype2 ;;
-	4 | 30 | 520 | 1002)	keytype=$ktype3 ;;
-	8 | 50 | 530 | 1003)	keytype=$ktype4 ;;
+	2  | 10 | 510 | 1001)	keytype=$ktype2 ;;
+	4  | 30 | 520 | 1002)	keytype=$ktype3 ;;
+	8  | 50 | 530 | 1003)	keytype=$ktype4 ;;
+	16 | 70 | 540 | 1004)	keytype=$ktype5 ;;
+	32 | 90 | 550 | 1005)	keytype=$ktype6 ;;
 	esac
 	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
 		|| fatal "$SSHKEYGEN failed"
@ -78,7 +84,7 @@ keygen() {

 # Generate some keys.
 verbose "$tid: generating test keys"
-REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
 for n in $REVOKED_SERIALS ; do
 	f=`keygen $n`
 	RKEYS="$RKEYS ${f}.pub"
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@ -1,20 +1,25 @@
-#	$OpenBSD: limit-keytype.sh,v 1.7 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: limit-keytype.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="restrict pubkey type"

+# XXX sk-* keys aren't actually tested ATM.
+
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
 rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*

 mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig

-ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1
-for t in `${SSH} -Q key-plain | grep -v ^sk-`; do
+ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
+ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
+for t in `${SSH} -Q key-plain | maybe_filter_sk`; do
 	case "$t" in
 		ssh-rsa)	ktype2=rsa ;;
 		ecdsa*)		ktype3=ecdsa ;;  # unused
 		ssh-dss)	ktype4=dsa ;;
+		sk-ssh-ed25519@openssh.com)		ktype5=ed25519-sk ;;
+		sk-ecdsa-sha2-nistp256@openssh.com)	ktype6=ecdsa-sk ;;
 	esac
 done

@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \
 	fatal "ssh-keygen failed"
 ${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \
 	fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \
+	fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \
+	fatal "ssh-keygen failed"
 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
 	-z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
 		fatal "couldn't sign user_key1"
@ -68,6 +77,8 @@ keytype() {
 		ed25519)	printf "ssh-ed25519" ;;
 		dsa)		printf "ssh-dss" ;;
 		rsa)		printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
+		sk-ecdsa)	printf "sk-ecdsa-*" ;;
+		sk-ssh-ed25519)	printf "sk-ssh-ed25519-*" ;;
 	esac
 }

--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
 	exit 0
 fi

-case "`${SSH} -Q key-plain | grep -v ^sk-`" in
+case "`${SSH} -Q key-plain`" in
 	*ssh-rsa*)	userkeytype=rsa ;;
 	*)		userkeytype=ed25519 ;;
 esac
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
+#	$OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 tid="sshsig"
@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key
 CA_PUB=$OBJ/sigca-key.pub

 trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
+eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
 	fatal "could not start ssh-agent: exit code $r"
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.67 2019/11/01 01:55:41 djm Exp $
+#	$OpenBSD: test-exec.sh,v 1.68 2019/11/26 23:43:10 djm Exp $
 #	Placed in the Public Domain.

 #SUDO=sudo
@ -128,6 +128,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
 	*) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
 	esac
 fi
+if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
+	SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
+fi
+if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
+	SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
+fi

 # Path to sshd must be absolute for rexec
 case "$SSHD" in
@ -252,6 +258,7 @@ increase_datafile_size()

 # these should be used in tests
 export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
+export SSH_PKCS11_HELPER SSH_SK_HELPER
 #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP

 # Portable specific functions
@ -475,8 +482,35 @@ fi

 rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER

-SSH_KEYTYPES=`$SSH -Q key-plain | grep -v ^sk`
+SSH_SK_PROVIDER=
+if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
+	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
+elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
+	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
+fi
+export SSH_SK_PROVIDER

+if ! test -z "$SSH_SK_PROVIDER"; then
+	EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
+	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
+fi
+export EXTRA_AGENT_ARGS
+
+filter_sk() {
+	grep -v ^sk
+}
+
+maybe_filter_sk() {
+	if test -z "$SSH_SK_PROVIDER" ; then
+		filter_sk
+	else
+		cat
+	fi
+}
+
+SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | filter_sk`
+ 
 for t in ${SSH_KEYTYPES}; do
 	# generate user key
 	trace "generating key type $t"
@ -486,16 +520,18 @@ for t in ${SSH_KEYTYPES}; do
 			fail "ssh-keygen for $t failed"
 	fi

+	# setup authorized keys
+	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
+done
+
+for t in ${SSH_HOSTKEY_TYPES}; do
 	# known hosts file for client
 	(
 		printf 'localhost-with-alias,127.0.0.1,::1 '
 		cat $OBJ/$t.pub
 	) >> $OBJ/known_hosts

-	# setup authorized keys
-	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
-
 	# use key as host key, too
 	$SUDO cp $OBJ/$t $OBJ/host.$t
 	echo HostKey $OBJ/host.$t >> $OBJ/sshd_config