- djm@cvs.openbsd.org 2013/01/18 00:45:29
[regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs)
parent
f3747bf401
commit
ebafebda85
|
@ -8,6 +8,10 @@
|
|||
a single bit of incremental cost to revoke a certificate by serial number.
|
||||
KRLs are loaded via the existing RevokedKeys sshd_config option.
|
||||
feedback and ok markus@
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2013/01/18 00:45:29
|
||||
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
|
||||
Tests for Key Revocation Lists (KRLs)
|
||||
|
||||
20130117
|
||||
- (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $
|
||||
# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
|
||||
|
||||
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
|
||||
tests: prereq $(REGRESS_TARGETS)
|
||||
|
@ -60,7 +60,8 @@ LTESTS= connect \
|
|||
host-expand \
|
||||
keys-command \
|
||||
forward-control \
|
||||
integrity
|
||||
integrity \
|
||||
krl
|
||||
|
||||
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
|
||||
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
|
||||
|
@ -77,11 +78,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
|
|||
ls.copy banner.in banner.out empty.in \
|
||||
scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
|
||||
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
|
||||
known_hosts-cert host_ca_key* cert_host_key* \
|
||||
known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
|
||||
putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
|
||||
key.rsa-* key.dsa-* key.ecdsa-* \
|
||||
authorized_principals_${USER} expect actual ready \
|
||||
sshd_proxy.* authorized_keys_${USER}.* modpipe
|
||||
sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
|
||||
|
||||
|
||||
# Enable all malloc(3) randomisations and checks
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $
|
||||
# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified user keys"
|
||||
|
@ -184,14 +184,32 @@ basic_tests() {
|
|||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
|
||||
echo "RevokedKeys $OBJ/cert_user_key_revoked"
|
||||
echo "$extra_sshd"
|
||||
) > $OBJ/sshd_proxy
|
||||
cp $OBJ/cert_user_key_${ktype}.pub \
|
||||
$OBJ/cert_user_key_revoked
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpecedly"
|
||||
fi
|
||||
verbose "$tid: ${_prefix} revoked via KRL"
|
||||
rm $OBJ/cert_user_key_revoked
|
||||
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
|
||||
$OBJ/cert_user_key_${ktype}.pub
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpecedly"
|
||||
fi
|
||||
verbose "$tid: ${_prefix} empty KRL"
|
||||
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
|
||||
# Revoked CA
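Review bot: Neither `${SSHKEYGEN} -kqf` call has its exit status checked, so the "revoked via KRL" case can pass for the wrong reason. The preceding `rm` deletes `$OBJ/cert_user_key_revoked`, and if KRL generation then fails, the login still fails as the test expects, because sshd refuses public key authentication when the RevokedKeys file is unreadable (sshd_config(5)). Append `|| fatal "${SSHKEYGEN} KRL failed"` to both calls, as krl.sh in this commit does, so a refused login is attributable to the KRL contents. The two negative cases also share the message `ssh cert connect succeeded unexpecedly`, so a failure does not say whether the plain key file or the KRL was in force. basic_tests() begins and ends outside this hunk.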
|
||||
|
|
|
@ -0,0 +1,151 @@
|
|||
# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="key revocation lists"
|
||||
|
||||
# Do most testing with ssh-keygen; it uses the same verification code as sshd.
|
||||
|
||||
# Old keys will interfere with ssh-keygen.
|
||||
rm -f $OBJ/revoked-* $OBJ/krl-*
|
||||
|
||||
# Generate a CA key
|
||||
$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
|
||||
fatal "$SSHKEYGEN CA failed"
|
||||
|
||||
# A specification that revokes some certificates by serial numbers
|
||||
# The serial pattern is chosen to ensure the KRL includes list, range and
|
||||
# bitmap sections.
|
||||
cat << EOF >> $OBJ/revoked-serials
|
||||
serial: 1-4
|
||||
serial: 10
|
||||
serial: 15
|
||||
serial: 30
|
||||
serial: 50
|
||||
serial: 999
|
||||
# The following sum to 500-799
|
||||
serial: 500
|
||||
serial: 501
|
||||
serial: 502
|
||||
serial: 503-600
|
||||
serial: 700-797
|
||||
serial: 798
|
||||
serial: 799
|
||||
serial: 599-701
|
||||
EOF
|
||||
|
||||
# A specification that revokes some certificated by key ID.
|
||||
touch $OBJ/revoked-keyid
|
||||
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
|
||||
# Fill in by-ID revocation spec.
|
||||
echo "id: revoked $n" >> $OBJ/revoked-keyid
|
||||
done
|
||||
|
||||
keygen() {
|
||||
N=$1
|
||||
f=$OBJ/revoked-`printf "%04d" $N`
|
||||
# Vary the keytype. We use mostly ECDSA since this is fastest by far.
|
||||
keytype=ecdsa
|
||||
case $N in
|
||||
2 | 10 | 510 | 1001) keytype=rsa;;
|
||||
4 | 30 | 520 | 1002) keytype=dsa;;
|
||||
esac
|
||||
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|
||||
|| fatal "$SSHKEYGEN failed"
|
||||
# Sign cert
|
||||
$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
|
||||
|| fatal "$SSHKEYGEN sign failed"
|
||||
echo $f
|
||||
}
|
||||
|
||||
# Generate some keys.
|
||||
verbose "$tid: generating test keys"
|
||||
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
|
||||
for n in $REVOKED_SERIALS ; do
|
||||
f=`keygen $n`
|
||||
REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
|
||||
REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
|
||||
done
|
||||
NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
|
||||
NOTREVOKED=""
|
||||
for n in $NOTREVOKED_SERIALS ; do
|
||||
NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
|
||||
NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
|
||||
done
|
||||
|
||||
genkrls() {
|
||||
OPTS=$1
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
# KRLs from serial/key-id spec need the CA specified.
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
|
||||
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
|
||||
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
}
|
||||
|
||||
verbose "$tid: generating KRLs"
|
||||
genkrls
|
||||
|
||||
check_krl() {
|
||||
KEY=$1
|
||||
KRL=$2
|
||||
EXPECT_REVOKED=$3
|
||||
TAG=$4
|
||||
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
|
||||
result=$?
|
||||
if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
|
||||
fatal "key $KEY not revoked by KRL $KRL: $TAG"
|
||||
elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
|
||||
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
|
||||
fi
|
||||
}
|
||||
test_all() {
|
||||
FILES=$1
|
||||
TAG=$2
|
||||
KEYS_RESULT=$3
|
||||
ALL_RESULT=$4
|
||||
SERIAL_RESULT=$5
|
||||
KEYID_RESULT=$6
|
||||
CERTS_RESULT=$7
|
||||
CA_RESULT=$8
|
||||
verbose "$tid: checking revocations for $TAG"
|
||||
for f in $FILES ; do
|
||||
check_krl $f $OBJ/krl-empty no "$TAG"
|
||||
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
|
||||
done
|
||||
}
|
||||
# keys all serial keyid certs CA
|
||||
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
|
||||
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
|
||||
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
|
||||
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
|
||||
|
||||
# Check update. Results should be identical.
|
||||
verbose "$tid: testing KRL update"
|
||||
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
|
||||
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
|
||||
cp -f $OBJ/krl-empty $f
|
||||
genkrls -u
|
||||
done
|
||||
# keys all serial keyid certs CA
|
||||
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
|
||||
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
|
||||
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
|
||||
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
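Review bot: The four `test_all` calls on `$UNREVOKED_KEYS` and `$UNREVOKED_CERTS` iterate over nothing, because those variables are never set: the second key loop fills `NOTREVOKED_KEYS` and `NOTREVOKED_CERTS` instead, and it never calls `keygen`, so `$f` still names the last revoked key. As written the suite never checks that a non-revoked key or certificate passes a KRL query, so a KRL that over-revokes would go unnoticed. The loop over `$NOTREVOKED_SERIALS` should call `keygen $n` as the first loop does and accumulate into `UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"` and `UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"`. Once those checks run, the lists need a second look: serial 30 is in both `revoked-serials` and `NOTREVOKED_SERIALS`, and key IDs 30, 1000 and 1001 are in `revoked-keyid`, so the "no" expectations for krl-serial and krl-keyid would not hold for those entries. Separately, `keygen()` signs with `-z $n`, the caller's loop variable, where its own argument `$N` appears to be intended.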
|