upstream: test revocation by explicit hash and by fingerprint
OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
parent
2de78bc7da
commit
f803b26829
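--- a/krl.sh
+++ b/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
 # Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do
 UCERTS="$UCERTS ${f}-cert.pub"
 done
 
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+(printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+(printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+(printf "hash: "; $SSHKEYGEN -lf $rkey | \
+awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
 genkrls() {
 OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
@@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
 >/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
 >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
 # This should fail as KRLs from serial/key-id spec need the CA specified.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
@@ -131,9 +146,9 @@ check_krl() {
 TAG=$4
 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
 result=$?
-if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
 fatal "key $KEY not revoked by KRL $KRL: $TAG"
-elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
 fi
 }
@@ -142,17 +157,21 @@ test_rev() {
 TAG=$2
 KEYS_RESULT=$3
 ALL_RESULT=$4
-SERIAL_RESULT=$5
-KEYID_RESULT=$6
-CERTS_RESULT=$7
-CA_RESULT=$8
-SERIAL_WRESULT=$9
-KEYID_WRESULT=$10
+HASH_RESULT=$5
+SERIAL_RESULT=$6
+KEYID_RESULT=$7
+CERTS_RESULT=$8
+CA_RESULT=$9
+SERIAL_WRESULT=$10
+KEYID_WRESULT=$11
 verbose "$tid: checking revocations for $TAG"
 for f in $FILES ; do
 check_krl $f $OBJ/krl-empty no "$TAG"
 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
+check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
+check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
@@ -164,11 +183,11 @@ test_rev() {
 
 test_all() {
 # wildcard
-# keys all sr# k.ID cert CA sr.# k.ID
+# keys all hash sr# ID cert CA srl ID
-test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
+test_rev "$RKEYS" "revoked keys" y y y n n n n n n
-test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
+test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
-test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
+test_rev "$RCERTS" "revoked certs" y y y y y y y y y
-test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
+test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
 }
 
 test_all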
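Review bot: The krl-empty check in test_rev becomes vacuous after this change: check_krl now only recognizes `y`/`n`, but the context line `check_krl $f $OBJ/krl-empty no "$TAG"` still passes `no`, so neither branch fires and an empty KRL that wrongly revokes a key would go unnoticed; it should read `check_krl $f $OBJ/krl-empty n "$TAG"`. check_krl would catch this class of mistake if it rejected unknown expectations, e.g. `else fatal "check_krl: bad expectation '$EXPECT_REVOKED': $TAG"` before the closing `fi` in the check_krl hunk. Separately, the new `KEYID_WRESULT=$11` (and the moved `SERIAL_WRESULT=$10`) expand as `$1` followed by a literal digit in POSIX sh; they need braces, `SERIAL_WRESULT=${10}` and `KEYID_WRESULT=${11}`, assuming the wildcard checks that consume them are outside this hunk as the `test_rev` body continues past it.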