541 lines
22 KiB
Bash
541 lines
22 KiB
Bash
# $OpenBSD: sshsig.sh,v 1.15 2023/10/12 03:51:08 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="sshsig"
|
|
|
|
DATA2=$OBJ/${DATANAME}.2
|
|
cat ${DATA} ${DATA} > ${DATA2}
|
|
|
|
rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
|
|
|
|
sig_namespace="test-$$"
|
|
sig_principal="user-$$@example.com"
|
|
|
|
# Make a "wrong key"
|
|
${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
|
|
-C "wrong trousers, Grommit" -N '' \
|
|
|| fatal "couldn't generate key"
|
|
WRONG=$OBJ/wrong-key.pub
|
|
|
|
# Make a CA key.
|
|
${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
|
|
|| fatal "couldn't generate key"
|
|
CA_PRIV=$OBJ/sigca-key
|
|
CA_PUB=$OBJ/sigca-key.pub
|
|
|
|
trace "start agent"
|
|
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
|
|
r=$?
|
|
if [ $r -ne 0 ]; then
|
|
fatal "could not start ssh-agent: exit code $r"
|
|
fi
|
|
|
|
SIGNKEYS="$SSH_KEYTYPES"
|
|
verbose "$tid: make certificates"
|
|
for t in $SSH_KEYTYPES ; do
|
|
${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
|
|
-I "regress signature key for $USER" \
|
|
-V "19840101:19860101" \
|
|
-n $sig_principal $OBJ/${t} || \
|
|
fatal "couldn't sign ${t}"
|
|
SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
|
|
done
|
|
|
|
for t in $SIGNKEYS; do
|
|
verbose "$tid: check signature for $t"
|
|
keybase=`basename $t .pub`
|
|
privkey=${OBJ}/`basename $t -cert.pub`
|
|
sigfile=${OBJ}/sshsig-${keybase}.sig
|
|
sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
|
|
pubkey=${OBJ}/${keybase}.pub
|
|
cert=${OBJ}/${keybase}-cert.pub
|
|
sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
|
|
|
|
trace "$tid: key type $t check bad hashlg"
|
|
${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
|
|
-Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
|
|
fail "sign using $t with bad hash algorithm succeeded"
|
|
|
|
for h in default sha256 sha512 ; do
|
|
case "$h" in
|
|
default) hashalg_arg="" ;;
|
|
*) hashalg_arg="-Ohashalg=$h" ;;
|
|
esac
|
|
trace "$tid: key type $t sign with hash $h"
|
|
${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
|
|
$hashalg_arg < $DATA > $sigfile 2>/dev/null || \
|
|
fail "sign using $t / $h failed"
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
trace "$tid: key type $t verify with hash $h"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t / $h key"
|
|
done
|
|
|
|
trace "$tid: key type $t verify with limited namespace"
|
|
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t key w/ limited namespace"
|
|
|
|
trace "$tid: key type $t print-pubkey"
|
|
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-O print-pubkey \
|
|
< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
|
|
fail "failed signature for $t key w/ print-pubkey"
|
|
cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
|
|
diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
|
|
fail "print-pubkey differs from signature key"
|
|
|
|
# Invalid option
|
|
trace "$tid: key type $t verify with bad signers"
|
|
(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with bad signers option"
|
|
|
|
# Wrong key trusted.
|
|
trace "$tid: key type $t verify with wrong key"
|
|
(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with wrong key trusted"
|
|
|
|
# incorrect data
|
|
trace "$tid: key type $t verify with wrong data"
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA2 >/dev/null 2>&1 && \
|
|
fail "passed signature for wrong data with $t key"
|
|
|
|
# wrong principal in signers
|
|
trace "$tid: key type $t verify with wrong principal"
|
|
(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with wrong principal"
|
|
|
|
# wrong namespace
|
|
trace "$tid: key type $t verify with wrong namespace"
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with wrong namespace"
|
|
|
|
# namespace excluded by option
|
|
trace "$tid: key type $t verify with excluded namespace"
|
|
(printf "$sig_principal namespaces=\"whatever\" " ;
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with excluded namespace"
|
|
|
|
( printf "$sig_principal " ;
|
|
printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
|
|
# key lifespan valid
|
|
trace "$tid: key type $t verify with valid lifespan"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19850101 \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t key with valid expiry interval"
|
|
# key not yet valid
|
|
trace "$tid: key type $t verify with not-yet-valid lifespan"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19790101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "failed signature for $t not-yet-valid key"
|
|
# key expired
|
|
trace "$tid: key type $t verify with expired lifespan"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19910101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "failed signature for $t with expired key"
|
|
# NB. assumes we're not running this test in the 1980s
|
|
trace "$tid: key type $t verify with expired lifespan (now)"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "failed signature for $t with expired key"
|
|
|
|
# key lifespan valid
|
|
trace "$tid: key type $t find-principals with valid lifespan"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19850101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t key with valid expiry interval"
|
|
# key not yet valid
|
|
trace "$tid: key type $t find principals with not-yet-valid lifespan"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19790101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t not-yet-valid key"
|
|
# key expired
|
|
trace "$tid: key type $t find-principals with expired lifespan"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19990101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t with expired key"
|
|
# NB. assumes we're not running this test in the 1980s
|
|
trace "$tid: key type $t find-principals with expired lifespan (now)"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t with expired key"
|
|
|
|
# public key in revoked keys file
|
|
trace "$tid: key type $t verify with revoked key"
|
|
cat $pubkey > $OBJ/revoked_keys
|
|
(printf "$sig_principal namespaces=\"whatever\" " ;
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-r $OBJ/revoked_keys \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key, but key is in revoked_keys"
|
|
|
|
# public key not revoked, but others are present in revoked_keysfile
|
|
trace "$tid: key type $t verify with unrevoked key"
|
|
cat $WRONG > $OBJ/revoked_keys
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-r $OBJ/revoked_keys \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "couldn't verify signature for $t key, but key not in revoked_keys"
|
|
|
|
# check-novalidate with valid data
|
|
trace "$tid: key type $t check-novalidate with valid data"
|
|
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed to check valid signature for $t key"
|
|
|
|
# check-novalidate with invalid data
|
|
trace "$tid: key type $t check-novalidate with invalid data"
|
|
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
|
|
< $DATA2 >/dev/null 2>&1 && \
|
|
fail "succeeded checking signature for $t key with invalid data"
|
|
|
|
# find-principals with valid public key
|
|
trace "$tid: key type $t find-principals with valid key"
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed to find valid principals in allowed_signers"
|
|
|
|
# find-principals with wrong key not in allowed_signers
|
|
trace "$tid: key type $t find-principals with wrong key"
|
|
(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "succeeded finding principal with invalid signers file"
|
|
|
|
# find-principals with a configured namespace but none on command-line
|
|
trace "$tid: key type $t find-principals with missing namespace"
|
|
(printf "$sig_principal " ;
|
|
printf "namespaces=\"test1,test2\" ";
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed finding principal when namespaces are configured"
|
|
|
|
# Check signing keys using ssh-agent.
|
|
trace "$tid: key type $t prepare agent"
|
|
${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
|
|
${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
|
|
|
|
# Move private key to ensure agent key is used
|
|
mv ${privkey} ${privkey}.tmp
|
|
|
|
trace "$tid: key type $t sign with agent"
|
|
${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
|
|
< $DATA > $sigfile_agent 2>/dev/null || \
|
|
fail "ssh-agent based sign using $pubkey failed"
|
|
trace "$tid: key type $t check signature w/ agent"
|
|
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
|
|
-n $sig_namespace < $DATA >/dev/null 2>&1 || \
|
|
fail "failed to check valid signature for $t key"
|
|
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile_agent -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t key w/ limited namespace"
|
|
|
|
# Move private key back
|
|
mv ${privkey}.tmp ${privkey}
|
|
|
|
# Duplicate principals & keys in allowed_signers but with different validities
|
|
( printf "$sig_principal " ;
|
|
printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
|
|
cat $pubkey;
|
|
printf "${sig_principal} " ;
|
|
printf "valid-after=\"19850101\",valid-before=\"20000101\" " ;
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
|
|
# find-principals outside of any validity lifespan
|
|
trace "$tid: key type $t find principals outside multiple validities"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="20100101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "succeeded find-principals for $t verify-time outside of validity"
|
|
# find-principals matching only the first lifespan
|
|
trace "$tid: key type $t find principals matching one validity (1st)"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19830101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t verify-time within first span"
|
|
# find-principals matching both lifespans
|
|
trace "$tid: key type $t find principals matching two validities"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19880101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t verify-time within both spans"
|
|
# find-principals matching only the second lifespan
|
|
trace "$tid: key type $t find principals matching one validity (2nd)"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19950101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t verify-time within second span"
|
|
|
|
# verify outside of any validity lifespan
|
|
trace "$tid: key type $t verify outside multiple validities"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-Overify-time="20100101" -I $sig_principal \
|
|
-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "succeeded verify for $t verify-time outside of validity"
|
|
# verify matching only the first lifespan
|
|
trace "$tid: key type $t verify matching one validity (1st)"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-Overify-time="19830101" -I $sig_principal \
|
|
-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed verify for $t verify-time within first span"
|
|
# verify matching both lifespans
|
|
trace "$tid: key type $t verify matching two validities"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-Overify-time="19880101" -I $sig_principal \
|
|
-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed verify for $t verify-time within both spans"
|
|
# verify matching only the second lifespan
|
|
trace "$tid: key type $t verify matching one validity (2nd)"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-Overify-time="19950101" -I $sig_principal \
|
|
-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed verify for $t verify-time within second span"
|
|
|
|
# Remaining tests are for certificates only.
|
|
case "$keybase" in
|
|
*-cert) ;;
|
|
*) continue ;;
|
|
esac
|
|
|
|
# Check key lifespan on find-principals when using the CA
|
|
( printf "$sig_principal " ;
|
|
printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
# key lifespan valid
|
|
trace "$tid: key type $t find-principals cert lifetime valid"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19850101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t key with valid expiry interval"
|
|
# key not yet valid
|
|
trace "$tid: key type $t find-principals cert lifetime not-yet-valid"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19790101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t not-yet-valid key"
|
|
# key expired
|
|
trace "$tid: key type $t find-principals cert lifetime expired"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time="19990101" \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t with expired key"
|
|
# NB. assumes we're not running this test in the 1980s
|
|
trace "$tid: key type $t find-principals cert lifetime expired (now)"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 && \
|
|
fail "failed find-principals for $t with expired key"
|
|
|
|
# correct CA key
|
|
trace "$tid: key type $t verify cert good CA"
|
|
(printf "$sig_principal cert-authority " ;
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19850101 \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t cert"
|
|
|
|
# find-principals
|
|
trace "$tid: key type $t find-principals cert good CA"
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time=19850101 \
|
|
-f $OBJ/allowed_signers >/dev/null 2>&1 || \
|
|
fail "failed find-principals for $t with ca key"
|
|
|
|
# CA with wildcard principal
|
|
trace "$tid: key type $t find-principals cert good wildcard CA"
|
|
(printf "*@example.com cert-authority " ;
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
# find-principals CA with wildcard principal
|
|
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
|
|
-Overify-time=19850101 \
|
|
-f $OBJ/allowed_signers 2>/dev/null | \
|
|
fgrep "$sig_principal" >/dev/null || \
|
|
fail "failed find-principals for $t with ca key using wildcard principal"
|
|
|
|
# verify CA with wildcard principal
|
|
trace "$tid: key type $t verify cert good wildcard CA"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19850101 \
|
|
< $DATA >/dev/null 2>&1 || \
|
|
fail "failed signature for $t cert using wildcard principal"
|
|
|
|
# signing key listed as cert-authority
|
|
trace "$tid: key type $t verify signing key listed as CA"
|
|
(printf "$sig_principal cert-authority " ;
|
|
cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature with $t key listed as CA"
|
|
|
|
# CA key not flagged cert-authority
|
|
trace "$tid: key type $t verify key not marked as CA"
|
|
(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t cert with CA not marked"
|
|
|
|
# mismatch between cert principal and file
|
|
trace "$tid: key type $t verify cert with wrong principal"
|
|
(printf "josef.k@example.com cert-authority " ;
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t cert with wrong principal"
|
|
|
|
# Cert valid but CA revoked
|
|
trace "$tid: key type $t verify cert with revoked CA"
|
|
cat $CA_PUB > $OBJ/revoked_keys
|
|
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-r $OBJ/revoked_keys \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key, but CA key in revoked_keys"
|
|
|
|
# Set lifespan of CA key and verify signed user certs behave accordingly
|
|
( printf "$sig_principal " ;
|
|
printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
|
|
# CA key lifespan valid
|
|
trace "$tid: key type $t verify cert valid CA lifespan"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19850101 \
|
|
< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
|
|
fail "failed signature for $t key with valid CA expiry interval"
|
|
# CA lifespan is valid but user key not yet valid
|
|
trace "$tid: key type $t verify cert valid CA lifespan, not-yet-valid cert"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19810101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
|
|
# CA lifespan is valid but user key expired
|
|
trace "$tid: key type $t verify cert valid CA lifespan, expired cert"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19890101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with valid CA expiry interval but expired cert"
|
|
# CA key not yet valid
|
|
trace "$tid: key type $t verify cert CA not-yet-valid"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19790101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t not-yet-valid CA key"
|
|
# CA key expired
|
|
trace "$tid: key type $t verify cert CA expired"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19910101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t with expired CA key"
|
|
# NB. assumes we're not running this test in the 1980s
|
|
trace "$tid: key type $t verify cert CA expired (now)"
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t with expired CA key"
|
|
|
|
# Set lifespan of CA outside of the cert validity
|
|
trace "$tid: key type $t verify CA/cert lifespan mismatch"
|
|
( printf "$sig_principal " ;
|
|
printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
|
|
cat $CA_PUB) > $OBJ/allowed_signers
|
|
# valid cert validity but expired CA
|
|
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
|
-I $sig_principal -f $OBJ/allowed_signers \
|
|
-Overify-time=19840101 \
|
|
< $DATA >/dev/null 2>&1 && \
|
|
fail "accepted signature for $t key with expired CA but valid cert"
|
|
|
|
done
|
|
|
|
# Test key independant match-principals
|
|
(
|
|
printf "principal1 " ; cat $pubkey;
|
|
printf "princi* " ; cat $pubkey;
|
|
printf "unique " ; cat $pubkey;
|
|
) > $OBJ/allowed_signers
|
|
|
|
verbose "$tid: match principals"
|
|
${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
|
|
fgrep "unique" >/dev/null || \
|
|
fail "failed to match static principal"
|
|
|
|
trace "$tid: match principals wildcard"
|
|
${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
|
|
fgrep "princi*" >/dev/null || \
|
|
fail "failed to match wildcard principal"
|
|
|
|
trace "$tid: match principals static/wildcard"
|
|
${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
|
|
fgrep -e "principal1" -e "princi*" >/dev/null || \
|
|
fail "failed to match static and wildcard principal"
|
|
verbose "$tid: nomatch principals"
|
|
for x in princ prince unknown ; do
|
|
${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \
|
|
-I $x >/dev/null 2>&1 && \
|
|
fail "succeeded to match unknown principal \"$x\""
|
|
done
|
|
|
|
trace "kill agent"
|
|
${SSHAGENT} -k > /dev/null
|
|
|