]> CyberLeo.Net >> Repos - FreeBSD/releng/10.2.git/blob - crypto/openssh/regress/cert-hostkey.sh
projects / FreeBSD / releng / 10.2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- Copy stable/10@285827 to releng/10.2 in preparation for 10.2-RC1
[FreeBSD/releng/10.2.git] / crypto / openssh / regress / cert-hostkey.sh
1 #       $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $
2 #       Placed in the Public Domain.
3
4 tid="certified host keys"
5
6 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
7 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9 HOSTS='localhost-with-alias,127.0.0.1,::1'
10
11 # Create a CA key and add it to known hosts
12 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
13         fail "ssh-keygen of host_ca_key failed"
14 (
15         printf '@cert-authority '
16         printf "$HOSTS "
17         cat $OBJ/host_ca_key.pub
18 ) > $OBJ/known_hosts-cert
19
20 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
21
22 type_has_legacy() {
23         case $1 in
24                 ed25519*|ecdsa*) return 1 ;;
25         esac
26         return 0
27 }
28
29 # Generate and sign host keys
30 for ktype in $PLAIN_TYPES ; do 
31         verbose "$tid: sign host ${ktype} cert"
32         # Generate and sign a host key
33         ${SSHKEYGEN} -q -N '' -t ${ktype} \
34             -f $OBJ/cert_host_key_${ktype} || \
35                 fail "ssh-keygen of cert_host_key_${ktype} failed"
36         ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
37             -I "regress host key for $USER" \
38             -n $HOSTS $OBJ/cert_host_key_${ktype} ||
39                 fail "couldn't sign cert_host_key_${ktype}"
40         type_has_legacy $ktype || continue
41         cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
42         cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
43         verbose "$tid: sign host ${ktype}_v00 cert"
44         ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
45             -I "regress host key for $USER" \
46             -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
47                 fail "couldn't sign cert_host_key_${ktype}_v00"
48 done
49
50 # Basic connect tests
51 for privsep in yes no ; do
52         for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
53                 verbose "$tid: host ${ktype} cert connect privsep $privsep"
54                 (
55                         cat $OBJ/sshd_proxy_bak
56                         echo HostKey $OBJ/cert_host_key_${ktype}
57                         echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
58                         echo UsePrivilegeSeparation $privsep
59                 ) > $OBJ/sshd_proxy
60
61                 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
62                     -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
63                         -F $OBJ/ssh_proxy somehost true
64                 if [ $? -ne 0 ]; then
65                         fail "ssh cert connect failed"
66                 fi
67         done
68 done
69
70 # Revoked certificates with key present
71 (
72         printf '@cert-authority '
73         printf "$HOSTS "
74         cat $OBJ/host_ca_key.pub
75         for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
76                 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
77                 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
78         done
79 ) > $OBJ/known_hosts-cert
80 for privsep in yes no ; do
81         for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
82                 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
83                 (
84                         cat $OBJ/sshd_proxy_bak
85                         echo HostKey $OBJ/cert_host_key_${ktype}
86                         echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
87                         echo UsePrivilegeSeparation $privsep
88                 ) > $OBJ/sshd_proxy
89
90                 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
91                     -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
92                         -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
93                 if [ $? -eq 0 ]; then
94                         fail "ssh cert connect succeeded unexpectedly"
95                 fi
96         done
97 done
98
99 # Revoked CA
100 (
101         printf '@cert-authority '
102         printf "$HOSTS "
103         cat $OBJ/host_ca_key.pub
104         printf '@revoked '
105         printf "* "
106         cat $OBJ/host_ca_key.pub
107 ) > $OBJ/known_hosts-cert
108 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
109         verbose "$tid: host ${ktype} revoked cert"
110         (
111                 cat $OBJ/sshd_proxy_bak
112                 echo HostKey $OBJ/cert_host_key_${ktype}
113                 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
114         ) > $OBJ/sshd_proxy
115         ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
116             -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
117                 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
118         if [ $? -eq 0 ]; then
119                 fail "ssh cert connect succeeded unexpectedly"
120         fi
121 done
122
123 # Create a CA key and add it to known hosts
124 (
125         printf '@cert-authority '
126         printf "$HOSTS "
127         cat $OBJ/host_ca_key.pub
128 ) > $OBJ/known_hosts-cert
129
130 test_one() {
131         ident=$1
132         result=$2
133         sign_opts=$3
134
135         for kt in rsa rsa_v00 ; do
136                 case $kt in
137                 *_v00) args="-t v00" ;;
138                 *) args="" ;;
139                 esac
140
141                 verbose "$tid: host cert connect $ident $kt expect $result"
142                 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
143                     -I "regress host key for $USER" \
144                     $sign_opts $args \
145                     $OBJ/cert_host_key_${kt} ||
146                         fail "couldn't sign cert_host_key_${kt}"
147                 (
148                         cat $OBJ/sshd_proxy_bak
149                         echo HostKey $OBJ/cert_host_key_${kt}
150                         echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
151                 ) > $OBJ/sshd_proxy
152         
153                 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
154                     -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
155                     -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
156                 rc=$?
157                 if [ "x$result" = "xsuccess" ] ; then
158                         if [ $rc -ne 0 ]; then
159                                 fail "ssh cert connect $ident failed unexpectedly"
160                         fi
161                 else
162                         if [ $rc -eq 0 ]; then
163                                 fail "ssh cert connect $ident succeeded unexpectedly"
164                         fi
165                 fi
166         done
167 }
168
169 test_one "user-certificate"     failure "-n $HOSTS"
170 test_one "empty principals"     success "-h"
171 test_one "wrong principals"     failure "-h -n foo"
172 test_one "cert not yet valid"   failure "-h -V20200101:20300101"
173 test_one "cert expired"         failure "-h -V19800101:19900101"
174 test_one "cert valid interval"  success "-h -V-1w:+2w"
175 test_one "cert has constraints" failure "-h -Oforce-command=false"
176
177 # Check downgrade of cert to raw key when no CA found
178 for v in v01 v00 ;  do 
179         for ktype in $PLAIN_TYPES ; do 
180                 type_has_legacy $ktype || continue
181                 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
182                 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
183                 # Generate and sign a host key
184                 ${SSHKEYGEN} -q -N '' -t ${ktype} \
185                     -f $OBJ/cert_host_key_${ktype} || \
186                         fail "ssh-keygen of cert_host_key_${ktype} failed"
187                 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
188                     -I "regress host key for $USER" \
189                     -n $HOSTS $OBJ/cert_host_key_${ktype} ||
190                         fail "couldn't sign cert_host_key_${ktype}"
191                 (
192                         printf "$HOSTS "
193                         cat $OBJ/cert_host_key_${ktype}.pub
194                 ) > $OBJ/known_hosts-cert
195                 (
196                         cat $OBJ/sshd_proxy_bak
197                         echo HostKey $OBJ/cert_host_key_${ktype}
198                         echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
199                 ) > $OBJ/sshd_proxy
200                 
201                 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
202                     -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
203                         -F $OBJ/ssh_proxy somehost true
204                 if [ $? -ne 0 ]; then
205                         fail "ssh cert connect failed"
206                 fi
207         done
208 done
209
210 # Wrong certificate
211 (
212         printf '@cert-authority '
213         printf "$HOSTS "
214         cat $OBJ/host_ca_key.pub
215 ) > $OBJ/known_hosts-cert
216 for v in v01 v00 ;  do 
217         for kt in $PLAIN_TYPES ; do 
218                 type_has_legacy $kt || continue
219                 rm -f $OBJ/cert_host_key*
220                 # Self-sign key
221                 ${SSHKEYGEN} -q -N '' -t ${kt} \
222                     -f $OBJ/cert_host_key_${kt} || \
223                         fail "ssh-keygen of cert_host_key_${kt} failed"
224                 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
225                     -I "regress host key for $USER" \
226                     -n $HOSTS $OBJ/cert_host_key_${kt} ||
227                         fail "couldn't sign cert_host_key_${kt}"
228                 verbose "$tid: host ${kt} connect wrong cert"
229                 (
230                         cat $OBJ/sshd_proxy_bak
231                         echo HostKey $OBJ/cert_host_key_${kt}
232                         echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
233                 ) > $OBJ/sshd_proxy
234         
235                 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
236                     -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
237                         -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
238                 if [ $? -eq 0 ]; then
239                         fail "ssh cert connect $ident succeeded unexpectedly"
240                 fi
241         done
242 done
243
244 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
10.2-RELEASE