cert-hostkey.sh (214979) | cert-hostkey.sh (218767) |
---|---|
1# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $ | 1# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $ |
2# Placed in the Public Domain. 3 4tid="certified host keys" 5 | 2# Placed in the Public Domain. 3 4tid="certified host keys" 5 |
6# used to disable ECC based tests on platforms without ECC 7ecdsa="" 8if test "x$TEST_SSH_ECC" = "xyes"; then 9 ecdsa=ecdsa 10fi 11 |
|
6rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 8 9HOSTS='localhost-with-alias,127.0.0.1,::1' 10 11# Create a CA key and add it to known hosts 12${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 13 fail "ssh-keygen of host_ca_key failed" 14( 15 echon '@cert-authority ' 16 echon "$HOSTS " 17 cat $OBJ/host_ca_key.pub 18) > $OBJ/known_hosts-cert 19 20# Generate and sign host keys | 12rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 14 15HOSTS='localhost-with-alias,127.0.0.1,::1' 16 17# Create a CA key and add it to known hosts 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 19 fail "ssh-keygen of host_ca_key failed" 20( 21 echon '@cert-authority ' 22 echon "$HOSTS " 23 cat $OBJ/host_ca_key.pub 24) > $OBJ/known_hosts-cert 25 26# Generate and sign host keys |
21for ktype in rsa dsa ; do | 27for ktype in rsa dsa $ecdsa ; do |
22 verbose "$tid: sign host ${ktype} cert" 23 # Generate and sign a host key 24 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 25 -f $OBJ/cert_host_key_${ktype} || \ 26 fail "ssh-keygen of cert_host_key_${ktype} failed" 27 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \ 28 -I "regress host key for $USER" \ 29 -n $HOSTS $OBJ/cert_host_key_${ktype} || 30 fail "couldn't sign cert_host_key_${ktype}" | 28 verbose "$tid: sign host ${ktype} cert" 29 # Generate and sign a host key 30 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 31 -f $OBJ/cert_host_key_${ktype} || \ 32 fail "ssh-keygen of cert_host_key_${ktype} failed" 33 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \ 34 -I "regress host key for $USER" \ 35 -n $HOSTS $OBJ/cert_host_key_${ktype} || 36 fail "couldn't sign cert_host_key_${ktype}" |
37 # v00 ecdsa certs do not exist 38 test "${ktype}" = "ecdsa" && continue |
|
31 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 32 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub 33 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ 34 -I "regress host key for $USER" \ 35 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || 36 fail "couldn't sign cert_host_key_${ktype}_v00" 37done 38 39# Basic connect tests 40for privsep in yes no ; do | 39 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 40 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub 41 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ 42 -I "regress host key for $USER" \ 43 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || 44 fail "couldn't sign cert_host_key_${ktype}_v00" 45done 46 47# Basic connect tests 48for privsep in yes no ; do |
41 for ktype in rsa dsa rsa_v00 dsa_v00; do | 49 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do |
42 verbose "$tid: host ${ktype} cert connect privsep $privsep" 43 ( 44 cat $OBJ/sshd_proxy_bak 45 echo HostKey $OBJ/cert_host_key_${ktype} 46 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 47 echo UsePrivilegeSeparation $privsep 48 ) > $OBJ/sshd_proxy 49 --- 9 unchanged lines hidden (view full) --- 59# Revoked certificates with key present 60( 61 echon '@cert-authority ' 62 echon "$HOSTS " 63 cat $OBJ/host_ca_key.pub 64 echon '@revoked ' 65 echon "* " 66 cat $OBJ/cert_host_key_rsa.pub | 50 verbose "$tid: host ${ktype} cert connect privsep $privsep" 51 ( 52 cat $OBJ/sshd_proxy_bak 53 echo HostKey $OBJ/cert_host_key_${ktype} 54 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 55 echo UsePrivilegeSeparation $privsep 56 ) > $OBJ/sshd_proxy 57 --- 9 unchanged lines hidden (view full) --- 67# Revoked certificates with key present 68( 69 echon '@cert-authority ' 70 echon "$HOSTS " 71 cat $OBJ/host_ca_key.pub 72 echon '@revoked ' 73 echon "* " 74 cat $OBJ/cert_host_key_rsa.pub |
75 if test "x$TEST_SSH_ECC" = "xyes"; then 76 echon '@revoked ' 77 echon "* " 78 cat $OBJ/cert_host_key_ecdsa.pub 79 fi |
|
67 echon '@revoked ' 68 echon "* " 69 cat $OBJ/cert_host_key_dsa.pub 70 echon '@revoked ' 71 echon "* " 72 cat $OBJ/cert_host_key_rsa_v00.pub 73 echon '@revoked ' 74 echon "* " 75 cat $OBJ/cert_host_key_dsa_v00.pub 76) > $OBJ/known_hosts-cert 77for privsep in yes no ; do | 80 echon '@revoked ' 81 echon "* " 82 cat $OBJ/cert_host_key_dsa.pub 83 echon '@revoked ' 84 echon "* " 85 cat $OBJ/cert_host_key_rsa_v00.pub 86 echon '@revoked ' 87 echon "* " 88 cat $OBJ/cert_host_key_dsa_v00.pub 89) > $OBJ/known_hosts-cert 90for privsep in yes no ; do |
78 for ktype in rsa dsa rsa_v00 dsa_v00; do | 91 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do |
79 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 80 ( 81 cat $OBJ/sshd_proxy_bak 82 echo HostKey $OBJ/cert_host_key_${ktype} 83 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 84 echo UsePrivilegeSeparation $privsep 85 ) > $OBJ/sshd_proxy 86 --- 10 unchanged lines hidden (view full) --- 97( 98 echon '@cert-authority ' 99 echon "$HOSTS " 100 cat $OBJ/host_ca_key.pub 101 echon '@revoked ' 102 echon "* " 103 cat $OBJ/host_ca_key.pub 104) > $OBJ/known_hosts-cert | 92 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 93 ( 94 cat $OBJ/sshd_proxy_bak 95 echo HostKey $OBJ/cert_host_key_${ktype} 96 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 97 echo UsePrivilegeSeparation $privsep 98 ) > $OBJ/sshd_proxy 99 --- 10 unchanged lines hidden (view full) --- 110( 111 echon '@cert-authority ' 112 echon "$HOSTS " 113 cat $OBJ/host_ca_key.pub 114 echon '@revoked ' 115 echon "* " 116 cat $OBJ/host_ca_key.pub 117) > $OBJ/known_hosts-cert |
105for ktype in rsa dsa rsa_v00 dsa_v00 ; do | 118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do |
106 verbose "$tid: host ${ktype} revoked cert" 107 ( 108 cat $OBJ/sshd_proxy_bak 109 echo HostKey $OBJ/cert_host_key_${ktype} 110 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 111 ) > $OBJ/sshd_proxy 112 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 113 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ --- 54 unchanged lines hidden (view full) --- 168test_one "wrong principals" failure "-h -n foo" 169test_one "cert not yet valid" failure "-h -V20200101:20300101" 170test_one "cert expired" failure "-h -V19800101:19900101" 171test_one "cert valid interval" success "-h -V-1w:+2w" 172test_one "cert has constraints" failure "-h -Oforce-command=false" 173 174# Check downgrade of cert to raw key when no CA found 175for v in v01 v00 ; do | 119 verbose "$tid: host ${ktype} revoked cert" 120 ( 121 cat $OBJ/sshd_proxy_bak 122 echo HostKey $OBJ/cert_host_key_${ktype} 123 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 124 ) > $OBJ/sshd_proxy 125 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 126 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ --- 54 unchanged lines hidden (view full) --- 181test_one "wrong principals" failure "-h -n foo" 182test_one "cert not yet valid" failure "-h -V20200101:20300101" 183test_one "cert expired" failure "-h -V19800101:19900101" 184test_one "cert valid interval" success "-h -V-1w:+2w" 185test_one "cert has constraints" failure "-h -Oforce-command=false" 186 187# Check downgrade of cert to raw key when no CA found 188for v in v01 v00 ; do |
176 for ktype in rsa dsa ; do | 189 for ktype in rsa dsa $ecdsa ; do 190 # v00 ecdsa certs do not exist. 191 test "${v}${ktype}" = "v00ecdsa" && continue |
177 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 178 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 179 # Generate and sign a host key 180 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 181 -f $OBJ/cert_host_key_${ktype} || \ 182 fail "ssh-keygen of cert_host_key_${ktype} failed" 183 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 184 -I "regress host key for $USER" \ --- 20 unchanged lines hidden (view full) --- 205 206# Wrong certificate 207( 208 echon '@cert-authority ' 209 echon "$HOSTS " 210 cat $OBJ/host_ca_key.pub 211) > $OBJ/known_hosts-cert 212for v in v01 v00 ; do | 192 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 193 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 194 # Generate and sign a host key 195 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 196 -f $OBJ/cert_host_key_${ktype} || \ 197 fail "ssh-keygen of cert_host_key_${ktype} failed" 198 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 199 -I "regress host key for $USER" \ --- 20 unchanged lines hidden (view full) --- 220 221# Wrong certificate 222( 223 echon '@cert-authority ' 224 echon "$HOSTS " 225 cat $OBJ/host_ca_key.pub 226) > $OBJ/known_hosts-cert 227for v in v01 v00 ; do |
213 for kt in rsa dsa ; do | 228 for kt in rsa dsa $ecdsa ; do 229 # v00 ecdsa certs do not exist. 230 test "${v}${ktype}" = "v00ecdsa" && continue |
214 rm -f $OBJ/cert_host_key* 215 # Self-sign key 216 ${SSHKEYGEN} -q -N '' -t ${kt} \ 217 -f $OBJ/cert_host_key_${kt} || \ 218 fail "ssh-keygen of cert_host_key_${kt} failed" 219 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 220 -I "regress host key for $USER" \ 221 -n $HOSTS $OBJ/cert_host_key_${kt} || --- 18 unchanged lines hidden --- | 231 rm -f $OBJ/cert_host_key* 232 # Self-sign key 233 ${SSHKEYGEN} -q -N '' -t ${kt} \ 234 -f $OBJ/cert_host_key_${kt} || \ 235 fail "ssh-keygen of cert_host_key_${kt} failed" 236 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 237 -I "regress host key for $USER" \ 238 -n $HOSTS $OBJ/cert_host_key_${kt} || --- 18 unchanged lines hidden --- |
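Review bot: The skip guard added at new line 230 tests `${v}${ktype}` but the enclosing loop at line 228 iterates `kt`, so it reads the stale `ktype` left by the downgrade loop at line 189; the guard at line 191 uses the right variable and this one should read `test "${v}${kt}" = "v00ecdsa" && continue`. With ECC enabled, `ktype` is left at `ecdsa` after line 189's loop finishes, so for `v=v00` every `kt` iteration hits `continue` and the v00 "wrong certificate" (self-signed) rejection tests for rsa and dsa are silently skipped rather than failing; with ECC disabled nothing is skipped, which hides the defect on non-ECC builds. Since this is a negative test asserting that sshd/ssh reject improperly signed host certs, silently losing that coverage is worth fixing before the next edit to this file. The body of this loop continues past the visible hunk.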