cert-hostkey.sh (225825) | cert-hostkey.sh (255670) |
---|---|
1# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ | 1# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ |
2# Placed in the Public Domain. 3 4tid="certified host keys" 5 6# used to disable ECC based tests on platforms without ECC 7ecdsa="" 8if test "x$TEST_SSH_ECC" = "xyes"; then 9 ecdsa=ecdsa 10fi 11 12rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 14 15HOSTS='localhost-with-alias,127.0.0.1,::1' 16 17# Create a CA key and add it to known hosts 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 19 fail "ssh-keygen of host_ca_key failed" 20( | 2# Placed in the Public Domain. 3 4tid="certified host keys" 5 6# used to disable ECC based tests on platforms without ECC 7ecdsa="" 8if test "x$TEST_SSH_ECC" = "xyes"; then 9 ecdsa=ecdsa 10fi 11 12rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 14 15HOSTS='localhost-with-alias,127.0.0.1,::1' 16 17# Create a CA key and add it to known hosts 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 19 fail "ssh-keygen of host_ca_key failed" 20( |
21 echon '@cert-authority ' 22 echon "$HOSTS " | 21 printf '@cert-authority ' 22 printf "$HOSTS " |
23 cat $OBJ/host_ca_key.pub 24) > $OBJ/known_hosts-cert 25 26# Generate and sign host keys 27for ktype in rsa dsa $ecdsa ; do 28 verbose "$tid: sign host ${ktype} cert" 29 # Generate and sign a host key 30 ${SSHKEYGEN} -q -N '' -t ${ktype} \ --- 30 unchanged lines hidden (view full) --- 61 if [ $? -ne 0 ]; then 62 fail "ssh cert connect failed" 63 fi 64 done 65done 66 67# Revoked certificates with key present 68( | 23 cat $OBJ/host_ca_key.pub 24) > $OBJ/known_hosts-cert 25 26# Generate and sign host keys 27for ktype in rsa dsa $ecdsa ; do 28 verbose "$tid: sign host ${ktype} cert" 29 # Generate and sign a host key 30 ${SSHKEYGEN} -q -N '' -t ${ktype} \ --- 30 unchanged lines hidden (view full) --- 61 if [ $? -ne 0 ]; then 62 fail "ssh cert connect failed" 63 fi 64 done 65done 66 67# Revoked certificates with key present 68( |
69 echon '@cert-authority ' 70 echon "$HOSTS " | 69 printf '@cert-authority ' 70 printf "$HOSTS " |
71 cat $OBJ/host_ca_key.pub | 71 cat $OBJ/host_ca_key.pub |
72 echon '@revoked ' 73 echon "* " | 72 printf '@revoked ' 73 printf "* " |
74 cat $OBJ/cert_host_key_rsa.pub 75 if test "x$TEST_SSH_ECC" = "xyes"; then | 74 cat $OBJ/cert_host_key_rsa.pub 75 if test "x$TEST_SSH_ECC" = "xyes"; then |
76 echon '@revoked ' 77 echon "* " | 76 printf '@revoked ' 77 printf "* " |
78 cat $OBJ/cert_host_key_ecdsa.pub 79 fi | 78 cat $OBJ/cert_host_key_ecdsa.pub 79 fi |
80 echon '@revoked ' 81 echon "* " | 80 printf '@revoked ' 81 printf "* " |
82 cat $OBJ/cert_host_key_dsa.pub | 82 cat $OBJ/cert_host_key_dsa.pub |
83 echon '@revoked ' 84 echon "* " | 83 printf '@revoked ' 84 printf "* " |
85 cat $OBJ/cert_host_key_rsa_v00.pub | 85 cat $OBJ/cert_host_key_rsa_v00.pub |
86 echon '@revoked ' 87 echon "* " | 86 printf '@revoked ' 87 printf "* " |
88 cat $OBJ/cert_host_key_dsa_v00.pub 89) > $OBJ/known_hosts-cert 90for privsep in yes no ; do 91 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 92 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 93 ( 94 cat $OBJ/sshd_proxy_bak 95 echo HostKey $OBJ/cert_host_key_${ktype} --- 7 unchanged lines hidden (view full) --- 103 if [ $? -eq 0 ]; then 104 fail "ssh cert connect succeeded unexpectedly" 105 fi 106 done 107done 108 109# Revoked CA 110( | 88 cat $OBJ/cert_host_key_dsa_v00.pub 89) > $OBJ/known_hosts-cert 90for privsep in yes no ; do 91 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 92 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 93 ( 94 cat $OBJ/sshd_proxy_bak 95 echo HostKey $OBJ/cert_host_key_${ktype} --- 7 unchanged lines hidden (view full) --- 103 if [ $? -eq 0 ]; then 104 fail "ssh cert connect succeeded unexpectedly" 105 fi 106 done 107done 108 109# Revoked CA 110( |
111 echon '@cert-authority ' 112 echon "$HOSTS " | 111 printf '@cert-authority ' 112 printf "$HOSTS " |
113 cat $OBJ/host_ca_key.pub | 113 cat $OBJ/host_ca_key.pub |
114 echon '@revoked ' 115 echon "* " | 114 printf '@revoked ' 115 printf "* " |
116 cat $OBJ/host_ca_key.pub 117) > $OBJ/known_hosts-cert 118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 119 verbose "$tid: host ${ktype} revoked cert" 120 ( 121 cat $OBJ/sshd_proxy_bak 122 echo HostKey $OBJ/cert_host_key_${ktype} 123 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 124 ) > $OBJ/sshd_proxy 125 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 126 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 127 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 128 if [ $? -eq 0 ]; then 129 fail "ssh cert connect succeeded unexpectedly" 130 fi 131done 132 133# Create a CA key and add it to known hosts 134( | 116 cat $OBJ/host_ca_key.pub 117) > $OBJ/known_hosts-cert 118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 119 verbose "$tid: host ${ktype} revoked cert" 120 ( 121 cat $OBJ/sshd_proxy_bak 122 echo HostKey $OBJ/cert_host_key_${ktype} 123 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 124 ) > $OBJ/sshd_proxy 125 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 126 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 127 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 128 if [ $? -eq 0 ]; then 129 fail "ssh cert connect succeeded unexpectedly" 130 fi 131done 132 133# Create a CA key and add it to known hosts 134( |
135 echon '@cert-authority ' 136 echon "$HOSTS " | 135 printf '@cert-authority ' 136 printf "$HOSTS " |
137 cat $OBJ/host_ca_key.pub 138) > $OBJ/known_hosts-cert 139 140test_one() { 141 ident=$1 142 result=$2 143 sign_opts=$3 144 --- 50 unchanged lines hidden (view full) --- 195 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 196 -f $OBJ/cert_host_key_${ktype} || \ 197 fail "ssh-keygen of cert_host_key_${ktype} failed" 198 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 199 -I "regress host key for $USER" \ 200 -n $HOSTS $OBJ/cert_host_key_${ktype} || 201 fail "couldn't sign cert_host_key_${ktype}" 202 ( | 137 cat $OBJ/host_ca_key.pub 138) > $OBJ/known_hosts-cert 139 140test_one() { 141 ident=$1 142 result=$2 143 sign_opts=$3 144 --- 50 unchanged lines hidden (view full) --- 195 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 196 -f $OBJ/cert_host_key_${ktype} || \ 197 fail "ssh-keygen of cert_host_key_${ktype} failed" 198 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 199 -I "regress host key for $USER" \ 200 -n $HOSTS $OBJ/cert_host_key_${ktype} || 201 fail "couldn't sign cert_host_key_${ktype}" 202 ( |
203 echon "$HOSTS " | 203 printf "$HOSTS " |
204 cat $OBJ/cert_host_key_${ktype}.pub 205 ) > $OBJ/known_hosts-cert 206 ( 207 cat $OBJ/sshd_proxy_bak 208 echo HostKey $OBJ/cert_host_key_${ktype} 209 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 210 ) > $OBJ/sshd_proxy 211 212 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 213 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 214 -F $OBJ/ssh_proxy somehost true 215 if [ $? -ne 0 ]; then 216 fail "ssh cert connect failed" 217 fi 218 done 219done 220 221# Wrong certificate 222( | 204 cat $OBJ/cert_host_key_${ktype}.pub 205 ) > $OBJ/known_hosts-cert 206 ( 207 cat $OBJ/sshd_proxy_bak 208 echo HostKey $OBJ/cert_host_key_${ktype} 209 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 210 ) > $OBJ/sshd_proxy 211 212 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 213 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 214 -F $OBJ/ssh_proxy somehost true 215 if [ $? -ne 0 ]; then 216 fail "ssh cert connect failed" 217 fi 218 done 219done 220 221# Wrong certificate 222( |
223 echon '@cert-authority ' 224 echon "$HOSTS " | 223 printf '@cert-authority ' 224 printf "$HOSTS " |
225 cat $OBJ/host_ca_key.pub 226) > $OBJ/known_hosts-cert 227for v in v01 v00 ; do 228 for kt in rsa dsa $ecdsa ; do 229 # v00 ecdsa certs do not exist. 230 test "${v}${ktype}" = "v00ecdsa" && continue 231 rm -f $OBJ/cert_host_key* 232 # Self-sign key --- 24 unchanged lines hidden --- | 225 cat $OBJ/host_ca_key.pub 226) > $OBJ/known_hosts-cert 227for v in v01 v00 ; do 228 for kt in rsa dsa $ecdsa ; do 229 # v00 ecdsa certs do not exist. 230 test "${v}${ktype}" = "v00ecdsa" && continue 231 rm -f $OBJ/cert_host_key* 232 # Self-sign key --- 24 unchanged lines hidden --- |
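Review bot: The replacement `printf "$HOSTS "` on new lines 22, 70, 112, 136 and 203 uses a variable as the printf format string, so any `%` or backslash sequence in HOSTS would be interpreted instead of printed. HOSTS is the fixed literal assigned on line 15, so nothing misbehaves today, but the robust idiom is `printf '%s ' "$HOSTS"`, which also keeps ShellCheck quiet and protects the known_hosts file if HOSTS is ever parameterised. The `printf '@cert-authority '` and `printf '@revoked '` replacements use literal formats and are fine as written. The occurrence at new line 203 is inside a loop whose opening lines are among the hidden lines of this section.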