#	$OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
#	Placed in the Public Domain.

tid="ssh with certificates"

# Start from a clean slate: a stale key or certificate left by an earlier
# run could make one of the negative cases below pass for the wrong reason.
rm -f "$OBJ"/user_ca_key* "$OBJ"/user_key*
rm -f "$OBJ"/cert_user_key*

# Two independent CA keys. Only user_ca_key1 is ever trusted by the server
# (see the authorized_keys line below); user_ca_key2 exists so that a
# certificate from an unknown CA can be shown to be rejected.
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key1" || \
	fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_ca_key2" || \
	fatal "ssh-keygen failed"

# Two user keys. user_key1 gets certificates from both CAs; user_key2 stays a
# bare key and stands in for "a key with no matching certificate".
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_key1" || \
	fatal "ssh-keygen failed"
${SSHKEYGEN} -q -N '' -t ed25519 -f "$OBJ/user_key2" || \
	fatal "ssh-keygen failed"

# Sign user_key1 with each CA. ssh-keygen writes user_key1-cert.pub beside
# the private key, where ssh would offer it implicitly; rename each
# certificate so it is only ever presented through an explicit
# CertificateFile option and the test controls exactly when it is offered.
#   cert_user_key1_1.pub  - issued by the trusted CA   (user_ca_key1)
#   cert_user_key1_2.pub  - issued by the untrusted CA (user_ca_key2)
# -z $$ just gives the certificates a distinctive serial; -n restricts the
# principal list to the user running the test.
${SSHKEYGEN} -q -s "$OBJ/user_ca_key1" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
		fail "couldn't sign user_key1 with user_ca_key1"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_1.pub"
${SSHKEYGEN} -q -s "$OBJ/user_ca_key2" -I "regress user key for $USER" \
	-z $$ -n "${USER}" "$OBJ/user_key1" ||
		fail "couldn't sign user_key1 with user_ca_key2"
mv "$OBJ/user_key1-cert.pub" "$OBJ/cert_user_key1_2.pub"

trace 'try with identity files'
# IdentitiesOnly=yes keeps any agent-held keys out of this section, so only
# the identities named with -i (both private keys, in opts2) are offered.
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
# The server trusts only the first CA. No principals= option is given, so
# (per sshd(8) cert-authority semantics) the certificate's own principal
# list, set with -n above, has to cover the login name.
echo "cert-authority $(cat "$OBJ/user_ca_key1.pub")" > "$OBJ/authorized_keys_$USER"

# Run ssh with the given options, asking the remote side to exit with the
# status held in $want. Succeeds (returns 0) only if exactly that status
# comes back, which is the one accepted proof that authentication worked;
# any other status (including ssh's own 255) counts as "not authenticated".
ssh_auths() {
	${SSH} "$@" somehost exit "$want"
	[ $? -eq "$want" ]
}

# NOTE(review): certificates are a protocol 2 feature (see the agent section
# below). If SSH_PROTOCOLS also lists 1, the positive cases in this loop are
# expected to fail for p=1 - confirm what the harness sets before relying
# on this loop for anything but protocol 2.
for p in ${SSH_PROTOCOLS}; do
	want=5$p

	# 1. Both private keys, no certificate at all: the server only accepts
	#    certificates (cert-authority), so a bare key must be refused.
	if ssh_auths $opts2; then
		fail "ssh succeeded with no certs in protocol $p"
	fi

	# 2. Both keys plus a certificate from the CA the server does NOT trust.
	#    The key matches the certificate, but the issuer is unknown: refuse.
	if ssh_auths $opts2 -oCertificateFile="$OBJ/cert_user_key1_2.pub"; then
		fail "ssh succeeded with bad cert in protocol $p"
	fi

	# 3. A trusted certificate but only the wrong private key (user_key2).
	#    The certificate is for user_key1, so there is nothing to sign
	#    with; a certificate alone must never be enough.
	if ssh_auths $opts -i "$OBJ/user_key2" \
	    -oCertificateFile="$OBJ/cert_user_key1_1.pub"; then
		fail "ssh succeeded with no matching key in protocol $p"
	fi

	# 4. Both keys and the trusted certificate for user_key1: must succeed.
	if ! ssh_auths $opts2 -oCertificateFile="$OBJ/cert_user_key1_1.pub"; then
		fail "ssh failed with trusted cert and key in protocol $p"
	fi

	# 5. Both keys, the untrusted certificate listed first and the trusted
	#    one second: the bad certificate must not prevent the good one from
	#    being tried, so this still succeeds.
	if ! ssh_auths $opts2 -oCertificateFile="$OBJ/cert_user_key1_2.pub" \
	    -oCertificateFile="$OBJ/cert_user_key1_1.pub"; then
		fail "ssh failed with multiple certs in protocol $p"
	fi

	# 6. Repeat of case 4. The original note calls this "certificate
	#    specified in config options", but as written the CertificateFile
	#    is still passed on the command line with -o, not read from an
	#    ssh_config file - presumably the ssh_config variant was intended.
	if ! ssh_auths $opts2 -oCertificateFile="$OBJ/cert_user_key1_1.pub"; then
		fail "ssh failed with trusted cert in config in protocol $p"
	fi
done

# Next, the same idea with the private keys held by an agent instead of
# being named with -i.

# Make sure no agent is reachable before starting our own, so that every
# result in this section can only come from the agent started here.
# ssh-add -l exits 2 when it cannot connect to an agent.
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
[ $? -eq 2 ] || fatal "ssh-add -l did not fail with exit code 2"

trace "start agent"
# ssh-agent -s prints shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID;
# evaluating that (trusted, locally generated) output adopts the agent in
# this shell. $r is the status of the eval itself.
eval "$(${SSHAGENT} -s)" > /dev/null
r=$?
[ $r -eq 0 ] || fatal "could not start ssh-agent: exit code $r"
# NOTE(review): if a fatal fires between here and "kill agent" below, the
# agent keeps running unless the harness reaps SSH_AGENT_PID itself -
# confirm against test-exec.sh's cleanup.

# Load only the private keys (-k skips certificates), so every certificate
# in this section reaches ssh solely through CertificateFile.
${SSHADD} -k "$OBJ/user_key2" > /dev/null 2>&1 || \
	fatal "ssh-add did not succeed with exit code 0"
${SSHADD} -k "$OBJ/user_key1" > /dev/null 2>&1 || \
	fatal "ssh-add did not succeed with exit code 0"

# Agent-held keys combined with certificates from the command line.
# Certificates exist only in protocol 2, so -2 is forced throughout.
# The options deliberately accumulate from case to case: the untrusted
# certificate is still listed when the trusted one is added, so the final
# case also shows that a bad certificate does not poison a good one.
opts="-F $OBJ/ssh_proxy"

# No certificate offered: agent keys alone must be refused.
${SSH} -2 $opts somehost exit 52
[ $? -ne 52 ] || fail "ssh connect with agent in protocol 2 succeeded with no cert"

# Only the certificate from the untrusted CA: must be refused.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} -2 $opts somehost exit 52
[ $? -ne 52 ] || fail "ssh connect with agent in protocol 2 succeeded with bad cert"

# Untrusted plus trusted certificate, keys in the agent: must succeed.
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} -2 $opts somehost exit 52
[ $? -eq 52 ] || fail "ssh connect with agent in protocol 2 failed with good cert"

trace "kill agent"
${SSHAGENT} -k > /dev/null

# Remove all key material again; nothing generated here should outlive the
# test.
rm -f "$OBJ"/user_ca_key* "$OBJ"/user_key*
rm -f "$OBJ"/cert_user_key*