test_sshkey.c revision 294328
1/* $OpenBSD: test_sshkey.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */ 2/* 3 * Regress test for sshkey.h key management API 4 * 5 * Placed in the public domain 6 */ 7 8#include "includes.h" 9 10#include <sys/types.h> 11#include <sys/param.h> 12#include <stdio.h> 13#ifdef HAVE_STDINT_H 14#include <stdint.h> 15#endif 16#include <stdlib.h> 17#include <string.h> 18 19#include <openssl/bn.h> 20#include <openssl/rsa.h> 21#include <openssl/dsa.h> 22#ifdef OPENSSL_HAS_NISTP256 23# include <openssl/ec.h> 24#endif 25 26#include "../test_helper/test_helper.h" 27 28#include "ssherr.h" 29#include "sshbuf.h" 30#define SSHBUF_INTERNAL 1 /* access internals for testing */ 31#include "sshkey.h" 32 33#include "authfile.h" 34#include "common.h" 35#include "ssh2.h" 36 37void sshkey_tests(void); 38 39static void 40build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, 41 const struct sshkey *sign_key, const struct sshkey *ca_key) 42{ 43 struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts; 44 u_char *sigblob; 45 size_t siglen; 46 47 ca_buf = sshbuf_new(); 48 ASSERT_INT_EQ(sshkey_to_blob_buf(ca_key, ca_buf), 0); 49 50 /* 51 * Get the public key serialisation by rendering the key and skipping 52 * the type string. This is a bit of a hack :/ 53 */ 54 pk = sshbuf_new(); 55 ASSERT_INT_EQ(sshkey_plain_to_blob_buf(k, pk), 0); 56 ASSERT_INT_EQ(sshbuf_skip_string(pk), 0); 57 58 principals = sshbuf_new(); 59 ASSERT_INT_EQ(sshbuf_put_cstring(principals, "gsamsa"), 0); 60 ASSERT_INT_EQ(sshbuf_put_cstring(principals, "gregor"), 0); 61 62 critopts = sshbuf_new(); 63 /* XXX fill this in */ 64 65 exts = sshbuf_new(); 66 /* XXX fill this in */ 67 68 ASSERT_INT_EQ(sshbuf_put_cstring(b, type), 0); 69 ASSERT_INT_EQ(sshbuf_put_cstring(b, "noncenoncenonce!"), 0); /* nonce */ 70 ASSERT_INT_EQ(sshbuf_putb(b, pk), 0); /* public key serialisation */ 71 ASSERT_INT_EQ(sshbuf_put_u64(b, 1234), 0); /* serial */ 72 ASSERT_INT_EQ(sshbuf_put_u32(b, SSH2_CERT_TYPE_USER), 0); /* type */ 73 ASSERT_INT_EQ(sshbuf_put_cstring(b, "gregor"), 0); /* key ID */ 74 ASSERT_INT_EQ(sshbuf_put_stringb(b, principals), 0); /* principals */ 75 ASSERT_INT_EQ(sshbuf_put_u64(b, 0), 0); /* start */ 76 ASSERT_INT_EQ(sshbuf_put_u64(b, 0xffffffffffffffffULL), 0); /* end */ 77 ASSERT_INT_EQ(sshbuf_put_stringb(b, critopts), 0); /* options */ 78 ASSERT_INT_EQ(sshbuf_put_stringb(b, exts), 0); /* extensions */ 79 ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ 80 ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ 81 ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, 82 sshbuf_ptr(b), sshbuf_len(b), 0), 0); 83 ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ 84 85 free(sigblob); 86 sshbuf_free(ca_buf); 87 sshbuf_free(exts); 88 sshbuf_free(critopts); 89 sshbuf_free(principals); 90 sshbuf_free(pk); 91} 92 93void 94sshkey_tests(void) 95{ 96 struct sshkey *k1, *k2, *k3, *k4, *kr, *kd, *ke, *kf; 97 struct sshbuf *b; 98 99 TEST_START("new invalid"); 100 k1 = sshkey_new(-42); 101 ASSERT_PTR_EQ(k1, NULL); 102 TEST_DONE(); 103 104 TEST_START("new/free KEY_UNSPEC"); 105 k1 = sshkey_new(KEY_UNSPEC); 106 ASSERT_PTR_NE(k1, NULL); 107 sshkey_free(k1); 108 TEST_DONE(); 109 110 TEST_START("new/free KEY_RSA1"); 111 k1 = sshkey_new(KEY_RSA1); 112 ASSERT_PTR_NE(k1, NULL); 113 ASSERT_PTR_NE(k1->rsa, NULL); 114 ASSERT_PTR_NE(k1->rsa->n, NULL); 115 ASSERT_PTR_NE(k1->rsa->e, NULL); 116 ASSERT_PTR_EQ(k1->rsa->p, NULL); 117 sshkey_free(k1); 118 TEST_DONE(); 119 120 TEST_START("new/free KEY_RSA"); 121 k1 = sshkey_new(KEY_RSA); 122 ASSERT_PTR_NE(k1, NULL); 123 ASSERT_PTR_NE(k1->rsa, NULL); 124 ASSERT_PTR_NE(k1->rsa->n, NULL); 125 ASSERT_PTR_NE(k1->rsa->e, NULL); 126 ASSERT_PTR_EQ(k1->rsa->p, NULL); 127 sshkey_free(k1); 128 TEST_DONE(); 129 130 TEST_START("new/free KEY_DSA"); 131 k1 = sshkey_new(KEY_DSA); 132 ASSERT_PTR_NE(k1, NULL); 133 ASSERT_PTR_NE(k1->dsa, NULL); 134 ASSERT_PTR_NE(k1->dsa->g, NULL); 135 ASSERT_PTR_EQ(k1->dsa->priv_key, NULL); 136 sshkey_free(k1); 137 TEST_DONE(); 138 139 TEST_START("new/free KEY_ECDSA"); 140 k1 = sshkey_new(KEY_ECDSA); 141 ASSERT_PTR_NE(k1, NULL); 142 ASSERT_PTR_EQ(k1->ecdsa, NULL); /* Can't allocate without NID */ 143 sshkey_free(k1); 144 TEST_DONE(); 145 146 TEST_START("new/free KEY_ED25519"); 147 k1 = sshkey_new(KEY_ED25519); 148 ASSERT_PTR_NE(k1, NULL); 149 /* These should be blank until key loaded or generated */ 150 ASSERT_PTR_EQ(k1->ed25519_sk, NULL); 151 ASSERT_PTR_EQ(k1->ed25519_pk, NULL); 152 sshkey_free(k1); 153 TEST_DONE(); 154 155 TEST_START("new_private KEY_RSA"); 156 k1 = sshkey_new_private(KEY_RSA); 157 ASSERT_PTR_NE(k1, NULL); 158 ASSERT_PTR_NE(k1->rsa, NULL); 159 ASSERT_PTR_NE(k1->rsa->n, NULL); 160 ASSERT_PTR_NE(k1->rsa->e, NULL); 161 ASSERT_PTR_NE(k1->rsa->p, NULL); 162 ASSERT_INT_EQ(sshkey_add_private(k1), 0); 163 sshkey_free(k1); 164 TEST_DONE(); 165 166 TEST_START("new_private KEY_DSA"); 167 k1 = sshkey_new_private(KEY_DSA); 168 ASSERT_PTR_NE(k1, NULL); 169 ASSERT_PTR_NE(k1->dsa, NULL); 170 ASSERT_PTR_NE(k1->dsa->g, NULL); 171 ASSERT_PTR_NE(k1->dsa->priv_key, NULL); 172 ASSERT_INT_EQ(sshkey_add_private(k1), 0); 173 sshkey_free(k1); 174 TEST_DONE(); 175 176 TEST_START("generate KEY_RSA too small modulus"); 177 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1), 178 SSH_ERR_INVALID_ARGUMENT); 179 ASSERT_PTR_EQ(k1, NULL); 180 TEST_DONE(); 181 182 TEST_START("generate KEY_RSA too large modulus"); 183 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1), 184 SSH_ERR_INVALID_ARGUMENT); 185 ASSERT_PTR_EQ(k1, NULL); 186 TEST_DONE(); 187 188 TEST_START("generate KEY_DSA wrong bits"); 189 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), 190 SSH_ERR_INVALID_ARGUMENT); 191 ASSERT_PTR_EQ(k1, NULL); 192 sshkey_free(k1); 193 TEST_DONE(); 194 195 TEST_START("generate KEY_ECDSA wrong bits"); 196 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), 197 SSH_ERR_INVALID_ARGUMENT); 198 ASSERT_PTR_EQ(k1, NULL); 199 sshkey_free(k1); 200 TEST_DONE(); 201 202 TEST_START("generate KEY_RSA"); 203 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &kr), 0); 204 ASSERT_PTR_NE(kr, NULL); 205 ASSERT_PTR_NE(kr->rsa, NULL); 206 ASSERT_PTR_NE(kr->rsa->n, NULL); 207 ASSERT_PTR_NE(kr->rsa->e, NULL); 208 ASSERT_PTR_NE(kr->rsa->p, NULL); 209 ASSERT_INT_EQ(BN_num_bits(kr->rsa->n), 768); 210 TEST_DONE(); 211 212 TEST_START("generate KEY_DSA"); 213 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0); 214 ASSERT_PTR_NE(kd, NULL); 215 ASSERT_PTR_NE(kd->dsa, NULL); 216 ASSERT_PTR_NE(kd->dsa->g, NULL); 217 ASSERT_PTR_NE(kd->dsa->priv_key, NULL); 218 TEST_DONE(); 219 220#ifdef OPENSSL_HAS_ECC 221 TEST_START("generate KEY_ECDSA"); 222 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &ke), 0); 223 ASSERT_PTR_NE(ke, NULL); 224 ASSERT_PTR_NE(ke->ecdsa, NULL); 225 ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL); 226 ASSERT_PTR_NE(EC_KEY_get0_private_key(ke->ecdsa), NULL); 227 TEST_DONE(); 228#endif 229 230 TEST_START("generate KEY_ED25519"); 231 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &kf), 0); 232 ASSERT_PTR_NE(kf, NULL); 233 ASSERT_INT_EQ(kf->type, KEY_ED25519); 234 ASSERT_PTR_NE(kf->ed25519_pk, NULL); 235 ASSERT_PTR_NE(kf->ed25519_sk, NULL); 236 TEST_DONE(); 237 238 TEST_START("demote KEY_RSA"); 239 ASSERT_INT_EQ(sshkey_demote(kr, &k1), 0); 240 ASSERT_PTR_NE(k1, NULL); 241 ASSERT_PTR_NE(kr, k1); 242 ASSERT_INT_EQ(k1->type, KEY_RSA); 243 ASSERT_PTR_NE(k1->rsa, NULL); 244 ASSERT_PTR_NE(k1->rsa->n, NULL); 245 ASSERT_PTR_NE(k1->rsa->e, NULL); 246 ASSERT_PTR_EQ(k1->rsa->p, NULL); 247 TEST_DONE(); 248 249 TEST_START("equal KEY_RSA/demoted KEY_RSA"); 250 ASSERT_INT_EQ(sshkey_equal(kr, k1), 1); 251 sshkey_free(k1); 252 TEST_DONE(); 253 254 TEST_START("demote KEY_DSA"); 255 ASSERT_INT_EQ(sshkey_demote(kd, &k1), 0); 256 ASSERT_PTR_NE(k1, NULL); 257 ASSERT_PTR_NE(kd, k1); 258 ASSERT_INT_EQ(k1->type, KEY_DSA); 259 ASSERT_PTR_NE(k1->dsa, NULL); 260 ASSERT_PTR_NE(k1->dsa->g, NULL); 261 ASSERT_PTR_EQ(k1->dsa->priv_key, NULL); 262 TEST_DONE(); 263 264 TEST_START("equal KEY_DSA/demoted KEY_DSA"); 265 ASSERT_INT_EQ(sshkey_equal(kd, k1), 1); 266 sshkey_free(k1); 267 TEST_DONE(); 268 269#ifdef OPENSSL_HAS_ECC 270 TEST_START("demote KEY_ECDSA"); 271 ASSERT_INT_EQ(sshkey_demote(ke, &k1), 0); 272 ASSERT_PTR_NE(k1, NULL); 273 ASSERT_PTR_NE(ke, k1); 274 ASSERT_INT_EQ(k1->type, KEY_ECDSA); 275 ASSERT_PTR_NE(k1->ecdsa, NULL); 276 ASSERT_INT_EQ(k1->ecdsa_nid, ke->ecdsa_nid); 277 ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL); 278 ASSERT_PTR_EQ(EC_KEY_get0_private_key(k1->ecdsa), NULL); 279 TEST_DONE(); 280 281 TEST_START("equal KEY_ECDSA/demoted KEY_ECDSA"); 282 ASSERT_INT_EQ(sshkey_equal(ke, k1), 1); 283 sshkey_free(k1); 284 TEST_DONE(); 285#endif 286 287 TEST_START("demote KEY_ED25519"); 288 ASSERT_INT_EQ(sshkey_demote(kf, &k1), 0); 289 ASSERT_PTR_NE(k1, NULL); 290 ASSERT_PTR_NE(kf, k1); 291 ASSERT_INT_EQ(k1->type, KEY_ED25519); 292 ASSERT_PTR_NE(k1->ed25519_pk, NULL); 293 ASSERT_PTR_EQ(k1->ed25519_sk, NULL); 294 TEST_DONE(); 295 296 TEST_START("equal KEY_ED25519/demoted KEY_ED25519"); 297 ASSERT_INT_EQ(sshkey_equal(kf, k1), 1); 298 sshkey_free(k1); 299 TEST_DONE(); 300 301 TEST_START("equal mismatched key types"); 302 ASSERT_INT_EQ(sshkey_equal(kd, kr), 0); 303#ifdef OPENSSL_HAS_ECC 304 ASSERT_INT_EQ(sshkey_equal(kd, ke), 0); 305 ASSERT_INT_EQ(sshkey_equal(kr, ke), 0); 306 ASSERT_INT_EQ(sshkey_equal(ke, kf), 0); 307#endif 308 ASSERT_INT_EQ(sshkey_equal(kd, kf), 0); 309 TEST_DONE(); 310 311 TEST_START("equal different keys"); 312 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &k1), 0); 313 ASSERT_INT_EQ(sshkey_equal(kr, k1), 0); 314 sshkey_free(k1); 315 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0); 316 ASSERT_INT_EQ(sshkey_equal(kd, k1), 0); 317 sshkey_free(k1); 318#ifdef OPENSSL_HAS_ECC 319 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0); 320 ASSERT_INT_EQ(sshkey_equal(ke, k1), 0); 321 sshkey_free(k1); 322#endif 323 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &k1), 0); 324 ASSERT_INT_EQ(sshkey_equal(kf, k1), 0); 325 sshkey_free(k1); 326 TEST_DONE(); 327 328 sshkey_free(kr); 329 sshkey_free(kd); 330#ifdef OPENSSL_HAS_ECC 331 sshkey_free(ke); 332#endif 333 sshkey_free(kf); 334 335/* XXX certify test */ 336/* XXX sign test */ 337/* XXX verify test */ 338 339 TEST_START("nested certificate"); 340 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0); 341 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, 342 NULL), 0); 343 b = load_file("rsa_2"); 344 ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", "rsa_1", 345 &k3, NULL), 0); 346 sshbuf_reset(b); 347 build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1); 348 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), 349 SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); 350 ASSERT_PTR_EQ(k4, NULL); 351 sshbuf_free(b); 352 sshkey_free(k1); 353 sshkey_free(k2); 354 sshkey_free(k3); 355 TEST_DONE(); 356 357} 358