cert-hostkey.sh revision 214979
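#	$OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
#	Placed in the Public Domain.

# Regression test for certified host keys.
#
# This script is run by the regress harness (test-exec.sh), which supplies
# $OBJ, $SSH, $SSHKEYGEN, the sshd_proxy/ssh_proxy configs and the helpers
# verbose(), fail() and echon().  A throw-away CA signs host certificates
# for rsa and dsa keys, in both the v01 and the legacy v00 format, and the
# client is checked to accept a certificate only when it is a *host*
# certificate, signed by a CA trusted for the target name, issued for that
# name, inside its validity window, free of constraints and not revoked.

tid="certified host keys"

rm -f "$OBJ"/known_hosts-cert "$OBJ"/host_ca_key* "$OBJ"/cert_host_key*
# Every test below rebuilds sshd_proxy from this pristine copy.
cp "$OBJ"/sshd_proxy "$OBJ"/sshd_proxy_bak ||
	fail "couldn't save sshd_proxy"

HOSTS='localhost-with-alias,127.0.0.1,::1'

#######################################
# Rebuild sshd_proxy so sshd offers the given certified host key.
# Arguments: $1 - host key name suffix (rsa, dsa, rsa_v00, dsa_v00)
#            $2 - optional UsePrivilegeSeparation value (yes/no); omitted
#                 when empty
# Outputs:   overwrites $OBJ/sshd_proxy
#######################################
write_sshd_proxy() {
	(
		cat "$OBJ"/sshd_proxy_bak
		echo HostKey "$OBJ"/cert_host_key_$1
		echo HostCertificate "$OBJ"/cert_host_key_$1-cert.pub
		if [ -n "${2-}" ]; then
			echo UsePrivilegeSeparation "$2"
		fi
	) > "$OBJ"/sshd_proxy
}

# Create a CA key and trust it, for $HOSTS only, in the client's known_hosts
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ"/host_ca_key ||
	fail "ssh-keygen of host_ca_key failed"
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ"/host_ca_key.pub
) > "$OBJ"/known_hosts-cert

# Generate and sign host keys: one v01 (default) and one v00 certificate
# per key type.  -h marks the certificate as a host certificate.
for ktype in rsa dsa ; do
	verbose "$tid: sign host ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f "$OBJ"/cert_host_key_${ktype} ||
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	${SSHKEYGEN} -h -q -s "$OBJ"/host_ca_key \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ"/cert_host_key_${ktype} ||
		fail "couldn't sign cert_host_key_${ktype}"
	cp "$OBJ"/cert_host_key_${ktype} "$OBJ"/cert_host_key_${ktype}_v00
	cp "$OBJ"/cert_host_key_${ktype}.pub "$OBJ"/cert_host_key_${ktype}_v00.pub
	${SSHKEYGEN} -t v00 -h -q -s "$OBJ"/host_ca_key \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ"/cert_host_key_${ktype}_v00 ||
		fail "couldn't sign cert_host_key_${ktype}_v00"
done

# Basic connect tests: a valid certificate must be accepted, with and
# without privilege separation on the server side.
for privsep in yes no ; do
	for ktype in rsa dsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		write_sshd_proxy "$ktype" "$privsep"

		# Output is deliberately not silenced: on failure the ssh
		# diagnostics are the only clue as to why.
		${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
		    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
		    -F "$OBJ"/ssh_proxy somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Revoked certificates with key present: the CA is still trusted, but the
# public key of each certified host key is listed as @revoked for every
# hostname ("*"), so the connection must be refused.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ"/host_ca_key.pub
	for ktype in rsa dsa rsa_v00 dsa_v00; do
		echon '@revoked '
		echon "* "
		cat "$OBJ"/cert_host_key_${ktype}.pub
	done
) > "$OBJ"/known_hosts-cert
for privsep in yes no ; do
	for ktype in rsa dsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		write_sshd_proxy "$ktype" "$privsep"

		${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
		    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
		    -F "$OBJ"/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done

# Revoked CA: the CA key is both trusted and revoked; revocation must win
# for every certificate it signed.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ"/host_ca_key.pub
	echon '@revoked '
	echon "* "
	cat "$OBJ"/host_ca_key.pub
) > "$OBJ"/known_hosts-cert
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
	# Label corrected: this loop exercises a revoked CA, not a revoked cert.
	verbose "$tid: host ${ktype} revoked CA"
	write_sshd_proxy "$ktype"
	${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
	    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
	    -F "$OBJ"/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done

# Restore the plain trusted-CA known_hosts for the signing-option tests
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ"/host_ca_key.pub
) > "$OBJ"/known_hosts-cert

#######################################
# Re-sign the rsa host key (v01 and v00) with extra ssh-keygen options and
# check that the client's verdict matches the expectation.
# Globals:   tid, HOSTS, OBJ, SSH, SSHKEYGEN, USER (read);
#            ident, result, sign_opts, kt, args, rc (written, not local:
#            the harness shell is not assumed to support 'local')
# Arguments: $1 - test label used in messages
#            $2 - "success" if the connection must succeed, anything else
#                 if it must fail
#            $3 - extra ssh-keygen signing options; word-split on purpose
#                 so several options can be passed in one string
#######################################
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00 ; do
		case $kt in
		*_v00)	args="-t v00" ;;
		*)	args="" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		# shellcheck disable=SC2086 -- $sign_opts/$args carry several words
		${SSHKEYGEN} -q -s "$OBJ"/host_ca_key \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    "$OBJ"/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		write_sshd_proxy "$kt"

		${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
		    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
		    -F "$OBJ"/ssh_proxy somehost true >/dev/null 2>&1
		rc=$?
		if [ "x$result" = "xsuccess" ] ; then
			if [ $rc -ne 0 ]; then
				fail "ssh cert connect $ident failed unexpectedly"
			fi
		else
			if [ $rc -eq 0 ]; then
				fail "ssh cert connect $ident succeeded unexpectedly"
			fi
		fi
	done
}

# Without -h the certificate is a user certificate and must not be
# accepted as a host certificate even though the CA and principals match.
test_one "user-certificate" failure "-n $HOSTS"
test_one "empty principals" success "-h"
test_one "wrong principals" failure "-h -n foo"
# Validity windows are given relative to "now" (the -V-1w:+2w form the
# script already relies on) rather than as absolute dates, so the
# "not yet valid" case cannot silently turn into a valid one as the
# calendar advances past a hard-coded year.
test_one "cert not yet valid" failure "-h -V+1w:+2w"
test_one "cert expired" failure "-h -V19800101:19900101"
test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false"

# Check downgrade of cert to raw key when no CA found: known_hosts holds
# only the raw host key, so the client must ignore the certificate and
# accept the connection on the strength of the key alone.
for v in v01 v00 ; do
	for ktype in rsa dsa ; do
		rm -f "$OBJ"/known_hosts-cert "$OBJ"/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate and sign a host key
		${SSHKEYGEN} -q -N '' -t ${ktype} \
		    -f "$OBJ"/cert_host_key_${ktype} ||
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t ${v} -h -q -s "$OBJ"/host_ca_key \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ"/cert_host_key_${ktype} ||
			fail "couldn't sign cert_host_key_${ktype}"
		(
			echon "$HOSTS "
			cat "$OBJ"/cert_host_key_${ktype}.pub
		) > "$OBJ"/known_hosts-cert
		write_sshd_proxy "$ktype"

		${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
		    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
		    -F "$OBJ"/ssh_proxy somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Wrong certificate: the host key signs its own certificate.  The client
# trusts only host_ca_key, so a self-signed certificate must be refused.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ"/host_ca_key.pub
) > "$OBJ"/known_hosts-cert
for v in v01 v00 ; do
	for kt in rsa dsa ; do
		rm -f "$OBJ"/cert_host_key*
		# Self-sign key
		${SSHKEYGEN} -q -N '' -t ${kt} \
		    -f "$OBJ"/cert_host_key_${kt} ||
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t ${v} -h -q -s "$OBJ"/cert_host_key_${kt} \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ"/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} connect wrong cert"
		write_sshd_proxy "$kt"

		${SSH} -2 -oUserKnownHostsFile="$OBJ"/known_hosts-cert \
		    -oGlobalKnownHostsFile="$OBJ"/known_hosts-cert \
		    -F "$OBJ"/ssh_proxy -q somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			# Name this loop's own case; the original message reused
			# $ident, which still held the last test_one label.
			fail "ssh cert connect ${kt} ${v} wrong cert succeeded unexpectedly"
		fi
	done
done

rm -f "$OBJ"/known_hosts-cert "$OBJ"/host_ca_key* "$OBJ"/cert_host_key*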