cert-hostkey.sh revision 214979
#	$OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
#	Placed in the Public Domain.

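# Test identifier; used as the prefix of every verbose message in this script.
tid="certified host keys"

# Start from a clean slate. ${OBJ:?} aborts the script when OBJ is unset or
# empty, so the globs below can never be expanded relative to "/".
rm -f "${OBJ:?}/known_hosts-cert" "${OBJ:?}"/host_ca_key* \
    "${OBJ:?}"/cert_host_key*
# Keep an unmodified copy of the sshd configuration. The test cases in this
# script rebuild sshd_proxy from this copy plus their own HostKey and
# HostCertificate lines.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Used both as the principal list of the host certificates (-n) and as the
# host pattern of the @cert-authority line in known_hosts.
HOSTS='localhost-with-alias,127.0.0.1,::1'
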
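# Create a CA key and add it to known hosts.
# -N '' creates the CA private key without a passphrase; that is acceptable
# only because this is a throwaway key living in the test object directory.
# ${SSHKEYGEN} stays unquoted: presumably the harness may store a command plus
# arguments in it — confirm before quoting.
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/host_ca_key" ||
	fail "ssh-keygen of host_ca_key failed"
# Resulting known_hosts line: "@cert-authority <host patterns> <CA public key>".
# Paths are quoted so the shell neither word-splits nor globs $OBJ.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
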
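# Generate and sign host keys.
# For each key type one key pair is created and certified twice by the CA:
# once in the default certificate format and once, under a *_v00 file name,
# in the v00 format selected with "-t v00".
for ktype in rsa dsa; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate the host key pair (no passphrase, test-only key).
	${SSHKEYGEN} -q -N '' -t "${ktype}" \
	    -f "$OBJ/cert_host_key_${ktype}" ||
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	# -h requests a host certificate, -n limits it to the principals in
	# $HOSTS, -I sets the key identity recorded in the certificate.
	${SSHKEYGEN} -h -q -s "$OBJ/host_ca_key" \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}" ||
		fail "couldn't sign cert_host_key_${ktype}"
	# The v00 variant is the same key pair copied to a second name, so the
	# *_v00.pub file holds the same public key as the original.
	cp "$OBJ/cert_host_key_${ktype}" "$OBJ/cert_host_key_${ktype}_v00"
	cp "$OBJ/cert_host_key_${ktype}.pub" \
	    "$OBJ/cert_host_key_${ktype}_v00.pub"
	${SSHKEYGEN} -t v00 -h -q -s "$OBJ/host_ca_key" \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}_v00" ||
		fail "couldn't sign cert_host_key_${ktype}_v00"
done
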
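# Basic connect tests.
# Positive control for the negative tests further down: with the CA trusted in
# known_hosts and nothing revoked, every certificate must be accepted, both
# with and without sshd privilege separation.
for privsep in yes no; do
	for ktype in rsa dsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		# sshd config = pristine copy + the key and certificate under test.
		(
			cat "$OBJ/sshd_proxy_bak"
			echo HostKey "$OBJ/cert_host_key_${ktype}"
			echo HostCertificate "$OBJ/cert_host_key_${ktype}-cert.pub"
			echo UsePrivilegeSeparation "$privsep"
		) > "$OBJ/sshd_proxy"

		# User and global known_hosts both point at the test file, so the
		# only trust anchors the client sees are the ones written above.
		${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
		    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" somehost true ||
			fail "ssh cert connect failed"
	done
done
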
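# Revoked certificates with key present.
# known_hosts still trusts the CA, but each host public key is additionally
# listed on an "@revoked * <key>" line. The client must refuse the connection
# even though the certificate itself verifies against the CA.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
	# One @revoked entry per host key, in the same order as before:
	# rsa, dsa, rsa_v00, dsa_v00.
	for revoked in rsa dsa rsa_v00 dsa_v00; do
		echon '@revoked '
		echon "* "
		cat "$OBJ/cert_host_key_${revoked}.pub"
	done
) > "$OBJ/known_hosts-cert"
for privsep in yes no; do
	for ktype in rsa dsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo HostKey "$OBJ/cert_host_key_${ktype}"
			echo HostCertificate "$OBJ/cert_host_key_${ktype}-cert.pub"
			echo UsePrivilegeSeparation "$privsep"
		) > "$OBJ/sshd_proxy"

		# Output is discarded and only the exit status is checked, so a
		# failure for any unrelated reason also counts as a pass here. The
		# basic connect tests earlier in this script are what show that the
		# same setup succeeds when nothing is revoked.
		if ${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
		    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done
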
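# Revoked CA.
# The CA public key appears twice in known_hosts: once as @cert-authority and
# once as @revoked. Revocation must win, so no certificate issued by this CA
# may be accepted.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
	echon '@revoked '
	echon "* "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
for ktype in rsa dsa rsa_v00 dsa_v00; do
	# NOTE(review): the label says "revoked cert" although this section
	# revokes the CA key; in the log it differs from the previous section
	# only by the missing privsep suffix.
	verbose "$tid: host ${ktype} revoked cert"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo HostKey "$OBJ/cert_host_key_${ktype}"
		echo HostCertificate "$OBJ/cert_host_key_${ktype}-cert.pub"
	) > "$OBJ/sshd_proxy"
	# Only the exit status is checked; any connection failure passes.
	if ${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
	    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done
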
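# Reset known_hosts to trust only the existing CA key (no key is created
# here). This drops the @revoked lines written by the revocation tests.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
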
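# test_one ident result sign_opts
#
# Re-sign the rsa host key with the CA using the given signing options, once
# in the default certificate format and once in the v00 format, then connect
# and compare the outcome with the expectation.
#
# Arguments:
#   $1 ident      label used in the verbose and failure messages
#   $2 result     "success" if ssh is expected to exit 0; any other value
#                 means the connection is expected to fail
#   $3 sign_opts  extra ssh-keygen signing options, split on whitespace
# Globals read:   tid, OBJ, USER, SSHKEYGEN, SSH
# Globals set:    ident, result, sign_opts, kt, args, rc. The function does
#                 not use "local", so these stay set after it returns.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00; do
		# Keys named *_v00 are signed in the v00 certificate format.
		case $kt in
		*_v00) args="-t v00" ;;
		*) args="" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		# $sign_opts and $args are left unquoted on purpose: each holds
		# zero or more separate options. The paths are quoted so the
		# shell does not word-split or glob $OBJ.
		${SSHKEYGEN} -q -s "$OBJ/host_ca_key" \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    "$OBJ/cert_host_key_${kt}" ||
			fail "couldn't sign cert_host_key_${kt}"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo HostKey "$OBJ/cert_host_key_${kt}"
			echo HostCertificate "$OBJ/cert_host_key_${kt}-cert.pub"
		) > "$OBJ/sshd_proxy"

		# Output is discarded; only the exit status decides the verdict,
		# so an "expected failure" case passes on any connection error.
		${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
		    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		rc=$?
		if [ "x$result" = "xsuccess" ]; then
			if [ "$rc" -ne 0 ]; then
				fail "ssh cert connect $ident failed unexpectedly"
			fi
		elif [ "$rc" -eq 0 ]; then
			fail "ssh cert connect $ident succeeded unexpectedly"
		fi
	done
}
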
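# Validity window for the "cert not yet valid" case, computed from the current
# date so that it always opens on 1 January of next year. A fixed window of
# 20200101:20300101 is a currently valid interval for any run between those
# two dates, which makes the negative test fail.
next_year=$(( $(date +%Y) + 1 ))
not_yet_valid="-V${next_year}0101:$(( next_year + 1 ))0101"

# Signed without -h: a user certificate offered as a host certificate.
test_one "user-certificate"	failure "-n $HOSTS"
# A host certificate with no principals is expected to be accepted, i.e. it is
# not tied to any host name; real CAs should always pass -n when signing.
test_one "empty principals"	success "-h"
# Principal "foo" matches none of the names the client connects to.
test_one "wrong principals"	failure "-h -n foo"
test_one "cert not yet valid"	failure "-h $not_yet_valid"
test_one "cert expired"		failure "-h -V19800101:19900101"
# Relative window: from one week ago until two weeks from now.
test_one "cert valid interval"	success "-h -V-1w:+2w"
# A host certificate carrying a force-command option is expected to be
# rejected.
test_one "cert has constraints"	failure "-h -Oforce-command=false"
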
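# Check downgrade of cert to raw key when no CA found.
# known_hosts lists only the plain host public key (no @cert-authority line)
# while sshd still offers the certificate. The connection is expected to
# succeed on the strength of the plain key.
for v in v01 v00; do
	for ktype in rsa dsa; do
		# ${OBJ:?} aborts if OBJ is unset or empty, so the glob can never
		# be expanded relative to "/".
		rm -f "${OBJ:?}/known_hosts-cert" "${OBJ:?}"/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate and sign a host key
		${SSHKEYGEN} -q -N '' -t "${ktype}" \
		    -f "$OBJ/cert_host_key_${ktype}" ||
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t "${v}" -h -q -s "$OBJ/host_ca_key" \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}" ||
			fail "couldn't sign cert_host_key_${ktype}"
		# Plain "<host patterns> <public key>" entry; the CA is not trusted.
		(
			echon "$HOSTS "
			cat "$OBJ/cert_host_key_${ktype}.pub"
		) > "$OBJ/known_hosts-cert"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo HostKey "$OBJ/cert_host_key_${ktype}"
			echo HostCertificate "$OBJ/cert_host_key_${ktype}-cert.pub"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
		    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" somehost true ||
			fail "ssh cert connect failed"
	done
done
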
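# Wrong certificate.
# known_hosts trusts only the CA, but each host key is certified by itself
# (-s points at the host key, not at host_ca_key). The client must refuse a
# certificate whose signer is not the trusted CA.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
for v in v01 v00; do
	for kt in rsa dsa; do
		# ${OBJ:?} aborts if OBJ is unset or empty, so the glob can never
		# be expanded relative to "/".
		rm -f "${OBJ:?}"/cert_host_key*
		# Self-sign key
		${SSHKEYGEN} -q -N '' -t "${kt}" \
		    -f "$OBJ/cert_host_key_${kt}" ||
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t "${v}" -h -q -s "$OBJ/cert_host_key_${kt}" \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ/cert_host_key_${kt}" ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} connect wrong cert"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo HostKey "$OBJ/cert_host_key_${kt}"
			echo HostCertificate "$OBJ/cert_host_key_${kt}-cert.pub"
		) > "$OBJ/sshd_proxy"

		# Only the exit status is checked; any connection failure passes.
		if ${SSH} -2 -oUserKnownHostsFile="$OBJ/known_hosts-cert" \
		    -oGlobalKnownHostsFile="$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" -q somehost true >/dev/null 2>&1; then
			# The message names this case directly. $ident is a global
			# left over from the last test_one call and would label
			# the failure with an unrelated test.
			fail "ssh cert connect wrong cert ${kt} ${v} succeeded unexpectedly"
		fi
	done
done
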
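# Remove the throwaway CA and host keys, including the unencrypted private
# keys. ${OBJ:?} aborts if OBJ is unset or empty, so the globs can never be
# expanded relative to "/".
# NOTE(review): sshd_proxy_bak and the modified sshd_proxy are left in place;
# presumably the harness regenerates them for the next test — confirm.
rm -f "${OBJ:?}/known_hosts-cert" "${OBJ:?}"/host_ca_key* \
    "${OBJ:?}"/cert_host_key*
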