cert-hostkey.sh revision 218767
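#	$OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $
#	Placed in the Public Domain.

# Regression test for SSH host certificates: checks that the client accepts
# host keys certified by a CA listed in known_hosts and rejects revoked,
# mis-signed or otherwise unacceptable certificates.
#
# This script uses but does not define: fail, verbose, echon, ${SSH},
# ${SSHKEYGEN}, $OBJ, $TEST_SSH_ECC and $USER. They are presumably supplied
# by the harness that runs it -- confirm against the harness.

tid="certified host keys"

# used to disable ECC based tests on platforms without ECC
ecdsa=""
if test "x$TEST_SSH_ECC" = "xyes"; then
	ecdsa=ecdsa
fi

# Start from a clean state and keep a pristine copy of the sshd config; each
# test below regenerates sshd_proxy from this backup.
rm -f "$OBJ"/known_hosts-cert "$OBJ"/host_ca_key* "$OBJ"/cert_host_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

HOSTS='localhost-with-alias,127.0.0.1,::1'

# Create a CA key and add it to known hosts
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/host_ca_key" || \
	fail "ssh-keygen of host_ca_key failed"
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"

# Generate and sign host keys
# $ecdsa is left unquoted on purpose: when empty it must expand to no word.
for ktype in rsa dsa $ecdsa ; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate and sign a host key
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f "$OBJ/cert_host_key_${ktype}" || \
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	${SSHKEYGEN} -h -q -s "$OBJ/host_ca_key" \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}" ||
		fail "couldn't sign cert_host_key_${ktype}"
	# v00 ecdsa certs do not exist
	test "${ktype}" = "ecdsa" && continue
	cp "$OBJ/cert_host_key_${ktype}" "$OBJ/cert_host_key_${ktype}_v00"
	cp "$OBJ/cert_host_key_${ktype}.pub" "$OBJ/cert_host_key_${ktype}_v00.pub"
	${SSHKEYGEN} -t v00 -h -q -s "$OBJ/host_ca_key" \
	    -I "regress host key for $USER" \
	    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}_v00" ||
		fail "couldn't sign cert_host_key_${ktype}_v00"
done

# Basic connect tests
# Positive case: a certificate signed by the trusted CA must be accepted,
# with privilege separation both on and off.
for privsep in yes no ; do
	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "HostKey $OBJ/cert_host_key_${ktype}"
			echo "HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
		    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
			-F "$OBJ/ssh_proxy" somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Revoked certificates with key present
# The CA stays trusted, but every host key is also listed as @revoked for all
# hosts ("*"). The connection must fail: revocation has to override CA trust.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
	echon '@revoked '
	echon "* "
	cat "$OBJ/cert_host_key_rsa.pub"
	if test "x$TEST_SSH_ECC" = "xyes"; then
		echon '@revoked '
		echon "* "
		cat "$OBJ/cert_host_key_ecdsa.pub"
	fi
	echon '@revoked '
	echon "* "
	cat "$OBJ/cert_host_key_dsa.pub"
	echon '@revoked '
	echon "* "
	cat "$OBJ/cert_host_key_rsa_v00.pub"
	echon '@revoked '
	echon "* "
	cat "$OBJ/cert_host_key_dsa_v00.pub"
) > "$OBJ/known_hosts-cert"
for privsep in yes no ; do
	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "HostKey $OBJ/cert_host_key_${ktype}"
			echo "HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
		    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
			-F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done

# Revoked CA
# The same CA key is listed both as @cert-authority and as @revoked, so every
# certificate it issued must be rejected.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
	echon '@revoked '
	echon "* "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
	verbose "$tid: host ${ktype} revoked cert"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "HostKey $OBJ/cert_host_key_${ktype}"
		echo "HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub"
	) > "$OBJ/sshd_proxy"
	${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
	    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
		-F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done

# Restore known_hosts to trust the existing CA with no revocation entries
# (no new CA key is generated here).
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"

# test_one ident result sign_opts
#   Re-sign the rsa and rsa_v00 host keys with the given ssh-keygen options,
#   then check whether a connection succeeds.
#   $1 ident     - label used in log and failure messages
#   $2 result    - "success" if the connection must succeed; anything else
#                  means it must fail
#   $3 sign_opts - extra ssh-keygen signing options, as one space-separated
#                  string
#   ident, result, sign_opts, kt, args and rc are plain globals and keep
#   their last values after the function returns.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00 ; do
		case $kt in
		*_v00) args="-t v00" ;;
		*) args="" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		# $sign_opts and $args are deliberately unquoted: each holds
		# several ssh-keygen arguments that must be split into words.
		${SSHKEYGEN} -q -s "$OBJ/host_ca_key" \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    "$OBJ/cert_host_key_${kt}" ||
			fail "couldn't sign cert_host_key_${kt}"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "HostKey $OBJ/cert_host_key_${kt}"
			echo "HostCertificate $OBJ/cert_host_key_${kt}-cert.pub"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
		    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		rc=$?
		if [ "x$result" = "xsuccess" ] ; then
			if [ "$rc" -ne 0 ]; then
				fail "ssh cert connect $ident failed unexpectedly"
			fi
		else
			if [ "$rc" -eq 0 ]; then
				fail "ssh cert connect $ident succeeded unexpectedly"
			fi
		fi
	done
}

# Signed without -h, i.e. as a user certificate: must not be accepted as a
# host certificate.
test_one "user-certificate"	failure "-n $HOSTS"
# A host certificate with no principals is expected to be accepted.
test_one "empty principals"	success "-h"
test_one "wrong principals"	failure "-h -n foo"
# NOTE(review): this absolute window opens on 2020-01-01, so the case only
# exercises "not yet valid" when the test runs before that date.
test_one "cert not yet valid"	failure "-h -V20200101:20300101"
test_one "cert expired"		failure "-h -V19800101:19900101"
test_one "cert valid interval"	success "-h -V-1w:+2w"
# A host certificate carrying a force-command option is expected to be
# rejected.
test_one "cert has constraints"	failure "-h -Oforce-command=false"

# Check downgrade of cert to raw key when no CA found
# known_hosts lists the plain public key (no @cert-authority line) while the
# server still offers the certificate; the connection is expected to succeed.
for v in v01 v00 ; do
	for ktype in rsa dsa $ecdsa ; do
		# v00 ecdsa certs do not exist.
		test "${v}${ktype}" = "v00ecdsa" && continue
		rm -f "$OBJ"/known_hosts-cert "$OBJ"/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate and sign a host key
		${SSHKEYGEN} -q -N '' -t ${ktype} \
		    -f "$OBJ/cert_host_key_${ktype}" || \
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t ${v} -h -q -s "$OBJ/host_ca_key" \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ/cert_host_key_${ktype}" ||
			fail "couldn't sign cert_host_key_${ktype}"
		(
			echon "$HOSTS "
			cat "$OBJ/cert_host_key_${ktype}.pub"
		) > "$OBJ/known_hosts-cert"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "HostKey $OBJ/cert_host_key_${ktype}"
			echo "HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
		    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
			-F "$OBJ/ssh_proxy" somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Wrong certificate
# known_hosts trusts only the CA, but each host key is signed with itself.
# The client must refuse a certificate that the trusted CA did not issue.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat "$OBJ/host_ca_key.pub"
) > "$OBJ/known_hosts-cert"
for v in v01 v00 ; do
	for kt in rsa dsa $ecdsa ; do
		# v00 ecdsa certs do not exist.
		# Compare against kt, this loop's variable. ktype still holds
		# the last value from the downgrade loop above ("ecdsa" when
		# ECC is enabled), which would skip every v00 case here and
		# silently drop negative-test coverage.
		test "${v}${kt}" = "v00ecdsa" && continue
		rm -f "$OBJ"/cert_host_key*
		# Self-sign key
		${SSHKEYGEN} -q -N '' -t ${kt} \
		    -f "$OBJ/cert_host_key_${kt}" || \
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t ${v} -h -q -s "$OBJ/cert_host_key_${kt}" \
		    -I "regress host key for $USER" \
		    -n "$HOSTS" "$OBJ/cert_host_key_${kt}" ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} connect wrong cert"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "HostKey $OBJ/cert_host_key_${kt}"
			echo "HostCertificate $OBJ/cert_host_key_${kt}-cert.pub"
		) > "$OBJ/sshd_proxy"

		${SSH} -2 "-oUserKnownHostsFile=$OBJ/known_hosts-cert" \
		    "-oGlobalKnownHostsFile=$OBJ/known_hosts-cert" \
			-F "$OBJ/ssh_proxy" -q somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			# Name the case directly: $ident here would be a stale
			# label left behind by the last test_one call.
			fail "ssh cert connect wrong cert ${kt} ${v} succeeded unexpectedly"
		fi
	done
done

rm -f "$OBJ"/known_hosts-cert "$OBJ"/host_ca_key* "$OBJ"/cert_host_key*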