cert-userkey.sh revision 1.4
1#	$OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2#	Placed in the Public Domain.
3
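tid="certified user keys"

# Start from a clean slate so CA keys or certificates left over from an
# earlier run cannot influence the checks below. The globs stay outside the
# quotes so they still expand.
rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*

# basic_tests and test_one rebuild sshd_proxy from this backup. Their negative
# checks accept any ssh failure as the expected outcome, so a failed backup
# has to be reported here; otherwise a broken server config would look like a
# correctly rejected certificate.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak" ||
	fail "couldn't back up sshd_proxy"

# Create a CA key (empty passphrase: the key exists only for this test run)
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/user_ca_key" ||
	fail "ssh-keygen of user_ca_key failed"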
12
# Generate one user key per key type and certify it twice with the user CA:
# once without -t, and once with "-t v00" on a copy kept under a separate
# *_v00 file name. Both certificates name $USER as their only principal.
for ktype in rsa dsa
do
	verbose "$tid: sign user ${ktype} cert"

	# Fresh key pair with an empty passphrase.
	if ! ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_user_key_${ktype}
	then
		fail "ssh-keygen of cert_user_key_${ktype} failed"
	fi

	# Certificate signed by the user CA, without -t.
	if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
	    -I "regress user key for $USER" -n $USER \
	    $OBJ/cert_user_key_${ktype}
	then
		fail "couldn't sign cert_user_key_${ktype}"
	fi

	# Duplicate the key pair so the v00 certificate gets its own files.
	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00

	# Same CA, identity and principal, but signed with "-t v00".
	if ! ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key \
	    -I "regress user key for $USER" -n $USER \
	    $OBJ/cert_user_key_${ktype}_v00
	then
		fail "couldn't sign cert_user_key_${ktype}_v00"
	fi
done
30
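# Run the core certificate checks against one way of trusting the user CA.
#
# Arguments: $1 - "authorized_keys" to list the CA in the user's
#                 authorized_keys file with the cert-authority option; any
#                 other value configures the CA through TrustedUserCAKeys.
# Globals:   reads OBJ, USER, SSH, tid; sets auth, extra_sshd, ktype,
#            privsep and _prefix (the shell has no locals here).
# Files:     rewrites $OBJ/authorized_keys_$USER and $OBJ/sshd_proxy.
# Checks:    a valid certificate connects; a revoked user key, a revoked CA
#            key and the bare CA key itself must all be refused.
#
# NOTE(review): the negative checks discard ssh's output and accept any
# non-zero exit status as "refused". A connection that fails for an unrelated
# reason (for example a broken sshd_proxy) therefore also passes; only the
# preceding positive connect shows the setup works at all.
basic_tests() {
	auth=$1
	if test "x$auth" = "xauthorized_keys" ; then
		# Add CA to authorized_keys. printf is used because "echo -n"
		# is not portable: a shell that prints "-n" literally would
		# corrupt the cert-authority line.
		(
			printf 'cert-authority '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		# Reset explicitly so a TrustedUserCAKeys line from an
		# earlier call cannot leak into this mode's sshd config.
		extra_sshd=""
	else
		echo > "$OBJ/authorized_keys_$USER"
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi

	for ktype in rsa dsa rsa_v00 dsa_v00 ; do
		for privsep in yes no ; do
			_prefix="${ktype} privsep $privsep $auth"
			# Simple connect
			verbose "$tid: ${_prefix} connect"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"

			# Output is left visible so a failure can be diagnosed.
			if ! ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true ; then
				fail "ssh cert connect failed"
			fi

			# Revoked keys: the user's own public key is listed in
			# RevokedKeys, so its certificate must be refused.
			verbose "$tid: ${_prefix} revoked key"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"
			if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
			then
				fail "ssh cert connect succeeded unexpectedly"
			fi
		done

		# Revoked CA: revoking the signing key must invalidate every
		# certificate it issued.
		verbose "$tid: ${ktype} $auth revoked CA key"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "RevokedKeys $OBJ/user_ca_key.pub"
			echo "$extra_sshd"
		) > "$OBJ/sshd_proxy"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
		    somehost true >/dev/null 2>&1 ; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done

	# Trusting a key as a CA must not make that key usable for login.
	verbose "$tid: $auth CA does not authenticate"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "$extra_sshd"
	) > "$OBJ/sshd_proxy"
	verbose "$tid: ensure CA key does not authenticate user"
	if ${SSH} -2i "$OBJ/user_ca_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ; then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}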
102
# Run the core checks once per CA trust mechanism, in the same order as the
# original listing: authorized_keys first, then TrustedUserCAKeys.
for auth_mode in authorized_keys TrustedUserCAKeys
do
	basic_tests $auth_mode
done
105
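# Re-sign the RSA user keys with the given ssh-keygen options and check
# whether a login with the resulting certificate has the expected outcome.
#
# Arguments: $1 - label used in progress and failure messages
#            $2 - "success" if the login must work; any other value means
#                 it must fail
#            $3 - extra ssh-keygen signing options (word-split on purpose)
#            $4 - optional space-separated list of trust mechanisms to test;
#                 defaults to "authorized_keys TrustedUserCAKeys"
# Globals:   reads OBJ, USER, SSH, SSHKEYGEN, tid; sets ident, result,
#            sign_opts, auth_choice, auth, ktype, keyv and rc.
# Files:     rewrites $OBJ/sshd_proxy and $OBJ/authorized_keys_$USER and
#            re-signs the certificates of cert_user_key_rsa and
#            cert_user_key_rsa_v00.
#
# NOTE(review): for an expected failure any non-zero ssh exit status counts,
# and ssh's output is discarded, so the check cannot tell a rejected
# certificate from an unrelated connection problem.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	# auth_choice is a list; it is deliberately left unquoted.
	for auth in $auth_choice ; do
		for ktype in rsa rsa_v00 ; do
			# Sign the *_v00 key as a v00 certificate, as the
			# initial signing and the wrong-certificate loop do.
			# Without this the rsa_v00 pass re-signs the key in
			# the default format and the v00 code path is never
			# exercised with these options.
			case $ktype in
			*_v00) keyv="-t v00" ;;
			*) keyv="" ;;
			esac

			cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
			if test "x$auth" = "xauthorized_keys" ; then
				# Add CA to authorized_keys (printf because
				# "echo -n" is not portable).
				(
					printf 'cert-authority '
					cat "$OBJ/user_ca_key.pub"
				) > "$OBJ/authorized_keys_$USER"
			else
				echo > "$OBJ/authorized_keys_$USER"
				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				    >> "$OBJ/sshd_proxy"
			fi

			verbose "$tid: $ident auth $auth expect $result $ktype"
			# sign_opts and keyv each hold several words and must
			# be split, so they stay unquoted.
			${SSHKEYGEN} -q -s "$OBJ/user_ca_key" \
			    -I "regress user key for $USER" \
			    $sign_opts $keyv \
			    "$OBJ/cert_user_key_${ktype}" ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
			rc=$?
			if [ "x$result" = "xsuccess" ] ; then
				if [ $rc -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
			else
				if [ $rc -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
			fi
		done
	done
}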
154
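# Each call re-signs the RSA user keys with the options in the third argument
# and states whether the login is then expected to work.
test_one "correct principal"	success "-n ${USER}"
test_one "host-certificate"	failure "-n ${USER} -h"
test_one "wrong principals"	failure "-n foo"

# A fixed validity window only stays "not yet valid" until its start date
# passes; after that the certificate is simply valid and this negative test
# stops testing anything. Derive a window that always lies in the future
# (1 January of next year until 1 January of the year after).
notyet_from=$(( $(date +%Y) + 1 ))
notyet_to=$(( notyet_from + 1 ))
test_one "cert not yet valid"	failure \
    "-n ${USER} -V${notyet_from}0101:${notyet_to}0101"
test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
# NOTE(review): presumably "failure" here comes from the forced command
# "false" replacing the requested "true" and exiting non-zero, not from the
# login being refused - confirm against sshd's behaviour.
test_one "force-command"	failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals"	success "" authorized_keys
test_one "empty principals"	failure "" TrustedUserCAKeys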
167
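# Wrong certificate: a certificate whose signer is not the trusted user CA
# must be refused even though its principal matches $USER.
#
# The server state is whatever the last test_one call left behind; with the
# calls in this listing that is the TrustedUserCAKeys configuration with an
# authorized_keys file that holds no key.
for ktype in rsa dsa rsa_v00 dsa_v00 ; do
	case $ktype in
	*_v00) args="-t v00" ;;
	*) args="" ;;
	esac
	# Self-sign: the user key acts as its own CA. $args is left unquoted so
	# "-t v00" splits into two words and an empty value disappears.
	${SSHKEYGEN} $args -q -s "$OBJ/cert_user_key_${ktype}" -I \
	    "regress user key for $USER" \
	    -n "$USER" "$OBJ/cert_user_key_${ktype}" ||
		fail "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	# Any non-zero exit counts as "refused"; ssh's output is discarded.
	if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
	    somehost true >/dev/null 2>&1 ; then
		# Name the key type: $ident would still hold the label of the
		# last test_one call and point at the wrong test.
		fail "ssh cert connect ${ktype} wrong cert succeeded unexpectedly"
	fi
done

# Remove the CA and user key material generated by this test. The globs stay
# outside the quotes so they still expand.
rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*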
188
189