cert-userkey.sh revision 1.5 
1#	$OpenBSD: cert-userkey.sh,v 1.5 2010/05/07 11:31:26 djm Exp $
2#	Placed in the Public Domain.
3
4tid="certified user keys"
5
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9# Create a CA key
10${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
11	fail "ssh-keygen of user_ca_key failed"
12
13# Generate and sign user keys
14for ktype in rsa dsa ; do 
15	verbose "$tid: sign user ${ktype} cert"
16	${SSHKEYGEN} -q -N '' -t ${ktype} \
17	    -f $OBJ/cert_user_key_${ktype} || \
18		fail "ssh-keygen of cert_user_key_${ktype} failed"
19	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
20	    "regress user key for $USER" \
21	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
22		fail "couldn't sign cert_user_key_${ktype}"
23	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26	    "regress user key for $USER" \
27	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
28		fail "couldn't sign cert_user_key_${ktype}_v00"
29done
30
31# Test explicitly-specified principals
32for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
33	for privsep in yes no ; do
34		_prefix="${ktype} privsep $privsep"
35
36		# Setup for AuthorizedPrincipalsFile
37		rm -f $OBJ/authorized_keys_$USER
38		(
39			cat $OBJ/sshd_proxy_bak
40			echo "UsePrivilegeSeparation $privsep"
41			echo "AuthorizedPrincipalsFile " \
42			    "$OBJ/authorized_principals_%u"
43			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
44		) > $OBJ/sshd_proxy
45
46		# Missing authorized_principals
47		verbose "$tid: ${_prefix} missing authorized_principals"
48		rm -f $OBJ/authorized_principals_$USER
49		${SSH} -2i $OBJ/cert_user_key_${ktype} \
50		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
51		if [ $? -eq 0 ]; then
52			fail "ssh cert connect succeeded unexpectedly"
53		fi
54
55		# Empty authorized_principals
56		verbose "$tid: ${_prefix} empty authorized_principals"
57		echo > $OBJ/authorized_principals_$USER
58		${SSH} -2i $OBJ/cert_user_key_${ktype} \
59		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
60		if [ $? -eq 0 ]; then
61			fail "ssh cert connect succeeded unexpectedly"
62		fi
63	
64		# Wrong authorized_principals
65		verbose "$tid: ${_prefix} wrong authorized_principals"
66		echo gregorsamsa > $OBJ/authorized_principals_$USER
67		${SSH} -2i $OBJ/cert_user_key_${ktype} \
68		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
69		if [ $? -eq 0 ]; then
70			fail "ssh cert connect succeeded unexpectedly"
71		fi
72
73		# Correct authorized_principals
74		verbose "$tid: ${_prefix} correct authorized_principals"
75		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
76		${SSH} -2i $OBJ/cert_user_key_${ktype} \
77		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78		if [ $? -ne 0 ]; then
79			fail "ssh cert connect failed"
80		fi
81
82		# Setup for principals= key option
83		rm -f $OBJ/authorized_principals_$USER
84		(
85			cat $OBJ/sshd_proxy_bak
86			echo "UsePrivilegeSeparation $privsep"
87		) > $OBJ/sshd_proxy
88
89		# Wrong principals list
90		verbose "$tid: ${_prefix} wrong principals key option"
91		(
92			echo -n 'cert-authority,principals="gregorsamsa" '
93			cat $OBJ/user_ca_key.pub
94		) > $OBJ/authorized_keys_$USER
95		${SSH} -2i $OBJ/cert_user_key_${ktype} \
96		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
97		if [ $? -eq 0 ]; then
98			fail "ssh cert connect succeeded unexpectedly"
99		fi
100
101		# Correct principals list
102		verbose "$tid: ${_prefix} correct principals key option"
103		(
104			echo -n 'cert-authority,principals="mekmitasdigoat" '
105			cat $OBJ/user_ca_key.pub
106		) > $OBJ/authorized_keys_$USER
107		${SSH} -2i $OBJ/cert_user_key_${ktype} \
108		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
109		if [ $? -ne 0 ]; then
110			fail "ssh cert connect failed"
111		fi
112	done
113done
114
115basic_tests() {
116	auth=$1
117	if test "x$auth" = "xauthorized_keys" ; then
118		# Add CA to authorized_keys
119		(
120			echo -n 'cert-authority '
121			cat $OBJ/user_ca_key.pub
122		) > $OBJ/authorized_keys_$USER
123	else
124		echo > $OBJ/authorized_keys_$USER
125		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
126	fi
127	
128	for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
129		for privsep in yes no ; do
130			_prefix="${ktype} privsep $privsep $auth"
131			# Simple connect
132			verbose "$tid: ${_prefix} connect"
133			(
134				cat $OBJ/sshd_proxy_bak
135				echo "UsePrivilegeSeparation $privsep"
136				echo "$extra_sshd"
137			) > $OBJ/sshd_proxy
138	
139			${SSH} -2i $OBJ/cert_user_key_${ktype} \
140			    -F $OBJ/ssh_proxy somehost true
141			if [ $? -ne 0 ]; then
142				fail "ssh cert connect failed"
143			fi
144
145			# Revoked keys
146			verbose "$tid: ${_prefix} revoked key"
147			(
148				cat $OBJ/sshd_proxy_bak
149				echo "UsePrivilegeSeparation $privsep"
150				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
151				echo "$extra_sshd"
152			) > $OBJ/sshd_proxy
153			${SSH} -2i $OBJ/cert_user_key_${ktype} \
154			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
155			if [ $? -eq 0 ]; then
156				fail "ssh cert connect succeeded unexpecedly"
157			fi
158		done
159	
160		# Revoked CA
161		verbose "$tid: ${ktype} $auth revoked CA key"
162		(
163			cat $OBJ/sshd_proxy_bak
164			echo "RevokedKeys $OBJ/user_ca_key.pub"
165			echo "$extra_sshd"
166		) > $OBJ/sshd_proxy
167		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
168		    somehost true >/dev/null 2>&1
169		if [ $? -eq 0 ]; then
170			fail "ssh cert connect succeeded unexpecedly"
171		fi
172	done
173	
174	verbose "$tid: $auth CA does not authenticate"
175	(
176		cat $OBJ/sshd_proxy_bak
177		echo "$extra_sshd"
178	) > $OBJ/sshd_proxy
179	verbose "$tid: ensure CA key does not authenticate user"
180	${SSH} -2i $OBJ/user_ca_key \
181	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
182	if [ $? -eq 0 ]; then
183		fail "ssh cert connect with CA key succeeded unexpectedly"
184	fi
185}
186
187basic_tests authorized_keys
188basic_tests TrustedUserCAKeys
189
190test_one() {
191	ident=$1
192	result=$2
193	sign_opts=$3
194	auth_choice=$4
195	auth_opt=$5
196
197	if test "x$auth_choice" = "x" ; then
198		auth_choice="authorized_keys TrustedUserCAKeys"
199	fi
200
201	for auth in $auth_choice ; do
202		for ktype in rsa rsa_v00 ; do
203			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
204			if test "x$auth" = "xauthorized_keys" ; then
205				# Add CA to authorized_keys
206				(
207					echo -n "cert-authority${auth_opt} "
208					cat $OBJ/user_ca_key.pub
209				) > $OBJ/authorized_keys_$USER
210			else
211				echo > $OBJ/authorized_keys_$USER
212				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
213				    >> $OBJ/sshd_proxy
214				if test "x$auth_opt" != "x" ; then
215					echo $auth_opt >> $OBJ/sshd_proxy
216				fi
217			fi
218			
219			verbose "$tid: $ident auth $auth expect $result $ktype"
220			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
221			    -I "regress user key for $USER" \
222			    $sign_opts \
223			    $OBJ/cert_user_key_${ktype} ||
224				fail "couldn't sign cert_user_key_${ktype}"
225
226			${SSH} -2i $OBJ/cert_user_key_${ktype} \
227			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
228			rc=$?
229			if [ "x$result" = "xsuccess" ] ; then
230				if [ $rc -ne 0 ]; then
231					fail "$ident failed unexpectedly"
232				fi
233			else
234				if [ $rc -eq 0 ]; then
235					fail "$ident succeeded unexpectedly"
236				fi
237			fi
238		done
239	done
240}
241
242test_one "correct principal"	success "-n ${USER}"
243test_one "host-certificate"	failure "-n ${USER} -h"
244test_one "wrong principals"	failure "-n foo"
245test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
246test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
247test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
248test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
249test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
250
251# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
252test_one "empty principals"	success "" authorized_keys
253test_one "empty principals"	failure "" TrustedUserCAKeys
254
255# Check explicitly-specified principals: an empty principals list in the cert
256# should always be refused.
257
258# AuthorizedPrincipalsFile
259rm -f $OBJ/authorized_keys_$USER
260echo mekmitasdigoat > $OBJ/authorized_principals_$USER
261test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
262    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
263test_one "AuthorizedPrincipalsFile no principals" failure "" \
264    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
265
266# principals= key option
267rm -f $OBJ/authorized_principals_$USER
268test_one "principals key option principals" success "-n mekmitasdigoat" \
269    authorized_keys ',principals="mekmitasdigoat"'
270test_one "principals key option no principals" failure "" \
271    authorized_keys ',principals="mekmitasdigoat"'
272
273# Wrong certificate
274cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
275for ktype in rsa dsa rsa_v00 dsa_v00 ; do 
276	case $ktype in
277	*_v00) args="-t v00" ;;
278	*) args="" ;;
279	esac
280	# Self-sign
281	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
282	    "regress user key for $USER" \
283	    -n $USER $OBJ/cert_user_key_${ktype} ||
284		fail "couldn't sign cert_user_key_${ktype}"
285	verbose "$tid: user ${ktype} connect wrong cert"
286	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
287	    somehost true >/dev/null 2>&1
288	if [ $? -eq 0 ]; then
289		fail "ssh cert connect $ident succeeded unexpectedly"
290	fi
291done
292
293rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
294rm -f $OBJ/authorized_principals_$USER
295
296