sshsig.sh revision 1.1 
1#	$OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
16	|| fatal "couldn't generate key"
17WRONG=$OBJ/wrong-key.pub
18
19# Make a CA key.
20${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
21	|| fatal "couldn't generate key"
22CA_PRIV=$OBJ/sigca-key
23CA_PUB=$OBJ/sigca-key.pub
24
25SIGNKEYS="$SSH_KEYTYPES"
26verbose "$tid: make certificates"
27for t in $SSH_KEYTYPES ; do
28	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
29	    -I "regress signature key for $USER" \
30	    -n $sig_principal $OBJ/${t} || \
31		fatal "couldn't sign ${t}"
32	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
33done
34
35for t in $SIGNKEYS; do
36	verbose "$tid: check signature for $t"
37	keybase=`basename $t .pub`
38	sigfile=${OBJ}/sshsig-${keybase}.sig
39	pubkey=${OBJ}/${keybase}.pub
40
41	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
42		< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
43
44	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
45	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
46		-I $sig_principal -f $OBJ/allowed_signers \
47		< $DATA >/dev/null 2>&1 || \
48		fail "failed signature for $t key"
49
50	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
51	 cat $pubkey) > $OBJ/allowed_signers
52	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
53		-I $sig_principal -f $OBJ/allowed_signers \
54		< $DATA >/dev/null 2>&1 || \
55		fail "failed signature for $t key w/ limited namespace"
56
57	# Invalid option
58	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
59	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
60		-I $sig_principal -f $OBJ/allowed_signers \
61		< $DATA >/dev/null 2>&1 && \
62		fail "accepted signature for $t key with bad signers option"
63
64	# Wrong key trusted.
65	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
66	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
67		-I $sig_principal -f $OBJ/allowed_signers \
68		< $DATA >/dev/null 2>&1 && \
69		fail "accepted signature for $t key with wrong key trusted"
70
71	# incorrect data
72	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
73	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
74		-I $sig_principal -f $OBJ/allowed_signers \
75		< $DATA2 >/dev/null 2>&1 && \
76		fail "passed signature for wrong data with $t key"
77
78	# wrong principal in signers
79	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
80	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
81		-I $sig_principal -f $OBJ/allowed_signers \
82		< $DATA >/dev/null 2>&1 && \
83		fail "accepted signature for $t key with wrong principal"
84
85	# wrong namespace
86	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
87	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
88		-I $sig_principal -f $OBJ/allowed_signers \
89		< $DATA >/dev/null 2>&1 && \
90		fail "accepted signature for $t key with wrong namespace"
91
92	# namespace excluded by option
93	(printf "$sig_principal namespaces=\"whatever\" " ;
94	 cat $pubkey) > $OBJ/allowed_signers
95	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
96		-I $sig_principal -f $OBJ/allowed_signers \
97		< $DATA >/dev/null 2>&1 && \
98		fail "accepted signature for $t key with excluded namespace"
99
100	# Remaining tests are for certificates only.
101	case "$keybase" in
102		*-cert) ;;
103		*) continue ;;
104	esac
105
106	# correct CA key
107	(printf "$sig_principal cert-authority " ;
108	 cat $CA_PUB) > $OBJ/allowed_signers
109	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
110		-I $sig_principal -f $OBJ/allowed_signers \
111		< $DATA >/dev/null 2>&1 || \
112		fail "failed signature for $t cert"
113
114	# signing key listed as cert-authority
115	(printf "$sig_principal cert-authority" ;
116	 cat $pubkey) > $OBJ/allowed_signers
117	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
118		-I $sig_principal -f $OBJ/allowed_signers \
119		< $DATA >/dev/null 2>&1 && \
120		fail "accepted signature with $t key listed as CA"
121
122	# CA key not flagged cert-authority
123	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
124	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
125		-I $sig_principal -f $OBJ/allowed_signers \
126		< $DATA >/dev/null 2>&1 && \
127		fail "accepted signature for $t cert with CA not marked"
128
129	# mismatch between cert principal and file
130	(printf "josef.k@example.com cert-authority" ;
131	 cat $CA_PUB) > $OBJ/allowed_signers
132	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
133		-I $sig_principal -f $OBJ/allowed_signers \
134		< $DATA >/dev/null 2>&1 && \
135		fail "accepted signature for $t cert with wrong principal"
136done
137
138# XXX test keys in agent.
139# XXX test revocation
140
141