sshsig.sh revision 1.3
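#	$OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
#	Placed in the Public Domain.

# Regression test for ssh-keygen -Y sign / verify / check-novalidate.
# Relies on names this file does not define (OBJ, DATA, DATANAME, and later
# SSHKEYGEN, SSHAGENT, SSHADD, SSH_KEYTYPES, fatal, fail, verbose, trace);
# presumably they come from the regress harness that runs it -- confirm.

tid="sshsig"

# Abort rather than let the paths below collapse to "/..." when OBJ is
# unset or empty; the rm -f further down would otherwise glob in /.
: "${OBJ:?OBJ must be set}"

# Second payload: DATA concatenated with itself. Whenever DATA is non-empty
# it differs from DATA, so a signature made over DATA must not verify on it.
DATA2="$OBJ/${DATANAME}.2"
cat "${DATA}" "${DATA}" > "${DATA2}"

# Clear artifacts left behind by an earlier run. The directory part is
# quoted so only the intended suffix patterns are glob-expanded.
rm -f "$OBJ"/sshsig-*.sig "$OBJ"/wrong-key* "$OBJ"/sigca-key*

# The shell PID makes the namespace and principal unique per run.
sig_namespace="test-$$"
sig_principal="user-$$@example.com"
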
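# Make a "wrong key": a key that never signs anything in this test. It is
# written to allowed_signers / revoked_keys further down in the cases where
# the real signing key must be the one that is missing.
# -N '' leaves the private key unencrypted; these are throwaway test keys
# kept under $OBJ. Paths are quoted so each is passed as a single argument.
${SSHKEYGEN} -t ed25519 -f "$OBJ/wrong-key" -C "wrong trousers, Grommit" \
	-N '' || fatal "couldn't generate key"
WRONG="$OBJ/wrong-key.pub"

# Make a CA key. It certifies the per-type signing keys later on.
${SSHKEYGEN} -t ed25519 -f "$OBJ/sigca-key" -C "CA" -N '' \
	|| fatal "couldn't generate key"
CA_PRIV="$OBJ/sigca-key"
CA_PUB="$OBJ/sigca-key.pub"
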
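trace "start agent"
# Capture the agent's output first so that r is ssh-agent's own exit status.
# Reading $? after "eval `ssh-agent ...`" reports the status of the evaluated
# text instead, and an agent that fails without printing anything leaves
# eval with nothing to run, so the failure check below could not fire.
# EXTRA_AGENT_ARGS stays unquoted on purpose: it may hold several words.
agent_env=$(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s)
r=$?
if [ "$r" -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi
# Import the agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID) so that the
# ssh-add and ssh-keygen calls later in this file talk to this agent.
eval "$agent_env" > /dev/null
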
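# SIGNKEYS starts as the plain key types and gains one "<type>-cert.pub"
# entry per certificate issued below.
SIGNKEYS="$SSH_KEYTYPES"
verbose "$tid: make certificates"
# SSH_KEYTYPES is a whitespace-separated list: leave it unquoted to split.
for t in $SSH_KEYTYPES ; do
	# Certify $OBJ/$t with the CA key: serial number is the shell PID,
	# the only principal is $sig_principal. Path and principal are
	# quoted so each reaches ssh-keygen as exactly one argument.
	${SSHKEYGEN} -q -s "$CA_PRIV" -z $$ \
	    -I "regress signature key for $USER" \
	    -n "$sig_principal" "$OBJ/${t}" || \
		fatal "couldn't sign ${t}"
	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
done
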
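# For every plain key and every certificate: sign DATA, then check that
# verification succeeds only when allowed_signers, namespace, principal,
# data and revocation state all line up.
#
# Conventions in the loop body:
#  - "|| fail" marks a case that must verify, "&& fail" one that must not.
#  - Each allowed_signers line is "<principal> [options] <key>". The
#    principal is passed to printf as an argument, never as the format
#    string, so '%' or '\' in it cannot change what is written.
#  - Every negative case should differ from a passing case in exactly one
#    respect, otherwise it can pass for the wrong reason.
for t in $SIGNKEYS; do
	verbose "$tid: check signature for $t"
	keybase=$(basename "$t" .pub)
	privkey="${OBJ}/$(basename "$t" -cert.pub)"
	sigfile="${OBJ}/sshsig-${keybase}.sig"
	sigfile_agent="${OBJ}/sshsig-agent-${keybase}.sig"
	pubkey="${OBJ}/${keybase}.pub"

	${SSHKEYGEN} -vvv -Y sign -f "${OBJ}/$t" -n "$sig_namespace" \
		< "$DATA" > "$sigfile" 2>/dev/null || fail "sign using $t failed"

	# Baseline: principal mapped to the signing key, no options.
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t key"

	# namespaces= option that includes the namespace in use.
	(printf '%s namespaces="%s,whatever" ' \
	    "$sig_principal" "$sig_namespace" ;
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t key w/ limited namespace"

	# Invalid option
	(printf '%s octopus ' "$sig_principal" ; cat "$pubkey") \
		> "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with bad signers option"

	# Wrong key trusted.
	(printf '%s ' "$sig_principal" ; cat "$WRONG") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong key trusted"

	# incorrect data
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA2" >/dev/null 2>&1 && \
		fail "passed signature for wrong data with $t key"

	# wrong principal in signers
	(printf "josef.k@example.com " ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong principal"

	# wrong namespace
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n COWS_COWS_COWS \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong namespace"

	# namespace excluded by option
	(printf '%s namespaces="whatever" ' "$sig_principal" ;
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with excluded namespace"

	# public key in revoked keys file
	# The signers line here is the plain one from the baseline case, so
	# the key is acceptable in every respect except revocation. With the
	# namespaces="whatever" line this case used before, verification was
	# already refused by the namespace restriction (see the case above)
	# and the check held even if -r had no effect at all.
	cat "$pubkey" > "$OBJ/revoked_keys"
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		-r "$OBJ/revoked_keys" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key, but key is in revoked_keys"

	# public key not revoked, but other are present in revoked_keysfile
	cat "$WRONG" > "$OBJ/revoked_keys"
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		-r "$OBJ/revoked_keys" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "couldn't verify signature for $t key, but key not in revoked_keys"

	# check-novalidate with valid data
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile" \
		-n "$sig_namespace" < "$DATA" >/dev/null 2>&1 || \
		fail "failed to check valid signature for $t key"

	# check-novalidate with invalid data
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile" \
		-n "$sig_namespace" < "$DATA2" >/dev/null 2>&1 && \
		fail "sucessfully checked signature for $t key with invalid data"

	# Check signing keys using ssh-agent.
	# NOTE(review): -D deletes every identity from whichever agent
	# SSH_AUTH_SOCK names. That is only safe if it is the throwaway
	# agent started earlier in this script and not a developer's own
	# agent -- confirm the harness never runs this with an inherited
	# SSH_AUTH_SOCK.
	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
	${SSHADD} "${privkey}" > /dev/null 2>&1 || fail "ssh-add failed"

	# Move private key to ensure agent key is used
	mv "${privkey}" "${privkey}.tmp"

	${SSHKEYGEN} -vvv -Y sign -f "$pubkey" -n "$sig_namespace" \
		< "$DATA" > "$sigfile_agent" 2>/dev/null || \
		fail "ssh-agent based sign using $pubkey failed"
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile_agent" \
		-n "$sig_namespace" < "$DATA" >/dev/null 2>&1 || \
		fail "failed to check valid signature for $t key"

	# Move private key back
	mv "${privkey}.tmp" "${privkey}"

	# Remaining tests are for certificates only.
	case "$keybase" in
		*-cert) ;;
		*) continue ;;
	esac


	# correct CA key
	(printf '%s cert-authority ' "$sig_principal" ;
	 cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t cert"

	# signing key listed as cert-authority
	# The space after "cert-authority" matters: without it the option
	# name runs straight into the key type, and the line is then most
	# likely refused as malformed instead of for the reason under test.
	(printf '%s cert-authority ' "$sig_principal" ;
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature with $t key listed as CA"

	# CA key not flagged cert-authority
	(printf '%s ' "$sig_principal" ; cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t cert with CA not marked"

	# mismatch between cert principal and file
	# Same separator fix as above, so that the principal mismatch is the
	# only thing wrong with this otherwise valid cert-authority line.
	(printf "josef.k@example.com cert-authority " ;
	 cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t cert with wrong principal"
done
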
trace "kill agent"
# Shut down the agent this script started; -k acts on the agent named by
# SSH_AGENT_PID. The shell commands it prints are discarded.
${SSHAGENT} -k >/dev/null
