sshsig.sh revision 1.5
#	$OpenBSD: sshsig.sh,v 1.5 2021/07/12 02:12:22 djm Exp $
#	Placed in the Public Domain.
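# Test name; it prefixes the progress messages printed further down.
tid="sshsig"

# DATA2 is the test data concatenated with itself. It serves as the
# "wrong message" that must not verify against a signature made over DATA.
DATA2="$OBJ/${DATANAME}.2"
cat "${DATA}" "${DATA}" > "${DATA2}"

# Remove leftovers from earlier runs so a stale signature or key cannot
# satisfy a later check. ${OBJ:?} aborts the script instead of expanding
# the globs from "/" if OBJ is unset or empty.
rm -f "${OBJ:?}"/sshsig-*.sig "${OBJ:?}"/wrong-key* "${OBJ:?}"/sigca-key*

# Namespace and principal for this run; $$ (the shell's PID) makes them
# differ from one run to the next.
sig_namespace="test-$$"
sig_principal="user-$$@example.com"

# Make a "wrong key": a valid key that never signs anything here. It is used
# later as a trusted-but-unrelated signer and as an unrelated revoked key.
# ${SSHKEYGEN} is left unquoted as in the original script
# (NOTE(review): the harness may define it as a command plus arguments).
${SSHKEYGEN} -q -t ed25519 -f "$OBJ/wrong-key" \
	-C "wrong trousers, Grommit" -N '' \
	|| fatal "couldn't generate key"
WRONG="$OBJ/wrong-key.pub"

# Make a CA key. The private half signs the test certificates; the public
# half goes into allowed_signers for the cert-authority cases.
${SSHKEYGEN} -q -t ed25519 -f "$OBJ/sigca-key" -C "CA" -N '' \
	|| fatal "couldn't generate key"
CA_PRIV="$OBJ/sigca-key"
CA_PUB="$OBJ/sigca-key.pub"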
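trace "start agent"
# Capture the agent's output before evaluating it. "eval" with an empty
# argument returns 0, so checking $? after eval `...` cannot notice that
# ssh-agent itself failed to start and printed nothing.
# ${EXTRA_AGENT_ARGS} is deliberately unquoted so it can expand to zero or
# more separate arguments.
agent_env=`${SSHAGENT} ${EXTRA_AGENT_ARGS} -s`
r=$?
if [ $r -eq 0 ]; then
	# Import the environment settings printed by "ssh-agent -s".
	eval "$agent_env" > /dev/null
	r=$?
fi
if [ $r -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi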
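# SIGNKEYS lists what the verification loop signs with: first every plain
# key type, then (appended below) the certificate issued for each of them.
SIGNKEYS="$SSH_KEYTYPES"
verbose "$tid: make certificates"
# $SSH_KEYTYPES is unquoted on purpose: it is split into one word per type.
for t in $SSH_KEYTYPES ; do
	# Issue a certificate for $OBJ/$t from the test CA, valid for
	# $sig_principal, with the shell's PID as serial number. Paths and the
	# principal are quoted so they are passed as single arguments.
	${SSHKEYGEN} -q -s "$CA_PRIV" -z $$ \
	    -I "regress signature key for $USER" \
	    -n "$sig_principal" "$OBJ/${t}" || \
		fatal "couldn't sign ${t}"
	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
done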
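# Main test matrix. For each entry in $SIGNKEYS (plain keys, then their
# certificates) a signature over $DATA is made and then checked against a
# series of one-line allowed_signers files.
#   - cases joined with "|| fail" must verify;
#   - cases joined with "&& fail" must be rejected.
# A negative case only observes a non-zero exit status (all output is
# discarded), so it cannot tell which check rejected the signature. Each
# negative signers entry should therefore differ from an accepting one in
# exactly one respect.
# Signers lines are written with printf '%s' so the principal and namespace
# are treated as data, never as a printf format string.
# ${SSHKEYGEN} and ${SSHADD} are left unquoted, as in the original script.
for t in $SIGNKEYS; do
	verbose "$tid: check signature for $t"
	# keybase: entry without ".pub"; privkey: the matching private key path
	# (the "-cert.pub" suffix is stripped for certificate entries).
	keybase=`basename "$t" .pub`
	privkey=${OBJ}/`basename "$t" -cert.pub`
	sigfile=${OBJ}/sshsig-${keybase}.sig
	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
	pubkey=${OBJ}/${keybase}.pub

	${SSHKEYGEN} -vvv -Y sign -f "${OBJ}/$t" -n "$sig_namespace" \
		< "$DATA" > "$sigfile" 2>/dev/null || fail "sign using $t failed"

	# Baseline: matching principal, matching key, no options.
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t key"

	# Namespace restriction that includes the namespace in use.
	(printf '%s namespaces="%s,whatever" ' \
	    "$sig_principal" "$sig_namespace";
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t key w/ limited namespace"

	# Invalid option
	(printf '%s octopus ' "$sig_principal" ; cat "$pubkey") \
	    > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with bad signers option"

	# Wrong key trusted.
	(printf '%s ' "$sig_principal" ; cat "$WRONG") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong key trusted"

	# incorrect data
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA2" >/dev/null 2>&1 && \
		fail "passed signature for wrong data with $t key"

	# wrong principal in signers
	(printf "josef.k@example.com " ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong principal"

	# wrong namespace
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n COWS_COWS_COWS \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with wrong namespace"

	# namespace excluded by option
	(printf '%s namespaces="whatever" ' "$sig_principal" ;
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key with excluded namespace"

	# public key in revoked keys file
	# The signers entry here is the baseline one that verifies on its own,
	# so a rejection can only come from the -r revocation check. An entry
	# restricted with namespaces="whatever" would be rejected for the
	# namespace alone and leave revocation untested.
	cat "$pubkey" > "$OBJ/revoked_keys"
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		-r "$OBJ/revoked_keys" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t key, but key is in revoked_keys"

	# public key not revoked, but others are present in revoked_keysfile
	cat "$WRONG" > "$OBJ/revoked_keys"
	(printf '%s ' "$sig_principal" ; cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		-r "$OBJ/revoked_keys" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "couldn't verify signature for $t key, but key not in revoked_keys"

	# check-novalidate with valid data
	# check-novalidate takes no allowed_signers file: it checks the
	# signature itself, not whether the signer is authorised.
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile" -n "$sig_namespace" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed to check valid signature for $t key"

	# check-novalidate with invalid data
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile" -n "$sig_namespace" \
		< "$DATA2" >/dev/null 2>&1 && \
		fail "succeeded checking signature for $t key with invalid data"

	# Check signing keys using ssh-agent.
	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
	${SSHADD} "${privkey}" > /dev/null 2>&1 || fail "ssh-add failed"

	# Move private key to ensure agent key is used
	mv "${privkey}" "${privkey}.tmp"

	# Only the public key (or certificate) is named here; the private half
	# is no longer at its usual path, so signing has to go through the agent.
	${SSHKEYGEN} -vvv -Y sign -f "$pubkey" -n "$sig_namespace" \
		< "$DATA" > "$sigfile_agent" 2>/dev/null || \
		fail "ssh-agent based sign using $pubkey failed"
	${SSHKEYGEN} -vvv -Y check-novalidate -s "$sigfile_agent" \
		-n "$sig_namespace" < "$DATA" >/dev/null 2>&1 || \
		fail "failed to check valid signature for $t key"

	# Move private key back
	mv "${privkey}.tmp" "${privkey}"

	# Remaining tests are for certificates only.
	case "$keybase" in
		*-cert) ;;
		*) continue ;;
	esac

	# From here on $pubkey is the certificate file and $sigfile was made
	# with the certificate.

	# correct CA key
	(printf '%s cert-authority ' "$sig_principal" ;
	 cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 || \
		fail "failed signature for $t cert"

	# signing key listed as cert-authority
	(printf '%s cert-authority ' "$sig_principal" ;
	 cat "$pubkey") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature with $t key listed as CA"

	# CA key not flagged cert-authority
	(printf '%s ' "$sig_principal" ; cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t cert with CA not marked"

	# mismatch between cert principal and file
	(printf "josef.k@example.com cert-authority " ;
	 cat "$CA_PUB") > "$OBJ/allowed_signers"
	${SSHKEYGEN} -vvv -Y verify -s "$sigfile" -n "$sig_namespace" \
		-I "$sig_principal" -f "$OBJ/allowed_signers" \
		< "$DATA" >/dev/null 2>&1 && \
		fail "accepted signature for $t cert with wrong principal"
done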
# Teardown: stop the ssh-agent started earlier in this script. Its stdout is
# discarded and its exit status is not checked.
trace "kill agent"
${SSHAGENT} -k >/dev/null