sshsig.sh revision 1.8
1# $OpenBSD: sshsig.sh,v 1.8 2021/10/29 03:03:06 djm Exp $ 2# Placed in the Public Domain. 3 4tid="sshsig" 5 6DATA2=$OBJ/${DATANAME}.2 7cat ${DATA} ${DATA} > ${DATA2} 8 9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key* 10 11sig_namespace="test-$$" 12sig_principal="user-$$@example.com" 13 14# Make a "wrong key" 15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \ 16 -C "wrong trousers, Grommit" -N '' \ 17 || fatal "couldn't generate key" 18WRONG=$OBJ/wrong-key.pub 19 20# Make a CA key. 21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \ 22 || fatal "couldn't generate key" 23CA_PRIV=$OBJ/sigca-key 24CA_PUB=$OBJ/sigca-key.pub 25 26trace "start agent" 27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null 28r=$? 29if [ $r -ne 0 ]; then 30 fatal "could not start ssh-agent: exit code $r" 31fi 32 33SIGNKEYS="$SSH_KEYTYPES" 34verbose "$tid: make certificates" 35for t in $SSH_KEYTYPES ; do 36 ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \ 37 -I "regress signature key for $USER" \ 38 -V "19840101:19860101" \ 39 -n $sig_principal $OBJ/${t} || \ 40 fatal "couldn't sign ${t}" 41 SIGNKEYS="$SIGNKEYS ${t}-cert.pub" 42done 43 44for t in $SIGNKEYS; do 45 verbose "$tid: check signature for $t" 46 keybase=`basename $t .pub` 47 privkey=${OBJ}/`basename $t -cert.pub` 48 sigfile=${OBJ}/sshsig-${keybase}.sig 49 sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig 50 pubkey=${OBJ}/${keybase}.pub 51 cert=${OBJ}/${keybase}-cert.pub 52 sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig 53 54 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \ 55 < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed" 56 57 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 58 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 59 -I $sig_principal -f $OBJ/allowed_signers \ 60 < $DATA >/dev/null 2>&1 || \ 61 fail "failed signature for $t key" 62 63 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; 64 cat $pubkey) > $OBJ/allowed_signers 65 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 66 -I $sig_principal -f $OBJ/allowed_signers \ 67 < $DATA >/dev/null 2>&1 || \ 68 fail "failed signature for $t key w/ limited namespace" 69 70 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; 71 cat $pubkey) > $OBJ/allowed_signers 72 ${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \ 73 -I $sig_principal -f $OBJ/allowed_signers \ 74 -O print-pubkey \ 75 < $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \ 76 fail "failed signature for $t key w/ print-pubkey" 77 cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub 78 diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \ 79 fail "print-pubkey differs from signature key" 80 81 # Invalid option 82 (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers 83 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 84 -I $sig_principal -f $OBJ/allowed_signers \ 85 < $DATA >/dev/null 2>&1 && \ 86 fail "accepted signature for $t key with bad signers option" 87 88 # Wrong key trusted. 89 (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers 90 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 91 -I $sig_principal -f $OBJ/allowed_signers \ 92 < $DATA >/dev/null 2>&1 && \ 93 fail "accepted signature for $t key with wrong key trusted" 94 95 # incorrect data 96 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 97 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 98 -I $sig_principal -f $OBJ/allowed_signers \ 99 < $DATA2 >/dev/null 2>&1 && \ 100 fail "passed signature for wrong data with $t key" 101 102 # wrong principal in signers 103 (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers 104 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 105 -I $sig_principal -f $OBJ/allowed_signers \ 106 < $DATA >/dev/null 2>&1 && \ 107 fail "accepted signature for $t key with wrong principal" 108 109 # wrong namespace 110 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 111 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \ 112 -I $sig_principal -f $OBJ/allowed_signers \ 113 < $DATA >/dev/null 2>&1 && \ 114 fail "accepted signature for $t key with wrong namespace" 115 116 # namespace excluded by option 117 (printf "$sig_principal namespaces=\"whatever\" " ; 118 cat $pubkey) > $OBJ/allowed_signers 119 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 120 -I $sig_principal -f $OBJ/allowed_signers \ 121 < $DATA >/dev/null 2>&1 && \ 122 fail "accepted signature for $t key with excluded namespace" 123 124 ( printf "$sig_principal " ; 125 printf "valid-after=\"19800101\",valid-before=\"19900101\" " ; 126 cat $pubkey) > $OBJ/allowed_signers 127 128 # key lifespan valid 129 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 130 -I $sig_principal -f $OBJ/allowed_signers \ 131 -Overify-time=19850101 \ 132 < $DATA >/dev/null 2>&1 || \ 133 fail "failed signature for $t key with valid expiry interval" 134 # key not yet valid 135 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 136 -I $sig_principal -f $OBJ/allowed_signers \ 137 -Overify-time=19790101 \ 138 < $DATA >/dev/null 2>&1 && \ 139 fail "failed signature for $t not-yet-valid key" 140 # key expired 141 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 142 -I $sig_principal -f $OBJ/allowed_signers \ 143 -Overify-time=19910101 \ 144 < $DATA >/dev/null 2>&1 && \ 145 fail "failed signature for $t with expired key" 146 # NB. assumes we're not running this test in the 1980s 147 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 148 -I $sig_principal -f $OBJ/allowed_signers \ 149 < $DATA >/dev/null 2>&1 && \ 150 fail "failed signature for $t with expired key" 151 152 # public key in revoked keys file 153 cat $pubkey > $OBJ/revoked_keys 154 (printf "$sig_principal namespaces=\"whatever\" " ; 155 cat $pubkey) > $OBJ/allowed_signers 156 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 157 -I $sig_principal -f $OBJ/allowed_signers \ 158 -r $OBJ/revoked_keys \ 159 < $DATA >/dev/null 2>&1 && \ 160 fail "accepted signature for $t key, but key is in revoked_keys" 161 162 # public key not revoked, but others are present in revoked_keysfile 163 cat $WRONG > $OBJ/revoked_keys 164 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 165 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 166 -I $sig_principal -f $OBJ/allowed_signers \ 167 -r $OBJ/revoked_keys \ 168 < $DATA >/dev/null 2>&1 || \ 169 fail "couldn't verify signature for $t key, but key not in revoked_keys" 170 171 # check-novalidate with valid data 172 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ 173 < $DATA >/dev/null 2>&1 || \ 174 fail "failed to check valid signature for $t key" 175 176 # check-novalidate with invalid data 177 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ 178 < $DATA2 >/dev/null 2>&1 && \ 179 fail "succeeded checking signature for $t key with invalid data" 180 181 # find-principals with valid public key 182 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 183 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \ 184 fail "failed to find valid principals in allowed_signers" 185 186 # find-principals with wrong key not in allowed_signers 187 (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers 188 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \ 189 fail "succeeded finding principal with invalid signers file" 190 191 # Check signing keys using ssh-agent. 192 ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys. 193 ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed" 194 195 # Move private key to ensure agent key is used 196 mv ${privkey} ${privkey}.tmp 197 198 ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \ 199 < $DATA > $sigfile_agent 2>/dev/null || \ 200 fail "ssh-agent based sign using $pubkey failed" 201 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \ 202 -n $sig_namespace < $DATA >/dev/null 2>&1 || \ 203 fail "failed to check valid signature for $t key" 204 205 # Move private key back 206 mv ${privkey}.tmp ${privkey} 207 208 # Remaining tests are for certificates only. 209 case "$keybase" in 210 *-cert) ;; 211 *) continue ;; 212 esac 213 214 215 # correct CA key 216 (printf "$sig_principal cert-authority " ; 217 cat $CA_PUB) > $OBJ/allowed_signers 218 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 219 -I $sig_principal -f $OBJ/allowed_signers \ 220 -Overify-time=19850101 \ 221 < $DATA >/dev/null 2>&1 || \ 222 fail "failed signature for $t cert" 223 224 # signing key listed as cert-authority 225 (printf "$sig_principal cert-authority " ; 226 cat $pubkey) > $OBJ/allowed_signers 227 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 228 -I $sig_principal -f $OBJ/allowed_signers \ 229 < $DATA >/dev/null 2>&1 && \ 230 fail "accepted signature with $t key listed as CA" 231 232 # CA key not flagged cert-authority 233 (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers 234 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 235 -I $sig_principal -f $OBJ/allowed_signers \ 236 < $DATA >/dev/null 2>&1 && \ 237 fail "accepted signature for $t cert with CA not marked" 238 239 # mismatch between cert principal and file 240 (printf "josef.k@example.com cert-authority " ; 241 cat $CA_PUB) > $OBJ/allowed_signers 242 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 243 -I $sig_principal -f $OBJ/allowed_signers \ 244 < $DATA >/dev/null 2>&1 && \ 245 fail "accepted signature for $t cert with wrong principal" 246 247 # Cert valid but CA revoked 248 cat $CA_PUB > $OBJ/revoked_keys 249 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 250 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 251 -I $sig_principal -f $OBJ/allowed_signers \ 252 -r $OBJ/revoked_keys \ 253 < $DATA >/dev/null 2>&1 && \ 254 fail "accepted signature for $t key, but CA key in revoked_keys" 255 256 # Set lifespan of CA key and verify signed user certs behave accordingly 257 ( printf "$sig_principal " ; 258 printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ; 259 cat $CA_PUB) > $OBJ/allowed_signers 260 261 # CA key lifespan valid 262 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 263 -I $sig_principal -f $OBJ/allowed_signers \ 264 -Overify-time=19850101 \ 265 < $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \ 266 fail "failed signature for $t key with valid CA expiry interval" 267 # CA lifespan is valid but user key not yet valid 268 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 269 -I $sig_principal -f $OBJ/allowed_signers \ 270 -Overify-time=19810101 \ 271 < $DATA >/dev/null 2>&1 && \ 272 fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert" 273 # CA lifespan is valid but user key expired 274 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 275 -I $sig_principal -f $OBJ/allowed_signers \ 276 -Overify-time=19890101 \ 277 < $DATA >/dev/null 2>&1 && \ 278 fail "accepted signature for $t key with valid CA expiry interval but expired cert" 279 # CA key not yet valid 280 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 281 -I $sig_principal -f $OBJ/allowed_signers \ 282 -Overify-time=19790101 \ 283 < $DATA >/dev/null 2>&1 && \ 284 fail "accepted signature for $t not-yet-valid CA key" 285 # CA key expired 286 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 287 -I $sig_principal -f $OBJ/allowed_signers \ 288 -Overify-time=19910101 \ 289 < $DATA >/dev/null 2>&1 && \ 290 fail "accepted signature for $t with expired CA key" 291 # NB. assumes we're not running this test in the 1980s 292 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 293 -I $sig_principal -f $OBJ/allowed_signers \ 294 < $DATA >/dev/null 2>&1 && \ 295 fail "accepted signature for $t with expired CA key" 296 297 # Set lifespan of CA outside of the cert validity 298 ( printf "$sig_principal " ; 299 printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ; 300 cat $CA_PUB) > $OBJ/allowed_signers 301 # valid cert validity but expired CA 302 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 303 -I $sig_principal -f $OBJ/allowed_signers \ 304 -Overify-time=19840101 \ 305 < $DATA >/dev/null 2>&1 && \ 306 fail "accepted signature for $t key with expired CA but valid cert" 307 308done 309 310trace "kill agent" 311${SSHAGENT} -k > /dev/null 312 313