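# $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $
# Placed in the Public Domain.
#
# Regression test: user authentication with CA-signed (certified) user keys.
# NOTE(review): verbose, fail and echon, and the OBJ, BUILDDIR, USER, SSH and
# SSHKEYGEN variables, are not defined in this file; presumably the regress
# harness that sources it provides them.

tid="certified user keys"

# used to disable ECC based tests on platforms without ECC
ecdsa=""
if grep "#define.*OPENSSL_HAS_ECC" "${BUILDDIR}/config.h" >/dev/null 2>&1
then
	ecdsa=ecdsa
fi

# Start from a clean slate and keep a pristine copy of the sshd config; every
# test case below rebuilds sshd_proxy from this backup.
rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Create a CA key
# -N '' leaves the CA private key without a passphrase; it is a throwaway
# test key that the script removes again at the end.
# ${SSHKEYGEN} is left unquoted on purpose in case it carries extra words.
${SSHKEYGEN} -q -N '' -t rsa -f "$OBJ/user_ca_key" ||
	fail "ssh-keygen of user_ca_key failed"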
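# Generate and sign user keys
# Each key type gets a current-format certificate and, except for ecdsa, a
# legacy "v00" certificate made from a copy of the same key pair.
# $ecdsa is unquoted on purpose: when empty it must expand to no word at all.
for ktype in rsa dsa $ecdsa ; do
	verbose "$tid: sign user ${ktype} cert"
	${SSHKEYGEN} -q -N '' -t "${ktype}" \
	    -f "$OBJ/cert_user_key_${ktype}" ||
		fail "ssh-keygen of cert_user_key_${ktype} failed"
	# Certify for two principals: the login name and "mekmitasdigoat",
	# the name the explicit-principals tests authorise.
	${SSHKEYGEN} -q -s "$OBJ/user_ca_key" -I \
	    "regress user key for $USER" \
	    -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key_${ktype}" ||
		fail "couldn't sign cert_user_key_${ktype}"
	# v00 ecdsa certs do not exist
	# The comparison needs "${ktype}"; a literal "{ktype}" never equals
	# "ecdsa", so the ecdsa key would fall through to the v00 signing step.
	test "${ktype}" = "ecdsa" && continue
	cp "$OBJ/cert_user_key_${ktype}" "$OBJ/cert_user_key_${ktype}_v00"
	cp "$OBJ/cert_user_key_${ktype}.pub" \
	    "$OBJ/cert_user_key_${ktype}_v00.pub"
	${SSHKEYGEN} -q -t v00 -s "$OBJ/user_ca_key" -I \
	    "regress user key for $USER" \
	    -n "${USER},mekmitasdigoat" "$OBJ/cert_user_key_${ktype}_v00" ||
		fail "couldn't sign cert_user_key_${ktype}_v00"
done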
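# Test explicitly-specified principals
# For every key type and both privilege-separation settings, check that a
# certificate is accepted only when one of its principals is explicitly
# authorised, first through AuthorizedPrincipalsFile and then through the
# principals= option on a cert-authority line in authorized_keys.
# Paths are quoted so a scratch directory containing whitespace cannot split
# an argument; ${SSH} stays unquoted in case it carries extra words.
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
	for privsep in yes no ; do
		_prefix="${ktype} privsep $privsep"

		# Setup for AuthorizedPrincipalsFile
		rm -f "$OBJ/authorized_keys_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
			echo "AuthorizedPrincipalsFile " \
			    "$OBJ/authorized_principals_%u"
			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
		) > "$OBJ/sshd_proxy"

		# Missing authorized_principals
		# With no principals file at all the login must be refused.
		verbose "$tid: ${_prefix} missing authorized_principals"
		rm -f "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Empty authorized_principals
		# The file holds a single empty line and authorises nobody.
		verbose "$tid: ${_prefix} empty authorized_principals"
		echo > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Wrong authorized_principals
		# "gregorsamsa" is not among the principals in the certificate.
		verbose "$tid: ${_prefix} wrong authorized_principals"
		echo gregorsamsa > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct authorized_principals
		verbose "$tid: ${_prefix} correct authorized_principals"
		echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ||
			fail "ssh cert connect failed"

		# authorized_principals with bad key option
		# An unparseable option must invalidate the line rather than
		# be skipped, otherwise the principal would still match.
		verbose "$tid: ${_prefix} authorized_principals bad key opt"
		echo 'blah mekmitasdigoat' > "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=false
		# The client asks for "true"; a non-zero exit is expected,
		# presumably because the forced command "false" runs instead.
		verbose "$tid: ${_prefix} authorized_principals command=false"
		echo 'command="false" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# authorized_principals with command=true
		# Mirror image: the client asks for "false" but success is
		# expected, presumably because the forced command wins.
		verbose "$tid: ${_prefix} authorized_principals command=true"
		echo 'command="true" mekmitasdigoat' > \
		    "$OBJ/authorized_principals_$USER"
		${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost false >/dev/null 2>&1 ||
			fail "ssh cert connect failed"

		# Setup for principals= key option
		# The CA is now trusted only through authorized_keys, so
		# TrustedUserCAKeys is left out of the sshd config.
		rm -f "$OBJ/authorized_principals_$USER"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "UsePrivilegeSeparation $privsep"
		) > "$OBJ/sshd_proxy"

		# Wrong principals list
		verbose "$tid: ${_prefix} wrong principals key option"
		(
			echon 'cert-authority,principals="gregorsamsa" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi

		# Correct principals list
		verbose "$tid: ${_prefix} correct principals key option"
		(
			echon 'cert-authority,principals="mekmitasdigoat" '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
		${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
		    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1 ||
			fail "ssh cert connect failed"
	done
done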
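# basic_tests auth
#
# Run the basic accept/reject checks with the CA trusted through one
# mechanism.
# Arguments: $1 - "authorized_keys" puts a cert-authority line for the CA in
#                 the user's authorized_keys; any other value empties
#                 authorized_keys and adds TrustedUserCAKeys to the sshd
#                 config instead.
# Checks:    a certified key connects; the same key listed in RevokedKeys is
#            refused; every certificate is refused once the CA key itself is
#            in RevokedKeys; the CA private key used directly as an identity
#            does not authenticate the user.
# Globals:   writes auth, extra_sshd, ktype, privsep and _prefix (the script
#            does not use function-local variables).
basic_tests() {
	auth=$1
	# Start empty so a TrustedUserCAKeys line left behind by an earlier
	# call can never leak into an authorized_keys run.
	extra_sshd=""
	if test "x$auth" = "xauthorized_keys" ; then
		# Add CA to authorized_keys
		(
			echon 'cert-authority '
			cat "$OBJ/user_ca_key.pub"
		) > "$OBJ/authorized_keys_$USER"
	else
		echo > "$OBJ/authorized_keys_$USER"
		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
	fi

	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
		for privsep in yes no ; do
			_prefix="${ktype} privsep $privsep $auth"
			# Simple connect
			verbose "$tid: ${_prefix} connect"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"

			# Output is deliberately not discarded for this case.
			${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true ||
				fail "ssh cert connect failed"

			# Revoked keys
			# Listing the user's own public key in RevokedKeys
			# must block the certificate issued for it.
			verbose "$tid: ${_prefix} revoked key"
			(
				cat "$OBJ/sshd_proxy_bak"
				echo "UsePrivilegeSeparation $privsep"
				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
				echo "$extra_sshd"
			) > "$OBJ/sshd_proxy"
			if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
			then
				fail "ssh cert connect succeeded unexpectedly"
			fi
		done

		# Revoked CA
		# Revoking the CA key must invalidate certificates it signed.
		verbose "$tid: ${ktype} $auth revoked CA key"
		(
			cat "$OBJ/sshd_proxy_bak"
			echo "RevokedKeys $OBJ/user_ca_key.pub"
			echo "$extra_sshd"
		) > "$OBJ/sshd_proxy"
		if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
		    somehost true >/dev/null 2>&1
		then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done

	verbose "$tid: $auth CA does not authenticate"
	(
		cat "$OBJ/sshd_proxy_bak"
		echo "$extra_sshd"
	) > "$OBJ/sshd_proxy"
	# Trusting a CA to sign certificates must not let the CA key itself
	# log in as the user.
	verbose "$tid: ensure CA key does not authenticate user"
	if ${SSH} -2i "$OBJ/user_ca_key" \
	    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
	then
		fail "ssh cert connect with CA key succeeded unexpectedly"
	fi
}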
# Run the basic checks once per CA trust mechanism: a cert-authority line in
# authorized_keys first, then TrustedUserCAKeys in the sshd config.
for _trust_mode in authorized_keys TrustedUserCAKeys ; do
	basic_tests "$_trust_mode"
done
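# test_one ident result sign_opts [auth_choice [auth_opt]]
#
# Re-sign the rsa and rsa_v00 user keys with the given ssh-keygen options,
# then check whether a login with the resulting certificate succeeds.
# Arguments: $1 - label used in progress and failure messages
#            $2 - "success" if the login must work; anything else means it
#                 must be refused
#            $3 - extra ssh-keygen signing options, split into words
#            $4 - space-separated trust mechanisms to test; empty selects
#                 both authorized_keys and TrustedUserCAKeys
#            $5 - for authorized_keys: text appended to "cert-authority" on
#                 the key line; otherwise: an extra sshd config line
# Globals:   writes ident, result, sign_opts, auth_choice, auth_opt, auth,
#            ktype, keyv and rc. ident stays set after the call.
# Each call overwrites the certificates of both key types.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3
	auth_choice=$4
	auth_opt=$5

	if test "x$auth_choice" = "x" ; then
		auth_choice="authorized_keys TrustedUserCAKeys"
	fi

	# $auth_choice is unquoted on purpose: it is a word list.
	for auth in $auth_choice ; do
		for ktype in rsa rsa_v00 ; do
			case "$ktype" in
			*_v00) keyv="-t v00" ;;
			*) keyv="" ;;
			esac

			cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
			if test "x$auth" = "xauthorized_keys" ; then
				# Add CA to authorized_keys
				(
					echon "cert-authority${auth_opt} "
					cat "$OBJ/user_ca_key.pub"
				) > "$OBJ/authorized_keys_$USER"
			else
				echo > "$OBJ/authorized_keys_$USER"
				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
				    >> "$OBJ/sshd_proxy"
				if test "x$auth_opt" != "x" ; then
					# Quoted so the config line is written
					# verbatim, without word splitting or
					# pathname expansion.
					echo "$auth_opt" >> "$OBJ/sshd_proxy"
				fi
			fi

			verbose "$tid: $ident auth $auth expect $result $ktype"
			# $sign_opts and $keyv are unquoted on purpose: each
			# holds zero or more separate ssh-keygen arguments.
			${SSHKEYGEN} -q -s "$OBJ/user_ca_key" \
			    -I "regress user key for $USER" \
			    $sign_opts $keyv \
			    "$OBJ/cert_user_key_${ktype}" ||
				fail "couldn't sign cert_user_key_${ktype}"

			${SSH} -2i "$OBJ/cert_user_key_${ktype}" \
			    -F "$OBJ/ssh_proxy" somehost true >/dev/null 2>&1
			rc=$?
			if [ "x$result" = "xsuccess" ] ; then
				if [ "$rc" -ne 0 ]; then
					fail "$ident failed unexpectedly"
				fi
			else
				if [ "$rc" -eq 0 ]; then
					fail "$ident succeeded unexpectedly"
				fi
			fi
		done
	done
}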
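# Certificate contents versus expected outcome. Unless a fourth argument
# restricts it, each case runs against both trust mechanisms.
test_one "correct principal" success "-n ${USER}"
# -h issues a host certificate, which must not authenticate a user.
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
# The validity window is relative and lies wholly in the future, so the case
# does not depend on the date the suite is run. A fixed start date such as
# 20200101 stops being "not yet valid" once that day has passed.
test_one "cert not yet valid" failure "-n ${USER} -V+1w:+2w"
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
# Presumably the test connection never originates from 10.0.0.0/8.
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
# The client asks for "true"; the certificate forces "false" instead.
test_one "force-command" failure "-n ${USER} -Oforce-command=false"

# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys

# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.

# AuthorizedPrincipalsFile
rm -f "$OBJ/authorized_keys_$USER"
echo mekmitasdigoat > "$OBJ/authorized_principals_$USER"
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"

# principals= key option
rm -f "$OBJ/authorized_principals_$USER"
test_one "principals key option principals" success "-n mekmitasdigoat" \
    authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
    authorized_keys ',principals="mekmitasdigoat"'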
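# Wrong certificate
# Each user key signs its own certificate instead of user_ca_key doing so;
# a certificate from a signer that is not the trusted CA must be refused.
cat "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
	case "$ktype" in
	*_v00) args="-t v00" ;;
	*) args="" ;;
	esac
	# Self-sign
	# $args is unquoted on purpose: it is empty or two separate words.
	${SSHKEYGEN} $args -q -s "$OBJ/cert_user_key_${ktype}" -I \
	    "regress user key for $USER" \
	    -n "$USER" "$OBJ/cert_user_key_${ktype}" ||
		fail "couldn't sign cert_user_key_${ktype}"
	verbose "$tid: user ${ktype} connect wrong cert"
	if ${SSH} -2i "$OBJ/cert_user_key_${ktype}" -F "$OBJ/ssh_proxy" \
	    somehost true >/dev/null 2>&1
	then
		# Name the key type here; $ident would only hold the label
		# of the last test_one call, which is unrelated to this loop.
		fail "ssh cert connect with wrong ${ktype} cert succeeded unexpectedly"
	fi
done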
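# Remove the key material and authorisation files this test created,
# including the passphrase-less CA private key. Paths are quoted so a scratch
# directory containing whitespace cannot redirect the delete.
# NOTE(review): sshd_proxy stays as last rewritten and sshd_proxy_bak is not
# removed; confirm the harness regenerates them for later tests.
rm -f "$OBJ/authorized_keys_$USER" "$OBJ"/user_ca_key* "$OBJ"/cert_user_key*
rm -f "$OBJ/authorized_principals_$USER"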