xref: /freebsd/crypto/openssh/regress/sshsig.sh (revision 1323ec57) 
1#	$OpenBSD: sshsig.sh,v 1.14 2022/02/01 23:37:15 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
16	-C "wrong trousers, Grommit" -N '' \
17	|| fatal "couldn't generate key"
18WRONG=$OBJ/wrong-key.pub
19
20# Make a CA key.
21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22	|| fatal "couldn't generate key"
23CA_PRIV=$OBJ/sigca-key
24CA_PUB=$OBJ/sigca-key.pub
25
26trace "start agent"
27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
28r=$?
29if [ $r -ne 0 ]; then
30	fatal "could not start ssh-agent: exit code $r"
31fi
32
33SIGNKEYS="$SSH_KEYTYPES"
34verbose "$tid: make certificates"
35for t in $SSH_KEYTYPES ; do
36	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
37	    -I "regress signature key for $USER" \
38		-V "19840101:19860101" \
39	    -n $sig_principal $OBJ/${t} || \
40		fatal "couldn't sign ${t}"
41	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
42done
43
44for t in $SIGNKEYS; do
45	verbose "$tid: check signature for $t"
46	keybase=`basename $t .pub`
47	privkey=${OBJ}/`basename $t -cert.pub`
48	sigfile=${OBJ}/sshsig-${keybase}.sig
49	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
50	pubkey=${OBJ}/${keybase}.pub
51	cert=${OBJ}/${keybase}-cert.pub
52	sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
53
54	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
55	    -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
56		fail "sign using $t with bad hash algorithm succeeded"
57
58	for h in default sha256 sha512 ; do
59		case "$h" in
60		default) hashalg_arg="" ;;
61		*) hashalg_arg="-Ohashalg=$h" ;;
62		esac
63		${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
64		    $hashalg_arg < $DATA > $sigfile 2>/dev/null || \
65			fail "sign using $t / $h failed"
66		(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
67		${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
68		    -I $sig_principal -f $OBJ/allowed_signers \
69		    < $DATA >/dev/null 2>&1 || \
70			fail "failed signature for $t / $h key"
71	done
72
73	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
74	 cat $pubkey) > $OBJ/allowed_signers
75	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
76		-I $sig_principal -f $OBJ/allowed_signers \
77		< $DATA >/dev/null 2>&1 || \
78		fail "failed signature for $t key w/ limited namespace"
79
80	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
81	 cat $pubkey) > $OBJ/allowed_signers
82	${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
83		-I $sig_principal -f $OBJ/allowed_signers \
84		-O print-pubkey \
85		< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
86		fail "failed signature for $t key w/ print-pubkey"
87	cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
88	diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
89		fail "print-pubkey differs from signature key"
90
91	# Invalid option
92	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
93	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
94		-I $sig_principal -f $OBJ/allowed_signers \
95		< $DATA >/dev/null 2>&1 && \
96		fail "accepted signature for $t key with bad signers option"
97
98	# Wrong key trusted.
99	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
100	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
101		-I $sig_principal -f $OBJ/allowed_signers \
102		< $DATA >/dev/null 2>&1 && \
103		fail "accepted signature for $t key with wrong key trusted"
104
105	# incorrect data
106	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
107	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
108		-I $sig_principal -f $OBJ/allowed_signers \
109		< $DATA2 >/dev/null 2>&1 && \
110		fail "passed signature for wrong data with $t key"
111
112	# wrong principal in signers
113	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
114	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
115		-I $sig_principal -f $OBJ/allowed_signers \
116		< $DATA >/dev/null 2>&1 && \
117		fail "accepted signature for $t key with wrong principal"
118
119	# wrong namespace
120	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
121	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
122		-I $sig_principal -f $OBJ/allowed_signers \
123		< $DATA >/dev/null 2>&1 && \
124		fail "accepted signature for $t key with wrong namespace"
125
126	# namespace excluded by option
127	(printf "$sig_principal namespaces=\"whatever\" " ;
128	 cat $pubkey) > $OBJ/allowed_signers
129	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
130		-I $sig_principal -f $OBJ/allowed_signers \
131		< $DATA >/dev/null 2>&1 && \
132		fail "accepted signature for $t key with excluded namespace"
133
134	( printf "$sig_principal " ;
135	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
136	  cat $pubkey) > $OBJ/allowed_signers
137
138	# key lifespan valid
139	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
140		-I $sig_principal -f $OBJ/allowed_signers \
141		-Overify-time=19850101 \
142		< $DATA >/dev/null 2>&1 || \
143		fail "failed signature for $t key with valid expiry interval"
144	# key not yet valid
145	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
146		-I $sig_principal -f $OBJ/allowed_signers \
147		-Overify-time=19790101 \
148		< $DATA >/dev/null 2>&1 && \
149		fail "failed signature for $t not-yet-valid key"
150	# key expired
151	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
152		-I $sig_principal -f $OBJ/allowed_signers \
153		-Overify-time=19910101 \
154		< $DATA >/dev/null 2>&1 && \
155		fail "failed signature for $t with expired key"
156	# NB. assumes we're not running this test in the 1980s
157	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
158		-I $sig_principal -f $OBJ/allowed_signers \
159		< $DATA >/dev/null 2>&1 && \
160		fail "failed signature for $t with expired key"
161
162	# key lifespan valid
163	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
164		-Overify-time="19850101" \
165		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
166		fail "failed find-principals for $t key with valid expiry interval"
167	# key not yet valid
168	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
169		-Overify-time="19790101" \
170		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
171		fail "failed find-principals for $t not-yet-valid key"
172	# key expired
173	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
174		-Overify-time="19990101" \
175		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
176		fail "failed find-principals for $t with expired key"
177	# NB. assumes we're not running this test in the 1980s
178	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
179		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
180		fail "failed find-principals for $t with expired key"
181
182	# public key in revoked keys file
183	cat $pubkey > $OBJ/revoked_keys
184	(printf "$sig_principal namespaces=\"whatever\" " ;
185	 cat $pubkey) > $OBJ/allowed_signers
186	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
187		-I $sig_principal -f $OBJ/allowed_signers \
188		-r $OBJ/revoked_keys \
189		< $DATA >/dev/null 2>&1 && \
190		fail "accepted signature for $t key, but key is in revoked_keys"
191
192	# public key not revoked, but others are present in revoked_keysfile
193	cat $WRONG > $OBJ/revoked_keys
194	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
195	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
196		-I $sig_principal -f $OBJ/allowed_signers \
197		-r $OBJ/revoked_keys \
198		< $DATA >/dev/null 2>&1 || \
199		fail "couldn't verify signature for $t key, but key not in revoked_keys"
200
201	# check-novalidate with valid data
202	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
203		< $DATA >/dev/null 2>&1 || \
204		fail "failed to check valid signature for $t key"
205
206	# check-novalidate with invalid data
207	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
208		< $DATA2 >/dev/null 2>&1 && \
209		fail "succeeded checking signature for $t key with invalid data"
210
211	# find-principals with valid public key
212	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
213	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
214		fail "failed to find valid principals in allowed_signers"
215
216	# find-principals with wrong key not in allowed_signers
217	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
218	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
219		fail "succeeded finding principal with invalid signers file"
220
221	# find-principals with a configured namespace but none on command-line
222	(printf "$sig_principal " ;
223	 printf "namespaces=\"test1,test2\" ";
224	 cat $pubkey) > $OBJ/allowed_signers
225	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
226	    -f $OBJ/allowed_signers >/dev/null 2>&1 || \
227		fail "failed finding principal when namespaces are configured"
228
229	# Check signing keys using ssh-agent.
230	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
231	${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
232
233	# Move private key to ensure agent key is used
234	mv ${privkey} ${privkey}.tmp
235
236	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
237		< $DATA > $sigfile_agent 2>/dev/null || \
238		fail "ssh-agent based sign using $pubkey failed"
239	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
240		-n $sig_namespace < $DATA >/dev/null 2>&1 || \
241		fail "failed to check valid signature for $t key"
242
243	# Move private key back
244	mv ${privkey}.tmp ${privkey}
245
246	# Duplicate principals & keys in allowed_signers but with different validities
247	( printf "$sig_principal " ;
248	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
249	  cat $pubkey;
250	  printf "${sig_principal} " ;
251	  printf "valid-after=\"19850101\",valid-before=\"20000101\" " ;
252	  cat $pubkey) > $OBJ/allowed_signers
253
254	# find-principals outside of any validity lifespan
255	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
256		-Overify-time="20100101" \
257		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
258		fail "succeeded find-principals for $t verify-time outside of validity"
259	# find-principals matching only the first lifespan
260	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
261		-Overify-time="19830101" \
262		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
263		fail "failed find-principals for $t verify-time within first span"
264	# find-principals matching both lifespans
265	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
266		-Overify-time="19880101" \
267		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
268		fail "failed find-principals for $t verify-time within both spans"
269	# find-principals matching only the second lifespan
270	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
271		-Overify-time="19950101" \
272		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
273		fail "failed find-principals for $t verify-time within second span"
274
275	# verify outside of any validity lifespan
276	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
277		-Overify-time="20100101" -I $sig_principal \
278		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
279		< $DATA >/dev/null 2>&1 && \
280		fail "succeeded verify for $t verify-time outside of validity"
281	# verify matching only the first lifespan
282	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
283		-Overify-time="19830101" -I $sig_principal \
284		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
285		< $DATA >/dev/null 2>&1 || \
286		fail "failed verify for $t verify-time within first span"
287	# verify matching both lifespans
288	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
289		-Overify-time="19880101" -I $sig_principal \
290		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
291		< $DATA >/dev/null 2>&1 || \
292		fail "failed verify for $t verify-time within both spans"
293	# verify matching only the second lifespan
294	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
295		-Overify-time="19950101" -I $sig_principal \
296		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
297		< $DATA >/dev/null 2>&1 || \
298		fail "failed verify for $t verify-time within second span"
299
300	# Remaining tests are for certificates only.
301	case "$keybase" in
302		*-cert) ;;
303		*) continue ;;
304	esac
305
306	# Check key lifespan on find-principals when using the CA
307	( printf "$sig_principal " ;
308	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
309	  cat $CA_PUB) > $OBJ/allowed_signers
310	# key lifespan valid
311	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
312		-Overify-time="19850101" \
313		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
314		fail "failed find-principals for $t key with valid expiry interval"
315	# key not yet valid
316	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
317		-Overify-time="19790101" \
318		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
319		fail "failed find-principals for $t not-yet-valid key"
320	# key expired
321	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
322		-Overify-time="19990101" \
323		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
324		fail "failed find-principals for $t with expired key"
325	# NB. assumes we're not running this test in the 1980s
326	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
327		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
328		fail "failed find-principals for $t with expired key"
329
330	# correct CA key
331	(printf "$sig_principal cert-authority " ;
332	 cat $CA_PUB) > $OBJ/allowed_signers
333	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
334		-I $sig_principal -f $OBJ/allowed_signers \
335		-Overify-time=19850101 \
336		< $DATA >/dev/null 2>&1 || \
337		fail "failed signature for $t cert"
338
339	# find-principals
340	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
341		-Overify-time=19850101 \
342		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
343		fail "failed find-principals for $t with ca key"
344
345	# CA with wildcard principal
346	(printf "*@example.com cert-authority " ;
347	 cat $CA_PUB) > $OBJ/allowed_signers
348	# find-principals CA with wildcard principal
349	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
350		-Overify-time=19850101 \
351		-f $OBJ/allowed_signers 2>/dev/null | \
352		fgrep "$sig_principal" >/dev/null || \
353		fail "failed find-principals for $t with ca key using wildcard principal"
354
355	# verify CA with wildcard principal
356	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
357		-I $sig_principal -f $OBJ/allowed_signers \
358		-Overify-time=19850101 \
359		< $DATA >/dev/null 2>&1 || \
360		fail "failed signature for $t cert using wildcard principal"
361
362	# signing key listed as cert-authority
363	(printf "$sig_principal cert-authority " ;
364	 cat $pubkey) > $OBJ/allowed_signers
365	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
366		-I $sig_principal -f $OBJ/allowed_signers \
367		< $DATA >/dev/null 2>&1 && \
368		fail "accepted signature with $t key listed as CA"
369
370	# CA key not flagged cert-authority
371	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
372	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
373		-I $sig_principal -f $OBJ/allowed_signers \
374		< $DATA >/dev/null 2>&1 && \
375		fail "accepted signature for $t cert with CA not marked"
376
377	# mismatch between cert principal and file
378	(printf "josef.k@example.com cert-authority " ;
379	 cat $CA_PUB) > $OBJ/allowed_signers
380	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
381		-I $sig_principal -f $OBJ/allowed_signers \
382		< $DATA >/dev/null 2>&1 && \
383		fail "accepted signature for $t cert with wrong principal"
384
385	# Cert valid but CA revoked
386	cat $CA_PUB > $OBJ/revoked_keys
387	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
388	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
389		-I $sig_principal -f $OBJ/allowed_signers \
390		-r $OBJ/revoked_keys \
391		< $DATA >/dev/null 2>&1 && \
392		fail "accepted signature for $t key, but CA key in revoked_keys"
393
394	# Set lifespan of CA key and verify signed user certs behave accordingly
395	( printf "$sig_principal " ;
396	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
397	  cat $CA_PUB) > $OBJ/allowed_signers
398
399	# CA key lifespan valid
400	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
401		-I $sig_principal -f $OBJ/allowed_signers \
402		-Overify-time=19850101 \
403		< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
404		fail "failed signature for $t key with valid CA expiry interval"
405	# CA lifespan is valid but user key not yet valid
406	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
407		-I $sig_principal -f $OBJ/allowed_signers \
408		-Overify-time=19810101 \
409		< $DATA >/dev/null 2>&1 && \
410		fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
411	# CA lifespan is valid but user key expired
412	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
413		-I $sig_principal -f $OBJ/allowed_signers \
414		-Overify-time=19890101 \
415		< $DATA >/dev/null 2>&1 && \
416		fail "accepted signature for $t key with valid CA expiry interval but expired cert"
417	# CA key not yet valid
418	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
419		-I $sig_principal -f $OBJ/allowed_signers \
420		-Overify-time=19790101 \
421		< $DATA >/dev/null 2>&1 && \
422		fail "accepted signature for $t not-yet-valid CA key"
423	# CA key expired
424	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
425		-I $sig_principal -f $OBJ/allowed_signers \
426		-Overify-time=19910101 \
427		< $DATA >/dev/null 2>&1 && \
428		fail "accepted signature for $t with expired CA key"
429	# NB. assumes we're not running this test in the 1980s
430	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
431		-I $sig_principal -f $OBJ/allowed_signers \
432		< $DATA >/dev/null 2>&1 && \
433		fail "accepted signature for $t with expired CA key"
434
435	# Set lifespan of CA outside of the cert validity
436	( printf "$sig_principal " ;
437	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
438	  cat $CA_PUB) > $OBJ/allowed_signers
439	# valid cert validity but expired CA
440	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
441		-I $sig_principal -f $OBJ/allowed_signers \
442		-Overify-time=19840101 \
443		< $DATA >/dev/null 2>&1 && \
444		fail "accepted signature for $t key with expired CA but valid cert"
445
446done
447
448# Test key independant match-principals
449(
450	printf "principal1 " ; cat $pubkey;
451	printf "princi* " ; cat $pubkey;
452	printf "unique " ; cat $pubkey;
453) > $OBJ/allowed_signers
454
455verbose "$tid: match principals"
456${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
457    fgrep "unique" >/dev/null || \
458	fail "faild to match static principal"
459
460${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
461    fgrep "princi*" >/dev/null || \
462	fail "faild to match wildcard principal"
463
464${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
465    fgrep -e "principal1" -e "princi*" >/dev/null || \
466	fail "faild to match static and wildcard principal"
467verbose "$tid: nomatch principals"
468for x in princ prince unknown ; do
469	${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \
470	    -I $x >/dev/null 2>&1 && \
471		fail "succeeded to match unknown principal \"$x\""
472done
473
474trace "kill agent"
475${SSHAGENT} -k > /dev/null
476
477