1#	$OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $
2#	Placed in the Public Domain.
3
tid="certified host keys"

# Start from a clean slate and keep a pristine copy of the sshd config;
# every test below regenerates sshd_proxy from sshd_proxy_bak.
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Principals the host certificates are issued for, and that the
# @cert-authority line in known_hosts is scoped to.
HOSTS='localhost-with-alias,127.0.0.1,::1'

# Create a CA key and trust it for $HOSTS via an @cert-authority marker
# in a dedicated known_hosts file (the only one the client will read).
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||
	fail "ssh-keygen of host_ca_key failed"
{
	printf '%s' '@cert-authority '
	printf '%s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert
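# Generate and sign host keys: one cert per key type with the default
# cert format and, for rsa/dsa only, a copy signed as a legacy v00 cert.
for ktype in rsa dsa ecdsa ; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate and sign a host key.  -h makes it a *host* certificate;
	# -n restricts it to the principals in $HOSTS.
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_host_key_${ktype} || \
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
		fail "couldn't sign cert_host_key_${ktype}"
	# v00 ecdsa certs do not exist, so skip the legacy copy for ecdsa.
	# Compare the expanded variable, not the literal string "{ktype}".
	test "${ktype}" = "ecdsa" && continue
	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
		fail "couldn't sign cert_host_key_${ktype}_v00"
done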
40
# Basic connect tests: every signed host cert must be accepted, with and
# without privilege separation in sshd.
for privsep in yes no ; do
	for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		# Point sshd at this key/cert pair on top of the pristine config.
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		} > $OBJ/sshd_proxy

		# Only the CA-only known_hosts file is consulted, so the
		# connection succeeds only if the certificate itself is trusted.
		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true ||
			fail "ssh cert connect failed"
	done
done
60
# Revoked certificates with key present: the CA stays trusted, but each
# host key itself is listed as @revoked, which must override the cert.
(
	printf '%s' '@cert-authority '
	printf '%s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
	for revoked in rsa ecdsa dsa rsa_v00 dsa_v00 ; do
		printf '%s' '@revoked '
		printf '%s' '* '
		cat $OBJ/cert_host_key_${revoked}.pub
	done
) > $OBJ/known_hosts-cert
for privsep in yes no ; do
	for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		} > $OBJ/sshd_proxy

		# Host key verification must fail; output is discarded since a
		# refused connection is the expected path here.
		if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done
100
# Revoked CA: the CA key is still an @cert-authority for $HOSTS but is
# also listed as @revoked; every cert it signed must now be rejected.
(
	printf '%s' '@cert-authority '
	printf '%s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
	printf '%s' '@revoked '
	printf '%s' '* '
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do
	verbose "$tid: host ${ktype} revoked cert"
	{
		cat $OBJ/sshd_proxy_bak
		echo HostKey $OBJ/cert_host_key_${ktype}
		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	} > $OBJ/sshd_proxy
	# Expected to fail: a cert from a revoked CA is never trusted.
	if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done
124
# Restore the known_hosts file to trusting only the CA (no revocations),
# as the test_one cases below depend on that baseline.
{
	printf '%s' '@cert-authority '
	printf '%s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
} > $OBJ/known_hosts-cert
131
#
# test_one ident result sign_opts
#
# Re-sign cert_host_key_rsa (default cert format) and cert_host_key_rsa_v00
# (v00 format) with host_ca_key, passing the extra ssh-keygen options in
# $sign_opts, point sshd at the result and connect.  $result is "success"
# when the client must accept the host cert, anything else when it must
# reject it.  $ident only labels diagnostics.
#
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00 ; do
		# Legacy v00 certs need an explicit cert type when signing.
		args=""
		case $kt in
		*_v00) args="-t v00" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		# $sign_opts and $args are intentionally unquoted: each carries
		# several whitespace-separated ssh-keygen arguments.
		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		rc=$?
		case "$result" in
		success)
			[ $rc -eq 0 ] ||
				fail "ssh cert connect $ident failed unexpectedly"
			;;
		*)
			[ $rc -ne 0 ] ||
				fail "ssh cert connect $ident succeeded unexpectedly"
			;;
		esac
	done
}
170
# Each case: label, expected client outcome, extra ssh-keygen signing
# options.  The client must only accept a host-typed cert (-h) whose
# principals (if any) cover the host, whose validity window contains
# "now", and which carries no critical options.
test_one "user-certificate"   failure "-n $HOSTS"              # no -h: user cert
test_one "empty principals"   success "-h"                     # no -n: any host
test_one "wrong principals"   failure "-h -n foo"              # host not listed
test_one "cert not yet valid" failure "-h -V20200101:20300101" # starts in future
test_one "cert expired"       failure "-h -V19800101:19900101" # ended in past
test_one "cert valid interval" success "-h -V-1w:+2w"          # window spans now
test_one "cert has constraints" failure "-h -Oforce-command=false" # option rejected
178
# Check downgrade of cert to raw key when no CA found: known_hosts holds
# the raw host key but no @cert-authority line, so the client must fall
# back to plain key matching and still connect.
for v in v01 v00 ;  do
	for ktype in rsa dsa ecdsa ; do
		# v00 ecdsa certs do not exist.
		test "${v}${ktype}" = "v00ecdsa" && continue
		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate a fresh host key and sign it as a ${v} host cert.
		${SSHKEYGEN} -q -N '' -t ${ktype} \
		    -f $OBJ/cert_host_key_${ktype} ||
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
			fail "couldn't sign cert_host_key_${ktype}"
		# Trust the raw key only; the CA is deliberately absent.
		{
			printf '%s ' "$HOSTS"
			cat $OBJ/cert_host_key_${ktype}.pub
		} > $OBJ/known_hosts-cert
		{
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		} > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy somehost true ||
			fail "ssh cert connect failed"
	done
done
212
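# Wrong certificate: the host key is self-signed (it acts as its own CA),
# so the presented cert was not issued by the trusted CA and the client
# must refuse to connect.
(
	printf '%s' '@cert-authority '
	printf '%s ' "$HOSTS"
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for v in v01 v00 ;  do
	for kt in rsa dsa ecdsa ; do
		# v00 ecdsa certs do not exist.  Test this loop's variable
		# (${kt}); the stale ${ktype} left by the previous test made
		# every v00 case here skip silently.
		test "${v}${kt}" = "v00ecdsa" && continue
		rm -f $OBJ/cert_host_key*
		# Self-sign key: the key is passed as both CA (-s) and subject.
		${SSHKEYGEN} -q -N '' -t ${kt} \
		    -f $OBJ/cert_host_key_${kt} || \
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} connect wrong cert"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		) > $OBJ/sshd_proxy

		# Expected to fail.  Name this test's key/format in the
		# diagnostic rather than $ident, which belongs to test_one.
		if ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		    -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1; then
			fail "ssh wrong cert ${kt} ${v} connect succeeded unexpectedly"
		fi
	done
done

# Clean up generated keys, certs and the dedicated known_hosts file.
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*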
249