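# $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
# Placed in the Public Domain.
#
# Regress test for key revocation lists (KRLs). Expects the regress harness
# to provide $OBJ (scratch directory), $SSHKEYGEN, and the fatal/verbose
# helpers. Keys, certificates and KRLs are all created under $OBJ.

tid="key revocation lists"

# Do most testing with ssh-keygen; it uses the same verification code as sshd.

# Old keys will interfere with ssh-keygen.
rm -f "$OBJ"/revoked-* "$OBJ"/krl-*

# Generate a CA key
$SSHKEYGEN -t ecdsa -f "$OBJ/revoked-ca" -C "" -N "" > /dev/null ||
	fatal "$SSHKEYGEN CA failed"

# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
# bitmap sections.
cat << EOF >> "$OBJ/revoked-serials"
serial: 1-4
serial: 10
serial: 15
serial: 30
serial: 50
serial: 999
# The following sum to 500-799
serial: 500
serial: 501
serial: 502
serial: 503-600
serial: 700-797
serial: 798
serial: 799
serial: 599-701
EOF

# A specification that revokes some certificates by key ID.
# `jot 500 300` yields 300..799, so the IDs revoked here are
# "revoked N" for N in {1-4,10,15,30,50,300-799,999-1002}.
touch "$OBJ/revoked-keyid"
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
	# Fill in by-ID revocation spec.
	echo "id: revoked $n" >> "$OBJ/revoked-keyid"
done

# keygen SERIAL
# Generate a key pair $OBJ/revoked-NNNN (zero-padded SERIAL) and a
# certificate for it with serial SERIAL and key ID "revoked SERIAL",
# signed by $OBJ/revoked-ca. Prints the key path (no suffix) to stdout.
# Exits via fatal on any ssh-keygen failure.
keygen() {
	N=$1
	f=$OBJ/revoked-$(printf "%04d" "$N")
	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
	keytype=ecdsa
	case $N in
	2 | 10 | 510 | 1001)	keytype=rsa;;
	4 | 30 | 520 | 1002)	keytype=dsa;;
	esac
	$SSHKEYGEN -t $keytype -f "$f" -C "" -N "" > /dev/null \
		|| fatal "$SSHKEYGEN failed"
	# Sign cert. The serial is our own argument $N; previously this read
	# the caller's loop variable $n, which only worked by coincidence.
	$SSHKEYGEN -s "$OBJ/revoked-ca" -z "$N" -I "revoked $N" "$f" \
		>/dev/null 2>&1 || fatal "$SSHKEYGEN sign failed"
	echo "$f"
}

# Generate some keys.
verbose "$tid: generating test keys"
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
REVOKED_KEYS=""
REVOKED_CERTS=""
for n in $REVOKED_SERIALS ; do
	f=$(keygen "$n")
	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
done
# Serials chosen to sit just outside the revoked ranges of BOTH
# specifications above: none is listed in revoked-serials and none of the
# "revoked N" IDs is listed in revoked-keyid. (The earlier list contained
# 30, 499, 1000 and 1001, which those specs do revoke, and the loop never
# generated any keys, so the "unrevoked" checks below were testing nothing.)
NOTREVOKED_SERIALS="5 9 14 16 29 31 49 51 299 800 1010 1011"
NOTREVOKED_KEYS=""
NOTREVOKED_CERTS=""
for n in $NOTREVOKED_SERIALS ; do
	f=$(keygen "$n")
	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
done

# genkrls [OPTS]
# Build the full set of KRLs under $OBJ/krl-*, passing OPTS (e.g. -u to
# update an existing KRL in place) straight through to ssh-keygen.
# Also checks that serial/key-id specifications are rejected without a CA.
genkrls() {
	OPTS=$1
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-empty" - </dev/null \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-keys" $REVOKED_KEYS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-cert" $REVOKED_CERTS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-all" $REVOKED_KEYS $REVOKED_CERTS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-ca" "$OBJ/revoked-ca.pub" \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	# KRLs from serial/key-id spec need the CA specified.
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-serial" "$OBJ/revoked-serials" \
		>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-keyid" "$OBJ/revoked-keyid" \
		>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	# The CA may be given as either the private or the public key file.
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-serial" -s "$OBJ/revoked-ca" \
		"$OBJ/revoked-serials" \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf "$OBJ/krl-keyid" -s "$OBJ/revoked-ca.pub" \
		"$OBJ/revoked-keyid" \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
}

## XXX dump with trace and grep for set cert serials
## XXX test ranges near (u64)-1, etc.

verbose "$tid: generating KRLs"
genkrls

# check_krl KEY KRL EXPECT_REVOKED TAG
# Query KRL for KEY with ssh-keygen -Q and compare with EXPECT_REVOKED
# ("yes" or "no"); any mismatch is fatal, labelled with TAG.
check_krl() {
	KEY=$1
	KRL=$2
	EXPECT_REVOKED=$3
	TAG=$4
	# -Q exits non-zero when the key is revoked.
	$SSHKEYGEN -Qf "$KRL" "$KEY" >/dev/null
	result=$?
	if [ "x$EXPECT_REVOKED" = "xyes" ] && [ "$result" -eq 0 ] ; then
		fatal "key $KEY not revoked by KRL $KRL: $TAG"
	elif [ "x$EXPECT_REVOKED" = "xno" ] && [ "$result" -ne 0 ] ; then
		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
	fi
}

# test_all FILES TAG KEYS ALL SERIAL KEYID CERTS CA
# Check every file in the whitespace-separated list FILES against each
# generated KRL; arguments 3-8 give the expected "yes"/"no" result for
# krl-keys, krl-all, krl-serial, krl-keyid, krl-cert and krl-ca.
# krl-empty must never revoke anything.
test_all() {
	FILES=$1
	TAG=$2
	KEYS_RESULT=$3
	ALL_RESULT=$4
	SERIAL_RESULT=$5
	KEYID_RESULT=$6
	CERTS_RESULT=$7
	CA_RESULT=$8
	verbose "$tid: checking revocations for $TAG"
	for k in $FILES ; do
		check_krl "$k" "$OBJ/krl-empty" no "$TAG"
		check_krl "$k" "$OBJ/krl-keys" "$KEYS_RESULT" "$TAG"
		check_krl "$k" "$OBJ/krl-all" "$ALL_RESULT" "$TAG"
		check_krl "$k" "$OBJ/krl-serial" "$SERIAL_RESULT" "$TAG"
		check_krl "$k" "$OBJ/krl-keyid" "$KEYID_RESULT" "$TAG"
		check_krl "$k" "$OBJ/krl-cert" "$CERTS_RESULT" "$TAG"
		check_krl "$k" "$OBJ/krl-ca" "$CA_RESULT" "$TAG"
	done
}
# The unrevoked lists are NOTREVOKED_*; the previous $UNREVOKED_* names were
# never assigned, so those rows silently checked an empty file list.
#                                        keys all serial keyid certs CA
test_all "$REVOKED_KEYS"    "revoked keys"   yes yes no  no  no  no
test_all "$NOTREVOKED_KEYS" "unrevoked keys" no  no  no  no  no  no
test_all "$REVOKED_CERTS"   "revoked certs"  yes yes yes yes yes yes
test_all "$NOTREVOKED_CERTS" "unrevoked certs" no no no  no  no  yes

# Check update. Results should be identical.
# Each pass resets one KRL to the empty KRL and regenerates all of them
# with -u, so every file is exercised both as an empty and an already
# populated update target.
verbose "$tid: testing KRL update"
for f in "$OBJ/krl-keys" "$OBJ/krl-cert" "$OBJ/krl-all" \
    "$OBJ/krl-ca" "$OBJ/krl-serial" "$OBJ/krl-keyid" ; do
	cp -f "$OBJ/krl-empty" "$f"
	genkrls -u
done
#                                        keys all serial keyid certs CA
test_all "$REVOKED_KEYS"    "revoked keys"   yes yes no  no  no  no
test_all "$NOTREVOKED_KEYS" "unrevoked keys" no  no  no  no  no  no
test_all "$REVOKED_CERTS"   "revoked certs"  yes yes yes yes yes yes
test_all "$NOTREVOKED_CERTS" "unrevoked certs" no no no  no  no  yes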