xref: /openbsd/regress/usr.bin/ssh/sshsig.sh (revision 73471bf0) 
1#	$OpenBSD: sshsig.sh,v 1.11 2021/11/27 07:23:35 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
16	-C "wrong trousers, Grommit" -N '' \
17	|| fatal "couldn't generate key"
18WRONG=$OBJ/wrong-key.pub
19
20# Make a CA key.
21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22	|| fatal "couldn't generate key"
23CA_PRIV=$OBJ/sigca-key
24CA_PUB=$OBJ/sigca-key.pub
25
26trace "start agent"
27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
28r=$?
29if [ $r -ne 0 ]; then
30	fatal "could not start ssh-agent: exit code $r"
31fi
32
33SIGNKEYS="$SSH_KEYTYPES"
34verbose "$tid: make certificates"
35for t in $SSH_KEYTYPES ; do
36	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
37	    -I "regress signature key for $USER" \
38		-V "19840101:19860101" \
39	    -n $sig_principal $OBJ/${t} || \
40		fatal "couldn't sign ${t}"
41	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
42done
43
44for t in $SIGNKEYS; do
45	verbose "$tid: check signature for $t"
46	keybase=`basename $t .pub`
47	privkey=${OBJ}/`basename $t -cert.pub`
48	sigfile=${OBJ}/sshsig-${keybase}.sig
49	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
50	pubkey=${OBJ}/${keybase}.pub
51	cert=${OBJ}/${keybase}-cert.pub
52	sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
53
54	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
55		< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
56
57	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
58	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
59		-I $sig_principal -f $OBJ/allowed_signers \
60		< $DATA >/dev/null 2>&1 || \
61		fail "failed signature for $t key"
62
63	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
64	 cat $pubkey) > $OBJ/allowed_signers
65	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
66		-I $sig_principal -f $OBJ/allowed_signers \
67		< $DATA >/dev/null 2>&1 || \
68		fail "failed signature for $t key w/ limited namespace"
69
70	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
71	 cat $pubkey) > $OBJ/allowed_signers
72	${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
73		-I $sig_principal -f $OBJ/allowed_signers \
74		-O print-pubkey \
75		< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
76		fail "failed signature for $t key w/ print-pubkey"
77	cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
78	diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
79		fail "print-pubkey differs from signature key"
80
81	# Invalid option
82	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
83	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
84		-I $sig_principal -f $OBJ/allowed_signers \
85		< $DATA >/dev/null 2>&1 && \
86		fail "accepted signature for $t key with bad signers option"
87
88	# Wrong key trusted.
89	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
90	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
91		-I $sig_principal -f $OBJ/allowed_signers \
92		< $DATA >/dev/null 2>&1 && \
93		fail "accepted signature for $t key with wrong key trusted"
94
95	# incorrect data
96	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
97	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
98		-I $sig_principal -f $OBJ/allowed_signers \
99		< $DATA2 >/dev/null 2>&1 && \
100		fail "passed signature for wrong data with $t key"
101
102	# wrong principal in signers
103	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
104	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
105		-I $sig_principal -f $OBJ/allowed_signers \
106		< $DATA >/dev/null 2>&1 && \
107		fail "accepted signature for $t key with wrong principal"
108
109	# wrong namespace
110	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
111	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
112		-I $sig_principal -f $OBJ/allowed_signers \
113		< $DATA >/dev/null 2>&1 && \
114		fail "accepted signature for $t key with wrong namespace"
115
116	# namespace excluded by option
117	(printf "$sig_principal namespaces=\"whatever\" " ;
118	 cat $pubkey) > $OBJ/allowed_signers
119	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
120		-I $sig_principal -f $OBJ/allowed_signers \
121		< $DATA >/dev/null 2>&1 && \
122		fail "accepted signature for $t key with excluded namespace"
123
124	( printf "$sig_principal " ;
125	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
126	  cat $pubkey) > $OBJ/allowed_signers
127
128	# key lifespan valid
129	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
130		-I $sig_principal -f $OBJ/allowed_signers \
131		-Overify-time=19850101 \
132		< $DATA >/dev/null 2>&1 || \
133		fail "failed signature for $t key with valid expiry interval"
134	# key not yet valid
135	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
136		-I $sig_principal -f $OBJ/allowed_signers \
137		-Overify-time=19790101 \
138		< $DATA >/dev/null 2>&1 && \
139		fail "failed signature for $t not-yet-valid key"
140	# key expired
141	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
142		-I $sig_principal -f $OBJ/allowed_signers \
143		-Overify-time=19910101 \
144		< $DATA >/dev/null 2>&1 && \
145		fail "failed signature for $t with expired key"
146	# NB. assumes we're not running this test in the 1980s
147	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
148		-I $sig_principal -f $OBJ/allowed_signers \
149		< $DATA >/dev/null 2>&1 && \
150		fail "failed signature for $t with expired key"
151
152	# key lifespan valid
153	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
154		-Overify-time="19850101" \
155		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
156		fail "failed find-principals for $t key with valid expiry interval"
157	# key not yet valid
158	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
159		-Overify-time="19790101" \
160		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
161		fail "failed find-principals for $t not-yet-valid key"
162	# key expired
163	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
164		-Overify-time="19990101" \
165		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
166		fail "failed find-principals for $t with expired key"
167	# NB. assumes we're not running this test in the 1980s
168	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
169		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
170		fail "failed find-principals for $t with expired key"
171
172	# public key in revoked keys file
173	cat $pubkey > $OBJ/revoked_keys
174	(printf "$sig_principal namespaces=\"whatever\" " ;
175	 cat $pubkey) > $OBJ/allowed_signers
176	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
177		-I $sig_principal -f $OBJ/allowed_signers \
178		-r $OBJ/revoked_keys \
179		< $DATA >/dev/null 2>&1 && \
180		fail "accepted signature for $t key, but key is in revoked_keys"
181
182	# public key not revoked, but others are present in revoked_keysfile
183	cat $WRONG > $OBJ/revoked_keys
184	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
185	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
186		-I $sig_principal -f $OBJ/allowed_signers \
187		-r $OBJ/revoked_keys \
188		< $DATA >/dev/null 2>&1 || \
189		fail "couldn't verify signature for $t key, but key not in revoked_keys"
190
191	# check-novalidate with valid data
192	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
193		< $DATA >/dev/null 2>&1 || \
194		fail "failed to check valid signature for $t key"
195
196	# check-novalidate with invalid data
197	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
198		< $DATA2 >/dev/null 2>&1 && \
199		fail "succeeded checking signature for $t key with invalid data"
200
201	# find-principals with valid public key
202	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
203	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
204		fail "failed to find valid principals in allowed_signers"
205
206	# find-principals with wrong key not in allowed_signers
207	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
208	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
209		fail "succeeded finding principal with invalid signers file"
210
211	# Check signing keys using ssh-agent.
212	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
213	${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
214
215	# Move private key to ensure agent key is used
216	mv ${privkey} ${privkey}.tmp
217
218	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
219		< $DATA > $sigfile_agent 2>/dev/null || \
220		fail "ssh-agent based sign using $pubkey failed"
221	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
222		-n $sig_namespace < $DATA >/dev/null 2>&1 || \
223		fail "failed to check valid signature for $t key"
224
225	# Move private key back
226	mv ${privkey}.tmp ${privkey}
227
228	# Duplicate principals & keys in allowed_signers but with different validities
229	( printf "$sig_principal " ;
230	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
231	  cat $pubkey;
232	  printf "${sig_principal} " ;
233	  printf "valid-after=\"19850101\",valid-before=\"20000101\" " ;
234	  cat $pubkey) > $OBJ/allowed_signers
235
236	# find-principals outside of any validity lifespan
237	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
238		-Overify-time="20100101" \
239		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
240		fail "succeeded find-principals for $t verify-time outside of validity"
241	# find-principals matching only the first lifespan
242	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
243		-Overify-time="19830101" \
244		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
245		fail "failed find-principals for $t verify-time within first span"
246	# find-principals matching both lifespans
247	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
248		-Overify-time="19880101" \
249		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
250		fail "failed find-principals for $t verify-time within both spans"
251	# find-principals matching only the second lifespan
252	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
253		-Overify-time="19950101" \
254		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
255		fail "failed find-principals for $t verify-time within second span"
256
257	# verify outside of any validity lifespan
258	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
259		-Overify-time="20100101" -I $sig_principal \
260		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
261		< $DATA >/dev/null 2>&1 && \
262		fail "succeeded verify for $t verify-time outside of validity"
263	# verify matching only the first lifespan
264	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
265		-Overify-time="19830101" -I $sig_principal \
266		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
267		< $DATA >/dev/null 2>&1 || \
268		fail "failed verify for $t verify-time within first span"
269	# verify matching both lifespans
270	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
271		-Overify-time="19880101" -I $sig_principal \
272		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
273		< $DATA >/dev/null 2>&1 || \
274		fail "failed verify for $t verify-time within both spans"
275	# verify matching only the second lifespan
276	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
277		-Overify-time="19950101" -I $sig_principal \
278		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
279		< $DATA >/dev/null 2>&1 || \
280		fail "failed verify for $t verify-time within second span"
281
282	# Remaining tests are for certificates only.
283	case "$keybase" in
284		*-cert) ;;
285		*) continue ;;
286	esac
287
288	# Check key lifespan on find-principals when using the CA
289	( printf "$sig_principal " ;
290	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
291	  cat $CA_PUB) > $OBJ/allowed_signers
292	# key lifespan valid
293	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
294		-Overify-time="19850101" \
295		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
296		fail "failed find-principals for $t key with valid expiry interval"
297	# key not yet valid
298	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
299		-Overify-time="19790101" \
300		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
301		fail "failed find-principals for $t not-yet-valid key"
302	# key expired
303	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
304		-Overify-time="19990101" \
305		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
306		fail "failed find-principals for $t with expired key"
307	# NB. assumes we're not running this test in the 1980s
308	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
309		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
310		fail "failed find-principals for $t with expired key"
311
312	# correct CA key
313	(printf "$sig_principal cert-authority " ;
314	 cat $CA_PUB) > $OBJ/allowed_signers
315	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
316		-I $sig_principal -f $OBJ/allowed_signers \
317		-Overify-time=19850101 \
318		< $DATA >/dev/null 2>&1 || \
319		fail "failed signature for $t cert"
320
321	# find-principals
322	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
323		-Overify-time=19850101 \
324		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
325		fail "failed find-principals for $t with ca key"
326
327	# signing key listed as cert-authority
328	(printf "$sig_principal cert-authority " ;
329	 cat $pubkey) > $OBJ/allowed_signers
330	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
331		-I $sig_principal -f $OBJ/allowed_signers \
332		< $DATA >/dev/null 2>&1 && \
333		fail "accepted signature with $t key listed as CA"
334
335	# CA key not flagged cert-authority
336	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
337	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
338		-I $sig_principal -f $OBJ/allowed_signers \
339		< $DATA >/dev/null 2>&1 && \
340		fail "accepted signature for $t cert with CA not marked"
341
342	# mismatch between cert principal and file
343	(printf "josef.k@example.com cert-authority " ;
344	 cat $CA_PUB) > $OBJ/allowed_signers
345	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
346		-I $sig_principal -f $OBJ/allowed_signers \
347		< $DATA >/dev/null 2>&1 && \
348		fail "accepted signature for $t cert with wrong principal"
349
350	# Cert valid but CA revoked
351	cat $CA_PUB > $OBJ/revoked_keys
352	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
353	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
354		-I $sig_principal -f $OBJ/allowed_signers \
355		-r $OBJ/revoked_keys \
356		< $DATA >/dev/null 2>&1 && \
357		fail "accepted signature for $t key, but CA key in revoked_keys"
358
359	# Set lifespan of CA key and verify signed user certs behave accordingly
360	( printf "$sig_principal " ;
361	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
362	  cat $CA_PUB) > $OBJ/allowed_signers
363
364	# CA key lifespan valid
365	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
366		-I $sig_principal -f $OBJ/allowed_signers \
367		-Overify-time=19850101 \
368		< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
369		fail "failed signature for $t key with valid CA expiry interval"
370	# CA lifespan is valid but user key not yet valid
371	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
372		-I $sig_principal -f $OBJ/allowed_signers \
373		-Overify-time=19810101 \
374		< $DATA >/dev/null 2>&1 && \
375		fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
376	# CA lifespan is valid but user key expired
377	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
378		-I $sig_principal -f $OBJ/allowed_signers \
379		-Overify-time=19890101 \
380		< $DATA >/dev/null 2>&1 && \
381		fail "accepted signature for $t key with valid CA expiry interval but expired cert"
382	# CA key not yet valid
383	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
384		-I $sig_principal -f $OBJ/allowed_signers \
385		-Overify-time=19790101 \
386		< $DATA >/dev/null 2>&1 && \
387		fail "accepted signature for $t not-yet-valid CA key"
388	# CA key expired
389	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
390		-I $sig_principal -f $OBJ/allowed_signers \
391		-Overify-time=19910101 \
392		< $DATA >/dev/null 2>&1 && \
393		fail "accepted signature for $t with expired CA key"
394	# NB. assumes we're not running this test in the 1980s
395	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
396		-I $sig_principal -f $OBJ/allowed_signers \
397		< $DATA >/dev/null 2>&1 && \
398		fail "accepted signature for $t with expired CA key"
399
400	# Set lifespan of CA outside of the cert validity
401	( printf "$sig_principal " ;
402	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
403	  cat $CA_PUB) > $OBJ/allowed_signers
404	# valid cert validity but expired CA
405	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
406		-I $sig_principal -f $OBJ/allowed_signers \
407		-Overify-time=19840101 \
408		< $DATA >/dev/null 2>&1 && \
409		fail "accepted signature for $t key with expired CA but valid cert"
410
411done
412
413# Test key independant match-principals
414(
415	printf "principal1 " ; cat $pubkey;
416	printf "princi* " ; cat $pubkey;
417	printf "unique " ; cat $pubkey;
418) > $OBJ/allowed_signers
419
420verbose "$tid: match principals"
421${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
422    fgrep "unique" >/dev/null || \
423	fail "faild to match static principal"
424
425${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
426    fgrep "princi*" >/dev/null || \
427	fail "faild to match wildcard principal"
428
429${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
430    fgrep -e "principal1" -e "princi*" >/dev/null || \
431	fail "faild to match static and wildcard principal"
432verbose "$tid: nomatch principals"
433for x in princ prince unknown ; do
434	${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \
435	    -I $x >/dev/null 2>&1 && \
436		fail "succeeded to match unknown principal \"$x\""
437done
438
439trace "kill agent"
440${SSHAGENT} -k > /dev/null
441
442