Lines Matching +full:key +full:-
9 rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
11 sig_namespace="test-$$"
12 sig_principal="user-$$@example.com"
14 # Make a "wrong key"
15 ${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
16 -C "wrong trousers, Grommit" -N '' \
17 || fatal "couldn't generate key"
18 WRONG=$OBJ/wrong-key.pub
20 # Make a CA key.
21 ${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22 || fatal "couldn't generate key"
23 CA_PRIV=$OBJ/sigca-key
24 CA_PUB=$OBJ/sigca-key.pub
27 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
29 if [ $r -ne 0 ]; then
30 fatal "could not start ssh-agent: exit code $r"
36 ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
37 -I "regress signature key for $USER" \
38 -V "19840101:19860101" \
39 -n $sig_principal $OBJ/${t} || \
41 SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
47 privkey=${OBJ}/`basename $t -cert.pub`
48 sigfile=${OBJ}/sshsig-${keybase}.sig
49 sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
51 cert=${OBJ}/${keybase}-cert.pub
52 sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
54 trace "$tid: key type $t check bad hashlg"
55 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
56 -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
62 *) hashalg_arg="-Ohashalg=$h" ;;
64 trace "$tid: key type $t sign with hash $h"
65 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
69 trace "$tid: key type $t verify with hash $h"
70 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
71 -I $sig_principal -f $OBJ/allowed_signers \
73 fail "failed signature for $t / $h key"
76 trace "$tid: key type $t verify with limited namespace"
79 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
80 -I $sig_principal -f $OBJ/allowed_signers \
82 fail "failed signature for $t key w/ limited namespace"
84 trace "$tid: key type $t print-pubkey"
87 ${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
88 -I $sig_principal -f $OBJ/allowed_signers \
89 -O print-pubkey \
90 < $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
91 fail "failed signature for $t key w/ print-pubkey"
92 cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
93 diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
94 fail "print-pubkey differs from signature key"
97 trace "$tid: key type $t verify with bad signers"
99 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
100 -I $sig_principal -f $OBJ/allowed_signers \
102 fail "accepted signature for $t key with bad signers option"
104 # Wrong key trusted.
105 trace "$tid: key type $t verify with wrong key"
107 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
108 -I $sig_principal -f $OBJ/allowed_signers \
110 fail "accepted signature for $t key with wrong key trusted"
113 trace "$tid: key type $t verify with wrong data"
115 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
116 -I $sig_principal -f $OBJ/allowed_signers \
118 fail "passed signature for wrong data with $t key"
121 trace "$tid: key type $t verify with wrong principal"
123 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
124 -I $sig_principal -f $OBJ/allowed_signers \
126 fail "accepted signature for $t key with wrong principal"
129 trace "$tid: key type $t verify with wrong namespace"
131 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
132 -I $sig_principal -f $OBJ/allowed_signers \
134 fail "accepted signature for $t key with wrong namespace"
137 trace "$tid: key type $t verify with excluded namespace"
140 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
141 -I $sig_principal -f $OBJ/allowed_signers \
143 fail "accepted signature for $t key with excluded namespace"
146 printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
149 # key lifespan valid
150 trace "$tid: key type $t verify with valid lifespan"
151 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
152 -I $sig_principal -f $OBJ/allowed_signers \
153 -Overify-time=19850101 \
155 fail "failed signature for $t key with valid expiry interval"
156 # key not yet valid
157 trace "$tid: key type $t verify with not-yet-valid lifespan"
158 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
159 -I $sig_principal -f $OBJ/allowed_signers \
160 -Overify-time=19790101 \
162 fail "failed signature for $t not-yet-valid key"
163 # key expired
164 trace "$tid: key type $t verify with expired lifespan"
165 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
166 -I $sig_principal -f $OBJ/allowed_signers \
167 -Overify-time=19910101 \
169 fail "failed signature for $t with expired key"
171 trace "$tid: key type $t verify with expired lifespan (now)"
172 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
173 -I $sig_principal -f $OBJ/allowed_signers \
175 fail "failed signature for $t with expired key"
177 # key lifespan valid
178 trace "$tid: key type $t find-principals with valid lifespan"
179 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
180 -Overify-time="19850101" \
181 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
182 fail "failed find-principals for $t key with valid expiry interval"
183 # key not yet valid
184 trace "$tid: key type $t find principals with not-yet-valid lifespan"
185 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
186 -Overify-time="19790101" \
187 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
188 fail "failed find-principals for $t not-yet-valid key"
189 # key expired
190 trace "$tid: key type $t find-principals with expired lifespan"
191 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
192 -Overify-time="19990101" \
193 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
194 fail "failed find-principals for $t with expired key"
196 trace "$tid: key type $t find-principals with expired lifespan (now)"
197 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
198 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
199 fail "failed find-principals for $t with expired key"
201 # public key in revoked keys file
202 trace "$tid: key type $t verify with revoked key"
206 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
207 -I $sig_principal -f $OBJ/allowed_signers \
208 -r $OBJ/revoked_keys \
210 fail "accepted signature for $t key, but key is in revoked_keys"
212 # public key not revoked, but others are present in revoked_keysfile
213 trace "$tid: key type $t verify with unrevoked key"
216 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
217 -I $sig_principal -f $OBJ/allowed_signers \
218 -r $OBJ/revoked_keys \
220 fail "couldn't verify signature for $t key, but key not in revoked_keys"
222 # check-novalidate with valid data
223 trace "$tid: key type $t check-novalidate with valid data"
224 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
226 fail "failed to check valid signature for $t key"
228 # check-novalidate with invalid data
229 trace "$tid: key type $t check-novalidate with invalid data"
230 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
232 fail "succeeded checking signature for $t key with invalid data"
234 # find-principals with valid public key
235 trace "$tid: key type $t find-principals with valid key"
237 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
240 # find-principals with wrong key not in allowed_signers
241 trace "$tid: key type $t find-principals with wrong key"
243 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
246 # find-principals with a configured namespace but none on command-line
247 trace "$tid: key type $t find-principals with missing namespace"
251 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
252 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
255 # Check signing keys using ssh-agent.
256 trace "$tid: key type $t prepare agent"
257 ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
258 ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
260 # Move private key to ensure agent key is used
263 trace "$tid: key type $t sign with agent"
264 ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
266 fail "ssh-agent based sign using $pubkey failed"
267 trace "$tid: key type $t check signature w/ agent"
268 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
269 -n $sig_namespace < $DATA >/dev/null 2>&1 || \
270 fail "failed to check valid signature for $t key"
273 ${SSHKEYGEN} -vvv -Y verify -s $sigfile_agent -n $sig_namespace \
274 -I $sig_principal -f $OBJ/allowed_signers \
276 fail "failed signature for $t key w/ limited namespace"
278 # Move private key back
283 printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
286 printf "valid-after=\"19850101\",valid-before=\"20000101\" " ;
289 # find-principals outside of any validity lifespan
290 trace "$tid: key type $t find principals outside multiple validities"
291 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
292 -Overify-time="20100101" \
293 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
294 fail "succeeded find-principals for $t verify-time outside of validity"
295 # find-principals matching only the first lifespan
296 trace "$tid: key type $t find principals matching one validity (1st)"
297 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
298 -Overify-time="19830101" \
299 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
300 fail "failed find-principals for $t verify-time within first span"
301 # find-principals matching both lifespans
302 trace "$tid: key type $t find principals matching two validities"
303 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
304 -Overify-time="19880101" \
305 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
306 fail "failed find-principals for $t verify-time within both spans"
307 # find-principals matching only the second lifespan
308 trace "$tid: key type $t find principals matching one validity (2nd)"
309 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
310 -Overify-time="19950101" \
311 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
312 fail "failed find-principals for $t verify-time within second span"
315 trace "$tid: key type $t verify outside multiple validities"
316 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
317 -Overify-time="20100101" -I $sig_principal \
318 -r $OBJ/revoked_keys -f $OBJ/allowed_signers \
320 fail "succeeded verify for $t verify-time outside of validity"
322 trace "$tid: key type $t verify matching one validity (1st)"
323 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
324 -Overify-time="19830101" -I $sig_principal \
325 -r $OBJ/revoked_keys -f $OBJ/allowed_signers \
327 fail "failed verify for $t verify-time within first span"
329 trace "$tid: key type $t verify matching two validities"
330 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
331 -Overify-time="19880101" -I $sig_principal \
332 -r $OBJ/revoked_keys -f $OBJ/allowed_signers \
334 fail "failed verify for $t verify-time within both spans"
336 trace "$tid: key type $t verify matching one validity (2nd)"
337 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
338 -Overify-time="19950101" -I $sig_principal \
339 -r $OBJ/revoked_keys -f $OBJ/allowed_signers \
341 fail "failed verify for $t verify-time within second span"
345 *-cert) ;;
349 # Check key lifespan on find-principals when using the CA
351 printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
353 # key lifespan valid
354 trace "$tid: key type $t find-principals cert lifetime valid"
355 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
356 -Overify-time="19850101" \
357 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
358 fail "failed find-principals for $t key with valid expiry interval"
359 # key not yet valid
360 trace "$tid: key type $t find-principals cert lifetime not-yet-valid"
361 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
362 -Overify-time="19790101" \
363 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
364 fail "failed find-principals for $t not-yet-valid key"
365 # key expired
366 trace "$tid: key type $t find-principals cert lifetime expired"
367 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
368 -Overify-time="19990101" \
369 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
370 fail "failed find-principals for $t with expired key"
372 trace "$tid: key type $t find-principals cert lifetime expired (now)"
373 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
374 -f $OBJ/allowed_signers >/dev/null 2>&1 && \
375 fail "failed find-principals for $t with expired key"
377 # correct CA key
378 trace "$tid: key type $t verify cert good CA"
379 (printf "$sig_principal cert-authority " ;
381 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
382 -I $sig_principal -f $OBJ/allowed_signers \
383 -Overify-time=19850101 \
387 # find-principals
388 trace "$tid: key type $t find-principals cert good CA"
389 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
390 -Overify-time=19850101 \
391 -f $OBJ/allowed_signers >/dev/null 2>&1 || \
392 fail "failed find-principals for $t with ca key"
395 trace "$tid: key type $t find-principals cert good wildcard CA"
396 (printf "*@example.com cert-authority " ;
398 # find-principals CA with wildcard principal
399 ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
400 -Overify-time=19850101 \
401 -f $OBJ/allowed_signers 2>/dev/null | \
403 fail "failed find-principals for $t with ca key using wildcard principal"
406 trace "$tid: key type $t verify cert good wildcard CA"
407 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
408 -I $sig_principal -f $OBJ/allowed_signers \
409 -Overify-time=19850101 \
413 # signing key listed as cert-authority
414 trace "$tid: key type $t verify signing key listed as CA"
415 (printf "$sig_principal cert-authority " ;
417 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
418 -I $sig_principal -f $OBJ/allowed_signers \
420 fail "accepted signature with $t key listed as CA"
422 # CA key not flagged cert-authority
423 trace "$tid: key type $t verify key not marked as CA"
425 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
426 -I $sig_principal -f $OBJ/allowed_signers \
431 trace "$tid: key type $t verify cert with wrong principal"
432 (printf "josef.k@example.com cert-authority " ;
434 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
435 -I $sig_principal -f $OBJ/allowed_signers \
440 trace "$tid: key type $t verify cert with revoked CA"
443 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
444 -I $sig_principal -f $OBJ/allowed_signers \
445 -r $OBJ/revoked_keys \
447 fail "accepted signature for $t key, but CA key in revoked_keys"
449 # Set lifespan of CA key and verify signed user certs behave accordingly
451 printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
454 # CA key lifespan valid
455 trace "$tid: key type $t verify cert valid CA lifespan"
456 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
457 -I $sig_principal -f $OBJ/allowed_signers \
458 -Overify-time=19850101 \
460 fail "failed signature for $t key with valid CA expiry interval"
461 # CA lifespan is valid but user key not yet valid
462 trace "$tid: key type $t verify cert valid CA lifespan, not-yet-valid cert"
463 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
464 -I $sig_principal -f $OBJ/allowed_signers \
465 -Overify-time=19810101 \
467 fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
468 # CA lifespan is valid but user key expired
469 trace "$tid: key type $t verify cert valid CA lifespan, expired cert"
470 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
471 -I $sig_principal -f $OBJ/allowed_signers \
472 -Overify-time=19890101 \
474 fail "accepted signature for $t key with valid CA expiry interval but expired cert"
475 # CA key not yet valid
476 trace "$tid: key type $t verify cert CA not-yet-valid"
477 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
478 -I $sig_principal -f $OBJ/allowed_signers \
479 -Overify-time=19790101 \
481 fail "accepted signature for $t not-yet-valid CA key"
482 # CA key expired
483 trace "$tid: key type $t verify cert CA expired"
484 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
485 -I $sig_principal -f $OBJ/allowed_signers \
486 -Overify-time=19910101 \
488 fail "accepted signature for $t with expired CA key"
490 trace "$tid: key type $t verify cert CA expired (now)"
491 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
492 -I $sig_principal -f $OBJ/allowed_signers \
494 fail "accepted signature for $t with expired CA key"
497 trace "$tid: key type $t verify CA/cert lifespan mismatch"
499 printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
502 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
503 -I $sig_principal -f $OBJ/allowed_signers \
504 -Overify-time=19840101 \
506 fail "accepted signature for $t key with expired CA but valid cert"
510 # Test key independant match-principals
518 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
523 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
528 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
529 fgrep -e "principal1" -e "princi*" >/dev/null || \
533 ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \
534 -I $x >/dev/null 2>&1 && \
539 ${SSHAGENT} -k > /dev/null