# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
# Placed in the Public Domain.

# Regression test for certificate-based user authentication: which
# combinations of private key, certificate file and agent key let ssh log in.
# The script uses names it does not define itself (OBJ, USER, SSHKEYGEN, SSH,
# SSHADD, SSHAGENT, EXTRA_AGENT_ARGS, fatal, fail, trace, verbose);
# presumably the regress harness that runs it provides them.

tid="ssh with certificates"

# Remove leftovers from an earlier run so stale keys or certificates cannot
# influence the results.
rm -f $OBJ/user_ca_key* $OBJ/user_key*
rm -f $OBJ/cert_user_key*

# Create a CA key
# Two independent CAs are generated. -N '' means no passphrase: these are
# throwaway test keys, deleted again by the cleanup at the end of the script.
for ca in user_ca_key1 user_ca_key2; do
	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/$ca ||
		fatal "ssh-keygen failed"
done

# Make some keys and certificates.
# Five user keys; which of them get a certificate is decided by the signing
# steps that follow.
for id in user_key1 user_key2 user_key3 user_key4 user_key5; do
	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/$id ||
		fatal "ssh-keygen failed"
done

# Move the certificate to a different address to better control
# when it is offered.
# Every certificate carries the same identity string (-I), the shell's PID as
# serial number (-z) and $USER as its only principal (-n).
cert_id="regress user key for $USER"

# user_key1 is signed twice, once per CA. ssh-keygen always writes
# user_key1-cert.pub, so each result is renamed straight away; the renamed
# files are only offered when named through CertificateFile.
if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "$cert_id" \
    -z $$ -n ${USER} $OBJ/user_key1; then
	fatal "couldn't sign user_key1 with user_ca_key1"
fi
mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub

if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "$cert_id" \
    -z $$ -n ${USER} $OBJ/user_key1; then
	fatal "couldn't sign user_key1 with user_ca_key2"
fi
mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub

# user_key3 keeps its private key and user_key3-cert.pub but loses the plain
# public key.
if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "$cert_id" \
    -z $$ -n ${USER} $OBJ/user_key3; then
	fatal "couldn't sign user_key3 with user_ca_key1"
fi
rm $OBJ/user_key3.pub # to test use of private key w/o public half.

# user_key4 ends up as a certificate with neither key half on disk.
# NOTE(review): no later case in this script references user_key4-cert.pub.
if ! ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "$cert_id" \
    -z $$ -n ${USER} $OBJ/user_key4; then
	fatal "couldn't sign user_key4 with user_ca_key1"
fi
rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case.

trace 'try with identity files'
# IdentitiesOnly=yes limits ssh to the identities and certificates configured
# explicitly, so each case controls exactly what is offered.
opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"

# The only entry written to authorized_keys is a cert-authority line for
# user_ca_key1: plain keys and certificates issued by user_ca_key2 are not
# listed. (Assumes the test sshd reads this file; that is configured outside
# this script.)
printf 'cert-authority %s\n' "$(cat $OBJ/user_ca_key1.pub)" \
    > $OBJ/authorized_keys_$USER

# Make a clean config that doesn't have any pre-added identities.
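# Copy of the proxy config with every line mentioning IdentityFile dropped.
grep -v IdentityFile < $OBJ/ssh_proxy > $OBJ/no_identity_config

# Each case below runs "exit 52" as the remote command. ssh returning 52
# therefore means authentication succeeded and the command ran; any other
# status is treated as a failed login.

# XXX: verify that certificate used was what we expect. Needs exposure of
# keys via environment variable or similar.

# Key with no .pub should work - finding the equivalent *-cert.pub.
verbose "identity cert with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
    -i $OBJ/user_key3 somehost exit 52
[ $? -ne 52 ] && fail "ssh failed"

# CertificateFile matching private key with no .pub file should work.
verbose "CertificateFile with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
    -oCertificateFile=$OBJ/user_key3-cert.pub \
    -i $OBJ/user_key3 somehost exit 52
[ $? -ne 52 ] && fail "ssh failed"

# Just keys should fail
# (authorized_keys holds only a cert-authority entry, no plain keys.)
verbose "plain keys"
${SSH} $opts2 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with no certs"
fi

# Keys with untrusted cert should fail.
# cert_user_key1_2.pub was issued by user_ca_key2, which is not listed as a
# cert-authority.
verbose "untrusted cert"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with bad cert"
fi

# Good cert with bad key should fail.
# The certificate belongs to user_key1, but only user_key2 is offered as the
# identity.
verbose "good cert, bad key"
opts3="$opts -i $OBJ/user_key2"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
	fail "ssh succeeded with no matching key"
fi

# Keys with one trusted cert, should succeed.
verbose "single trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed with trusted cert and key"
fi

# Multiple certs and keys, with one trusted cert, should succeed.
verbose "multiple trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
	fail "ssh failed with multiple certs"
fi

#next, using an agent in combination with the keys
# Sanity check first: with an unusable socket, ssh-add must report exit
# code 2 (agent unreachable) rather than silently reaching some other agent.
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
	fatal "ssh-add -l did not fail with exit code 2"
fi

trace "start agent"
# Capture the agent's output before evaluating it, so that $r is ssh-agent's
# own exit status. Checking $? after `eval` of a command substitution only
# reports the status of the evaluated text (0 when that text is empty), which
# would hide a failed start; the ssh-add calls below would then use whatever
# SSH_AUTH_SOCK was inherited from the environment, if any.
agent_env=$(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s)
r=$?
if [ $r -ne 0 ]; then
	fatal "could not start ssh-agent: exit code $r"
fi
eval "$agent_env" > /dev/null

# add private keys to agent
# -k loads the plain private keys only and skips their certificates, so any
# certificate has to come from CertificateFile in the cases below.
${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
if [ $? -ne 0 ]; then
	fatal "ssh-add did not succeed with exit code 0"
fi
${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
if [ $? -ne 0 ]; then
	fatal "ssh-add did not succeed with exit code 0"
fi

# try ssh with the agent and certificates
# opts is extended from case to case, so the last run offers both
# certificates.
opts="-F $OBJ/ssh_proxy"
# with no certificates, should fail
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in succeeded with no cert"
fi

#with an untrusted certificate, should fail
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
	fail "ssh connect with agent in succeeded with bad cert"
fi

#with an additional trusted certificate, should succeed
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts somehost exit 52
if [ $? -ne 52 ]; then
	fail "ssh connect with agent in failed with good cert"
fi

trace "kill agent"
${SSHAGENT} -k > /dev/null

#cleanup
# Remove all generated CA keys, user keys and certificates.
rm -f $OBJ/user_ca_key* $OBJ/user_key*
rm -f $OBJ/cert_user_key*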