xref: /freebsd/crypto/openssh/regress/cert-file.sh (revision 8ef24a0d4b28fe230e20637f56869cc4148cd2ca) 
1#	$OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
2#	Placed in the Public Domain.
3
4tid="ssh with certificates"
5
6rm -f $OBJ/user_ca_key* $OBJ/user_key*
7rm -f $OBJ/cert_user_key*
8
9# Create a CA key
10${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
11	fatal "ssh-keygen failed"
12${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key2 ||\
13	fatal "ssh-keygen failed"
14
15# Make some keys and certificates.
16${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
17	fatal "ssh-keygen failed"
18${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
19	fatal "ssh-keygen failed"
20# Move the certificate to a different address to better control
21# when it is offered.
22${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
23	-z $$ -n ${USER} $OBJ/user_key1 ||
24		fail "couldn't sign user_key1 with user_ca_key1"
25mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
26${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
27	-z $$ -n ${USER} $OBJ/user_key1 ||
28		fail "couldn't sign user_key1 with user_ca_key2"
29mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
30
31trace 'try with identity files'
32opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
33opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
34echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
35
36for p in ${SSH_PROTOCOLS}; do
37	# Just keys should fail
38	${SSH} $opts2 somehost exit 5$p
39	r=$?
40	if [ $r -eq 5$p ]; then
41		fail "ssh succeeded with no certs in protocol $p"
42	fi
43
44	# Keys with untrusted cert should fail.
45	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
46	${SSH} $opts3 somehost exit 5$p
47	r=$?
48	if [ $r -eq 5$p ]; then
49		fail "ssh succeeded with bad cert in protocol $p"
50	fi
51
52	# Good cert with bad key should fail.
53	opts3="$opts -i $OBJ/user_key2"
54	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
55	${SSH} $opts3 somehost exit 5$p
56	r=$?
57	if [ $r -eq 5$p ]; then
58		fail "ssh succeeded with no matching key in protocol $p"
59	fi
60
61	# Keys with one trusted cert, should succeed.
62	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
63	${SSH} $opts3 somehost exit 5$p
64	r=$?
65	if [ $r -ne 5$p ]; then
66		fail "ssh failed with trusted cert and key in protocol $p"
67	fi
68
69	# Multiple certs and keys, with one trusted cert, should succeed.
70	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
71	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
72	${SSH} $opts3 somehost exit 5$p
73	r=$?
74	if [ $r -ne 5$p ]; then
75		fail "ssh failed with multiple certs in protocol $p"
76	fi
77
78	#Keys with trusted certificate specified in config options, should succeed.
79	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
80	${SSH} $opts3 somehost exit 5$p
81	r=$?
82	if [ $r -ne 5$p ]; then
83		fail "ssh failed with trusted cert in config in protocol $p"
84	fi
85done
86
87#next, using an agent in combination with the keys
88SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
89if [ $? -ne 2 ]; then
90	fatal "ssh-add -l did not fail with exit code 2"
91fi
92
93trace "start agent"
94eval `${SSHAGENT} -s` > /dev/null
95r=$?
96if [ $r -ne 0 ]; then
97	fatal "could not start ssh-agent: exit code $r"
98fi
99
100# add private keys to agent
101${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
102if [ $? -ne 0 ]; then
103	fatal "ssh-add did not succeed with exit code 0"
104fi
105${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
106if [ $? -ne 0 ]; then
107	fatal "ssh-add did not succeed with exit code 0"
108fi
109
110# try ssh with the agent and certificates
111# note: ssh agent only uses certificates in protocol 2
112opts="-F $OBJ/ssh_proxy"
113# with no certificates, shoud fail
114${SSH} -2 $opts somehost exit 52
115if [ $? -eq 52 ]; then
116	fail "ssh connect with agent in protocol 2 succeeded with no cert"
117fi
118
119#with an untrusted certificate, should fail
120opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
121${SSH} -2 $opts somehost exit 52
122if [ $? -eq 52 ]; then
123	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
124fi
125
126#with an additional trusted certificate, should succeed
127opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
128${SSH} -2 $opts somehost exit 52
129if [ $? -ne 52 ]; then
130	fail "ssh connect with agent in protocol 2 failed with good cert"
131fi
132
133trace "kill agent"
134${SSHAGENT} -k > /dev/null
135
136#cleanup
137rm -f $OBJ/user_ca_key* $OBJ/user_key*
138rm -f $OBJ/cert_user_key*
139