xref: /freebsd/crypto/openssh/regress/cert-hostkey.sh (revision 8d20be1e22095c27faf8fe8b2f0d089739cc742e)
1#	$OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
2#	Placed in the Public Domain.
3
4tid="certified host keys"
5
6# used to disable ECC based tests on platforms without ECC
7ecdsa=""
8if test "x$TEST_SSH_ECC" = "xyes"; then
9	ecdsa=ecdsa
10fi
11
12rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
14
15HOSTS='localhost-with-alias,127.0.0.1,::1'
16
17# Create a CA key and add it to known hosts
18${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
19	fail "ssh-keygen of host_ca_key failed"
20(
21	printf '@cert-authority '
22	printf "$HOSTS "
23	cat $OBJ/host_ca_key.pub
24) > $OBJ/known_hosts-cert
25
26# Generate and sign host keys
27for ktype in rsa dsa $ecdsa ; do
28	verbose "$tid: sign host ${ktype} cert"
29	# Generate and sign a host key
30	${SSHKEYGEN} -q -N '' -t ${ktype} \
31	    -f $OBJ/cert_host_key_${ktype} || \
32		fail "ssh-keygen of cert_host_key_${ktype} failed"
33	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
34	    -I "regress host key for $USER" \
35	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
36		fail "couldn't sign cert_host_key_${ktype}"
37	# v00 ecdsa certs do not exist
38	test "${ktype}" = "ecdsa" && continue
39	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
40	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
41	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
42	    -I "regress host key for $USER" \
43	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
44		fail "couldn't sign cert_host_key_${ktype}_v00"
45done
46
47# Basic connect tests
48for privsep in yes no ; do
49	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
50		verbose "$tid: host ${ktype} cert connect privsep $privsep"
51		(
52			cat $OBJ/sshd_proxy_bak
53			echo HostKey $OBJ/cert_host_key_${ktype}
54			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
55			echo UsePrivilegeSeparation $privsep
56		) > $OBJ/sshd_proxy
57
58		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
59		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
60			-F $OBJ/ssh_proxy somehost true
61		if [ $? -ne 0 ]; then
62			fail "ssh cert connect failed"
63		fi
64	done
65done
66
67# Revoked certificates with key present
68(
69	printf '@cert-authority '
70	printf "$HOSTS "
71	cat $OBJ/host_ca_key.pub
72	printf '@revoked '
73	printf "* "
74	cat $OBJ/cert_host_key_rsa.pub
75	if test "x$TEST_SSH_ECC" = "xyes"; then
76		printf '@revoked '
77		printf "* "
78		cat $OBJ/cert_host_key_ecdsa.pub
79	fi
80	printf '@revoked '
81	printf "* "
82	cat $OBJ/cert_host_key_dsa.pub
83	printf '@revoked '
84	printf "* "
85	cat $OBJ/cert_host_key_rsa_v00.pub
86	printf '@revoked '
87	printf "* "
88	cat $OBJ/cert_host_key_dsa_v00.pub
89) > $OBJ/known_hosts-cert
90for privsep in yes no ; do
91	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
92		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
93		(
94			cat $OBJ/sshd_proxy_bak
95			echo HostKey $OBJ/cert_host_key_${ktype}
96			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
97			echo UsePrivilegeSeparation $privsep
98		) > $OBJ/sshd_proxy
99
100		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
101		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
102			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
103		if [ $? -eq 0 ]; then
104			fail "ssh cert connect succeeded unexpectedly"
105		fi
106	done
107done
108
109# Revoked CA
110(
111	printf '@cert-authority '
112	printf "$HOSTS "
113	cat $OBJ/host_ca_key.pub
114	printf '@revoked '
115	printf "* "
116	cat $OBJ/host_ca_key.pub
117) > $OBJ/known_hosts-cert
118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
119	verbose "$tid: host ${ktype} revoked cert"
120	(
121		cat $OBJ/sshd_proxy_bak
122		echo HostKey $OBJ/cert_host_key_${ktype}
123		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
124	) > $OBJ/sshd_proxy
125	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
126	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
127		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
128	if [ $? -eq 0 ]; then
129		fail "ssh cert connect succeeded unexpectedly"
130	fi
131done
132
133# Create a CA key and add it to known hosts
134(
135	printf '@cert-authority '
136	printf "$HOSTS "
137	cat $OBJ/host_ca_key.pub
138) > $OBJ/known_hosts-cert
139
140test_one() {
141	ident=$1
142	result=$2
143	sign_opts=$3
144
145	for kt in rsa rsa_v00 ; do
146		case $kt in
147		*_v00) args="-t v00" ;;
148		*) args="" ;;
149		esac
150
151		verbose "$tid: host cert connect $ident $kt expect $result"
152		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
153		    -I "regress host key for $USER" \
154		    $sign_opts $args \
155		    $OBJ/cert_host_key_${kt} ||
156			fail "couldn't sign cert_host_key_${kt}"
157		(
158			cat $OBJ/sshd_proxy_bak
159			echo HostKey $OBJ/cert_host_key_${kt}
160			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
161		) > $OBJ/sshd_proxy
162
163		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
164		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
165		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
166		rc=$?
167		if [ "x$result" = "xsuccess" ] ; then
168			if [ $rc -ne 0 ]; then
169				fail "ssh cert connect $ident failed unexpectedly"
170			fi
171		else
172			if [ $rc -eq 0 ]; then
173				fail "ssh cert connect $ident succeeded unexpectedly"
174			fi
175		fi
176	done
177}
178
179test_one "user-certificate"	failure "-n $HOSTS"
180test_one "empty principals"	success "-h"
181test_one "wrong principals"	failure "-h -n foo"
182test_one "cert not yet valid"	failure "-h -V20200101:20300101"
183test_one "cert expired"		failure "-h -V19800101:19900101"
184test_one "cert valid interval"	success "-h -V-1w:+2w"
185test_one "cert has constraints"	failure "-h -Oforce-command=false"
186
187# Check downgrade of cert to raw key when no CA found
188for v in v01 v00 ;  do
189	for ktype in rsa dsa $ecdsa ; do
190		# v00 ecdsa certs do not exist.
191		test "${v}${ktype}" = "v00ecdsa" && continue
192		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
193		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
194		# Generate and sign a host key
195		${SSHKEYGEN} -q -N '' -t ${ktype} \
196		    -f $OBJ/cert_host_key_${ktype} || \
197			fail "ssh-keygen of cert_host_key_${ktype} failed"
198		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
199		    -I "regress host key for $USER" \
200		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
201			fail "couldn't sign cert_host_key_${ktype}"
202		(
203			printf "$HOSTS "
204			cat $OBJ/cert_host_key_${ktype}.pub
205		) > $OBJ/known_hosts-cert
206		(
207			cat $OBJ/sshd_proxy_bak
208			echo HostKey $OBJ/cert_host_key_${ktype}
209			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
210		) > $OBJ/sshd_proxy
211
212		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
213		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
214			-F $OBJ/ssh_proxy somehost true
215		if [ $? -ne 0 ]; then
216			fail "ssh cert connect failed"
217		fi
218	done
219done
220
221# Wrong certificate
222(
223	printf '@cert-authority '
224	printf "$HOSTS "
225	cat $OBJ/host_ca_key.pub
226) > $OBJ/known_hosts-cert
227for v in v01 v00 ;  do
228	for kt in rsa dsa $ecdsa ; do
229		# v00 ecdsa certs do not exist.
230		test "${v}${ktype}" = "v00ecdsa" && continue
231		rm -f $OBJ/cert_host_key*
232		# Self-sign key
233		${SSHKEYGEN} -q -N '' -t ${kt} \
234		    -f $OBJ/cert_host_key_${kt} || \
235			fail "ssh-keygen of cert_host_key_${kt} failed"
236		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
237		    -I "regress host key for $USER" \
238		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
239			fail "couldn't sign cert_host_key_${kt}"
240		verbose "$tid: host ${kt} connect wrong cert"
241		(
242			cat $OBJ/sshd_proxy_bak
243			echo HostKey $OBJ/cert_host_key_${kt}
244			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
245		) > $OBJ/sshd_proxy
246
247		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
248		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
249			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
250		if [ $? -eq 0 ]; then
251			fail "ssh cert connect $ident succeeded unexpectedly"
252		fi
253	done
254done
255
256rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
257