xref: /freebsd/crypto/openssh/regress/krl.sh (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
#	$OpenBSD: krl.sh,v 1.12 2023/01/16 04:11:29 djm Exp $
#	Placed in the Public Domain.
tid="key revocation lists"

# ed25519 is the baseline for every key-type slot: it is fast and it is
# still available when OpenSSH is built without OpenSSL.  Slots ktype2 to
# ktype6 switch to another algorithm only when $SSH_KEYTYPES lists it.
ktype1=ed25519
ktype2=ed25519
ktype3=ed25519
ktype4=ed25519
ktype5=ed25519
ktype6=ed25519
for t in $SSH_KEYTYPES; do
	case "$t" in
	ecdsa*)
		ktype2=ecdsa
		;;
	ssh-rsa)
		ktype3=rsa
		;;
	ssh-dss)
		ktype4=dsa
		;;
	sk-ssh-ed25519@openssh.com)
		ktype5=ed25519-sk
		;;
	sk-ecdsa-sha2-nistp256@openssh.com)
		ktype6=ecdsa-sk
		;;
	esac
done
# Most checks below go through ssh-keygen, which uses the same verification
# code as sshd.

# Clear artefacts left by earlier runs; old keys would interfere with
# ssh-keygen.
rm -f $OBJ/revoked-*
rm -f $OBJ/krl-*

# Create the CA keys.  revoked-ca signs the test certificates; revoked-ca2
# is a second CA used when building the multi-CA KRL.  Both are throwaway
# test keys, hence the empty passphrase (-N "").
$SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" >/dev/null \
	|| fatal "$SSHKEYGEN CA failed"
$SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" >/dev/null \
	|| fatal "$SSHKEYGEN CA2 failed"
# Revocation spec that lists certificates by serial number.  Single
# serials, adjacent serials and overlapping ranges are mixed so that the
# resulting KRL contains list, range and bitmap sections.
cat >> $OBJ/revoked-serials << EOF
serial: 1-4
serial: 10
serial: 15
serial: 30
serial: 50
serial: 90
serial: 999
# The following sum to 500-799
serial: 500
serial: 501
serial: 502
serial: 503-600
serial: 700-797
serial: 798
serial: 799
serial: 599-701
# Some multiple consecutive serial number ranges
serial: 10000-20000
serial: 30000-40000
EOF
# Revocation spec that lists certificates by key ID: one "id: revoked N"
# line per ID.  jot 500 300 contributes the IDs 300 through 799.
touch $OBJ/revoked-keyid
for n in 1 2 3 4 10 15 30 50 90 $(jot 500 300) 999 1000 1001 1002; do
	# 499 is left out of the spec; it is one of the serials that the
	# test later expects to be unrevoked.
	if [ "x$n" = "x499" ]; then
		continue
	fi
	echo "id: revoked $n" >> $OBJ/revoked-keyid
done
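# Generate a key pair and a certificate for it, signed by $OBJ/revoked-ca.
# Globals:   OBJ, SSHKEYGEN, ktype1..ktype6 (read); N, f, keytype (written)
# Arguments: $1 - number used for the file name suffix (zero-padded to four
#                 digits), the certificate serial (-z) and the key ID
#                 ("revoked N")
# Outputs:   path of the generated private key on stdout
keygen() {
	N=$1
	f=$OBJ/revoked-$(printf "%04d" $N)
	# Vary the keytype. We use mostly ed25519 since this is fast and well
	# supported.
	keytype=$ktype1
	case $N in
	2  | 10 | 510 | 1001)	keytype=$ktype2 ;;
	4  | 30 | 520 | 1002)	keytype=$ktype3 ;;
	8  | 50 | 530 | 1003)	keytype=$ktype4 ;;
	16 | 70 | 540 | 1004)	keytype=$ktype5 ;;
	32 | 90 | 550 | 1005)	keytype=$ktype6 ;;
	esac
	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
		|| fatal "$SSHKEYGEN failed"
	# Sign the certificate.  The serial is taken from this function's own
	# argument, not from the caller's loop variable $n, so the serial
	# always matches the file name and the key ID.
	$SSHKEYGEN -s $OBJ/revoked-ca -z $N -I "revoked $N" $f >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN sign failed"
	echo $f
}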
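# Generate some keys.
verbose "$tid: generating test keys"
# Start every accumulator empty so that values inherited from the
# environment cannot end up in the key and certificate lists.
RKEYS=""
RCERTS=""
UKEYS=""
UCERTS=""
# Serials whose keys and certificates the KRLs are expected to revoke.
REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
for n in $REVOKED_SERIALS ; do
	# keygen runs inside a command substitution, so a fatal raised in it
	# would end only that subshell; check the status here as well.
	# NOTE(review): assumes the harness's fatal exits non-zero - confirm.
	f=$(keygen $n) || fatal "keygen $n failed"
	RKEYS="$RKEYS ${f}.pub"
	RCERTS="$RCERTS ${f}-cert.pub"
done
# Serials that none of the revocation specs list.
UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
UNREVOKED=""
for n in $UNREVOKED_SERIALS ; do
	f=$(keygen $n) || fatal "keygen $n failed"
	UKEYS="$UKEYS ${f}.pub"
	UCERTS="$UCERTS ${f}-cert.pub"
done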
# Revocation specs that identify each revoked key by hash.  The "sha1:" and
# "sha256:" lines are followed by the public key itself; the "hash:" lines
# are followed by the second field of the ssh-keygen -l output.
touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
for rkey in $RKEYS; do
	{ printf "sha1: "; cat $rkey; } >> $OBJ/revoked-sha1
	{ printf "sha256: "; cat $rkey; } >> $OBJ/revoked-sha256
	{
		printf "hash: "
		$SSHKEYGEN -lf $rkey | awk '{ print $2 }'
	} >> $OBJ/revoked-hash
done
# Build every KRL used by the test under $OBJ.
# Globals:   OBJ, SSHKEYGEN, RKEYS, RCERTS (read); OPTS (written)
# Arguments: $1 - extra ssh-keygen options placed before -kf, e.g. -u to
#                 update the existing KRL files (may be omitted)
genkrls() {
	OPTS=$1

	# KRLs built from nothing, from plain keys, from certificates, from
	# both, and from the CA public key.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"

	# KRLs built from the hash-based revocation specs.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN KRL failed"

	# Serial and key-ID specs need a CA to be named, so generating these
	# without -s has to fail.
	if $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
	    >/dev/null 2>&1; then
		fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	fi
	if $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
	    >/dev/null 2>&1; then
		fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	fi

	# The same specs with an explicit CA key must be accepted.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
		$OBJ/revoked-serials >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
		$OBJ/revoked-keyid >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"

	# ... and so must the wildcard CA, written as -s NONE.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE \
		$OBJ/revoked-serials >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE \
		$OBJ/revoked-keyid >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"

	# Update krl-serial with the same serials under the second CA key, so
	# that a multi-CA KRL is produced.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
		$OBJ/revoked-serials >/dev/null \
		|| fatal "$SSHKEYGEN KRL failed"
}
## XXX dump the KRLs with trace output and grep for the cert serials set
## XXX test serial ranges near (u64)-1, etc.

# First pass: build all KRLs from scratch.
verbose "${tid}: generating KRLs"
genkrls
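# Query one key or certificate against one KRL and compare the answer with
# the expectation.
# Globals:   SSHKEYGEN (read); KEY, KRL, EXPECT_REVOKED, TAG, result (written)
# Arguments: $1 - key or certificate file to query
#            $2 - KRL file
#            $3 - expectation: y or yes (revoked), n or no (not revoked)
#            $4 - tag included in the failure message
check_krl() {
	KEY=$1
	KRL=$2
	EXPECT_REVOKED=$3
	TAG=$4
	# ssh-keygen -Q exits non-zero when the key is revoked.  It also does
	# so on errors, so a "y" expectation cannot tell a revoked key from a
	# failed query.
	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
	result=$?
	# Accept the long spellings too and reject anything else: an
	# unrecognised expectation would otherwise skip the check silently.
	case "$EXPECT_REVOKED" in
	y|yes)
		if [ $result -eq 0 ]; then
			fatal "key $KEY not revoked by KRL $KRL: $TAG"
		fi
		;;
	n|no)
		if [ $result -ne 0 ]; then
			fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
		fi
		;;
	*)
		fatal "bad revocation expectation \"$EXPECT_REVOKED\" for KRL $KRL: $TAG"
		;;
	esac
}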
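# Check a list of keys or certificates against every generated KRL.
# Globals:   OBJ, tid (read); FILES, TAG, *_RESULT, *_WRESULT, f (written)
# Arguments: $1  - whitespace-separated list of files to query
#            $2  - tag used in progress and failure messages
#            $3  - expectation for krl-keys
#            $4  - expectation for krl-all
#            $5  - expectation for krl-sha1, krl-sha256 and krl-hash
#            $6  - expectation for krl-serial
#            $7  - expectation for krl-keyid
#            $8  - expectation for krl-cert
#            $9  - expectation for krl-ca
#            $10 - expectation for krl-serial-wild
#            $11 - expectation for krl-keyid-wild
#            Expectations are y (revoked) or n (not revoked).
test_rev() {
	FILES=$1
	TAG=$2
	KEYS_RESULT=$3
	ALL_RESULT=$4
	HASH_RESULT=$5
	SERIAL_RESULT=$6
	KEYID_RESULT=$7
	CERTS_RESULT=$8
	CA_RESULT=$9
	SERIAL_WRESULT=${10}
	KEYID_WRESULT=${11}
	verbose "$tid: checking revocations for $TAG"
	for f in $FILES ; do
		# The empty KRL must revoke nothing.  The expectation is
		# spelled "n", the value check_krl compares against for
		# "not revoked", so that this control is really evaluated.
		check_krl $f $OBJ/krl-empty		n		"$TAG"
		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
		check_krl $f $OBJ/krl-sha1		$HASH_RESULT	"$TAG"
		check_krl $f $OBJ/krl-sha256		$HASH_RESULT	"$TAG"
		check_krl $f $OBJ/krl-hash		$HASH_RESULT	"$TAG"
		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
		check_krl $f $OBJ/krl-ca		$CA_RESULT	"$TAG"
		check_krl $f $OBJ/krl-serial-wild	$SERIAL_WRESULT	"$TAG"
		check_krl $f $OBJ/krl-keyid-wild	$KEYID_WRESULT	"$TAG"
	done
}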
# Run the full expectation matrix over all four groups of test files.
test_all() {
	# Verdict columns, in test_rev argument order (y = revoked):
	#   keys all hash serial keyid cert CA | wildcard CA: serial keyid
	test_rev "$RKEYS" "revoked keys" \
	    y y y n n n n  n n
	test_rev "$UKEYS" "unrevoked keys" \
	    n n n n n n n  n n
	test_rev "$RCERTS" "revoked certs" \
	    y y y y y y y  y y
	# Unrevoked certs are still hit by the KRL that revokes their CA.
	test_rev "$UCERTS" "unrevoked certs" \
	    n n n n n n y  n n
}
# First verification pass, against the freshly generated KRLs.
test_all

# Exercise the update path: each listed KRL in turn is replaced by a copy
# of the empty KRL and genkrls is re-run with -u.  The revocation results
# should be identical to the first pass.
verbose "$tid: testing KRL update"
for f in \
    $OBJ/krl-keys \
    $OBJ/krl-cert \
    $OBJ/krl-all \
    $OBJ/krl-ca \
    $OBJ/krl-serial \
    $OBJ/krl-keyid \
    $OBJ/krl-serial-wild \
    $OBJ/krl-keyid-wild
do
	cp -f $OBJ/krl-empty $f
	genkrls -u
done

# Second verification pass, against the updated KRLs.
test_all