1# $OpenBSD: krl.sh,v 1.12 2023/01/16 04:11:29 djm Exp $ 2# Placed in the Public Domain. 3 4tid="key revocation lists" 5 6# Use ed25519 by default since it's fast and it's supported when building 7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported. 8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; 9ktype4=ed25519; ktype5=ed25519; ktype6=ed25519; 10for t in $SSH_KEYTYPES; do 11 case "$t" in 12 ecdsa*) ktype2=ecdsa ;; 13 ssh-rsa) ktype3=rsa ;; 14 ssh-dss) ktype4=dsa ;; 15 sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;; 16 sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;; 17 esac 18done 19 20# Do most testing with ssh-keygen; it uses the same verification code as sshd. 21 22# Old keys will interfere with ssh-keygen. 23rm -f $OBJ/revoked-* $OBJ/krl-* 24 25# Generate a CA key 26$SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null || 27 fatal "$SSHKEYGEN CA failed" 28$SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || 29 fatal "$SSHKEYGEN CA2 failed" 30 31# A specification that revokes some certificates by serial numbers 32# The serial pattern is chosen to ensure the KRL includes list, range and 33# bitmap sections. 34cat << EOF >> $OBJ/revoked-serials 35serial: 1-4 36serial: 10 37serial: 15 38serial: 30 39serial: 50 40serial: 90 41serial: 999 42# The following sum to 500-799 43serial: 500 44serial: 501 45serial: 502 46serial: 503-600 47serial: 700-797 48serial: 798 49serial: 799 50serial: 599-701 51# Some multiple consecutive serial number ranges 52serial: 10000-20000 53serial: 30000-40000 54EOF 55 56# A specification that revokes some certificated by key ID. 57touch $OBJ/revoked-keyid 58for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do 59 test "x$n" = "x499" && continue 60 # Fill in by-ID revocation spec. 61 echo "id: revoked $n" >> $OBJ/revoked-keyid 62done 63 64keygen() { 65 N=$1 66 f=$OBJ/revoked-`printf "%04d" $N` 67 # Vary the keytype. We use mostly ed25519 since this is fast and well 68 # supported. 69 keytype=$ktype1 70 case $N in 71 2 | 10 | 510 | 1001) keytype=$ktype2 ;; 72 4 | 30 | 520 | 1002) keytype=$ktype3 ;; 73 8 | 50 | 530 | 1003) keytype=$ktype4 ;; 74 16 | 70 | 540 | 1004) keytype=$ktype5 ;; 75 32 | 90 | 550 | 1005) keytype=$ktype6 ;; 76 esac 77 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ 78 || fatal "$SSHKEYGEN failed" 79 # Sign cert 80 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ 81 || fatal "$SSHKEYGEN sign failed" 82 echo $f 83} 84 85# Generate some keys. 86verbose "$tid: generating test keys" 87REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999" 88for n in $REVOKED_SERIALS ; do 89 f=`keygen $n` 90 RKEYS="$RKEYS ${f}.pub" 91 RCERTS="$RCERTS ${f}-cert.pub" 92done 93UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011" 94UNREVOKED="" 95for n in $UNREVOKED_SERIALS ; do 96 f=`keygen $n` 97 UKEYS="$UKEYS ${f}.pub" 98 UCERTS="$UCERTS ${f}-cert.pub" 99done 100 101# Specifications that revoke keys by hash. 102touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash 103for rkey in $RKEYS; do 104 (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1 105 (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256 106 (printf "hash: "; $SSHKEYGEN -lf $rkey | \ 107 awk '{ print $2 }') >> $OBJ/revoked-hash 108done 109 110genkrls() { 111 OPTS=$1 112$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ 113 >/dev/null || fatal "$SSHKEYGEN KRL failed" 114$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \ 115 >/dev/null || fatal "$SSHKEYGEN KRL failed" 116$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \ 117 >/dev/null || fatal "$SSHKEYGEN KRL failed" 118$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ 119 >/dev/null || fatal "$SSHKEYGEN KRL failed" 120$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ 121 >/dev/null || fatal "$SSHKEYGEN KRL failed" 122$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \ 123 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" 124$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \ 125 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" 126$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \ 127 >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed" 128# This should fail as KRLs from serial/key-id spec need the CA specified. 129$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ 130 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 131$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ 132 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 133# These should succeed; they specify an explicit CA key. 134$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \ 135 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 136$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \ 137 $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed" 138# These should succeed; they specify an wildcard CA key. 139$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \ 140 >/dev/null || fatal "$SSHKEYGEN KRL failed" 141$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \ 142 >/dev/null || fatal "$SSHKEYGEN KRL failed" 143# Revoke the same serials with the second CA key to ensure a multi-CA 144# KRL is generated. 145$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \ 146 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 147} 148 149## XXX dump with trace and grep for set cert serials 150## XXX test ranges near (u64)-1, etc. 151 152verbose "$tid: generating KRLs" 153genkrls 154 155check_krl() { 156 KEY=$1 157 KRL=$2 158 EXPECT_REVOKED=$3 159 TAG=$4 160 $SSHKEYGEN -Qf $KRL $KEY >/dev/null 161 result=$? 162 if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then 163 fatal "key $KEY not revoked by KRL $KRL: $TAG" 164 elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then 165 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" 166 fi 167} 168test_rev() { 169 FILES=$1 170 TAG=$2 171 KEYS_RESULT=$3 172 ALL_RESULT=$4 173 HASH_RESULT=$5 174 SERIAL_RESULT=$6 175 KEYID_RESULT=$7 176 CERTS_RESULT=$8 177 CA_RESULT=$9 178 SERIAL_WRESULT=${10} 179 KEYID_WRESULT=${11} 180 verbose "$tid: checking revocations for $TAG" 181 for f in $FILES ; do 182 check_krl $f $OBJ/krl-empty no "$TAG" 183 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" 184 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" 185 check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG" 186 check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG" 187 check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG" 188 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" 189 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" 190 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" 191 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" 192 check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG" 193 check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG" 194 done 195} 196 197test_all() { 198 # wildcard 199 # keys all hash sr# ID cert CA srl ID 200 test_rev "$RKEYS" "revoked keys" y y y n n n n n n 201 test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n 202 test_rev "$RCERTS" "revoked certs" y y y y y y y y y 203 test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n 204} 205 206test_all 207 208# Check update. Results should be identical. 209verbose "$tid: testing KRL update" 210for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ 211 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ 212 $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do 213 cp -f $OBJ/krl-empty $f 214 genkrls -u 215done 216 217test_all 218