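# $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
# Placed in the Public Domain.

tid="key revocation lists"

# If we don't support ECDSA keys then this test will be much slower:
# the bulk of the key generation falls back to RSA.
ECDSA=ecdsa
if test "x$TEST_SSH_ECC" != "xyes"; then
	ECDSA=rsa
fi

# Do most testing with ssh-keygen; it uses the same verification code as sshd.

# Old keys will interfere with ssh-keygen.
rm -f $OBJ/revoked-* $OBJ/krl-*

# Generate a CA key
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
	fatal "$SSHKEYGEN CA failed"

# A specification that revokes some certificates by serial numbers.
# The serial pattern is chosen to ensure the KRL includes list, range and
# bitmap sections.  (The file was removed above, so >> creates it afresh.)
cat << EOF >> $OBJ/revoked-serials
serial: 1-4
serial: 10
serial: 15
serial: 30
serial: 50
serial: 999
# The following sum to 500-799
serial: 500
serial: 501
serial: 502
serial: 503-600
serial: 700-797
serial: 798
serial: 799
serial: 599-701
# Some multiple consecutive serial number ranges
serial: 10000-20000
serial: 30000-40000
EOF

# A specification that revokes some certificates by key ID.  keygen() below
# names every certificate "revoked N", so these IDs cover serials
# 1-4, 10, 15, 30, 50, 300-799 (jot 500 300) and 999-1002.
touch $OBJ/revoked-keyid
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
	# Fill in by-ID revocation spec.
	echo "id: revoked $n" >> $OBJ/revoked-keyid
done

# keygen SERIAL: generate a key pair at $OBJ/revoked-NNNN and sign it with
# the CA as a certificate with serial number SERIAL and key ID
# "revoked SERIAL".  Prints the key path on stdout; aborts via fatal on
# any ssh-keygen failure.
keygen() {
	N=$1
	f=$OBJ/revoked-`printf "%04d" $N`
	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
	keytype=$ECDSA
	case $N in
	2 | 10 | 510 | 1001)	keytype=rsa;;
	4 | 30 | 520 | 1002)	keytype=dsa;;
	esac
	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
		|| fatal "$SSHKEYGEN failed"
	# Sign cert.  The serial comes from this function's own argument ($N);
	# the earlier version used the caller's loop variable $n, which only
	# matched because every caller happened to name its loop variable n.
	$SSHKEYGEN -s $OBJ/revoked-ca -z $N -I "revoked $N" $f >/dev/null 2>&1 \
		|| fatal "$SSHKEYGEN sign failed"
	echo $f
}

# Generate some keys.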
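verbose "$tid: generating test keys"
# Serials that the specifications above revoke, both directly in
# revoked-serials and (through the "revoked N" key ID) in revoked-keyid.
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
REVOKED_KEYS=""
REVOKED_CERTS=""
for n in $REVOKED_SERIALS ; do
	f=`keygen $n`
	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
done
# Serials that no specification revokes.  They must avoid both the serial
# ranges in revoked-serials (1-4, 10, 15, 30, 50, 500-799, 999,
# 10000-20000, 30000-40000) and the key IDs in revoked-keyid (1-4, 10, 15,
# 30, 50, 300-799, 999-1002).  The earlier list contained 30, 499, 1000
# and 1001, all of which one of those specifications revokes.  Values sit
# next to range edges (299/800 around 300-799, 9999 below 10000) so an
# off-by-one in range handling shows up as a false revocation.
NOTREVOKED_SERIALS="5 9 14 16 29 49 51 299 800 1010 1011 9999"
NOTREVOKED_KEYS=""
NOTREVOKED_CERTS=""
for n in $NOTREVOKED_SERIALS ; do
	# Generate a fresh key per serial.  The earlier loop never called
	# keygen and reused the last revoked key path from the loop above, so
	# no unrevoked key or certificate was ever produced.
	f=`keygen $n`
	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
done

# genkrls [OPTS]: (re)build every KRL under $OBJ/krl-*.  OPTS is passed
# straight to ssh-keygen; the update pass below calls "genkrls -u".
genkrls() {
	OPTS=$1
	# An empty key list on stdin yields an empty KRL.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	# KRLs built from explicit public keys / certificates.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	# Revoking the CA key itself must revoke every certificate it signed.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	# KRLs from serial/key-id spec need the CA specified; without one
	# ssh-keygen must refuse rather than silently produce a KRL.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
		>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
		>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
	# The CA may be given as either the private or the public key.
	$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
	$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
		>/dev/null || fatal "$SSHKEYGEN KRL failed"
}

## XXX dump with trace and grep for set cert serials
## XXX test ranges near (u64)-1, etc.

verbose "$tid: generating KRLs"
genkrls

# check_krl KEY KRL EXPECT TAG: test KEY against KRL with ssh-keygen -Q,
# which exits 0 when nothing is revoked and non-zero otherwise.  EXPECT is
# "yes" (KEY must be revoked) or "no" (KEY must not be); a mismatch aborts
# the test with TAG in the message.
# NOTE(review): a non-zero exit for any other reason (unreadable or corrupt
# KRL) is indistinguishable from "revoked" here, so a broken KRL only
# surfaces through the "no" expectations, which every KRL has at least one
# of in the table below.  Check the file exists up front so the common
# case of a missing KRL fails loudly.
check_krl() {
	KEY=$1
	KRL=$2
	EXPECT_REVOKED=$3
	TAG=$4
	test -f $KRL || fatal "missing KRL $KRL: $TAG"
	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
	result=$?
	case "$EXPECT_REVOKED:$result" in
	yes:0)	fatal "key $KEY not revoked by KRL $KRL: $TAG" ;;
	no:0)	;;
	no:*)	fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" ;;
	esac
}

# test_all FILES TAG KEYS ALL SERIAL KEYID CERTS CA: check every file in
# FILES against each KRL.  Arguments 3-8 are the yes/no expectation for
# krl-keys, krl-all, krl-serial, krl-keyid, krl-cert and krl-ca in that
# order; nothing may be revoked by krl-empty.
test_all() {
	FILES=$1
	TAG=$2
	KEYS_RESULT=$3
	ALL_RESULT=$4
	SERIAL_RESULT=$5
	KEYID_RESULT=$6
	CERTS_RESULT=$7
	CA_RESULT=$8
	verbose "$tid: checking revocations for $TAG"
	for f in $FILES ; do
		check_krl $f $OBJ/krl-empty no "$TAG"
		check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
		check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
		check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
		check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
		check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
		check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
	done
}

# run_all_checks: the full expectation table.  Run once after the initial
# generation and again after the update pass; results must be identical.
# Unrevoked plain keys are never affected; unrevoked certificates are only
# revoked when their CA is.  The earlier version passed the never-assigned
# variables $UNREVOKED_KEYS / $UNREVOKED_CERTS here, so the two
# "unrevoked" rows iterated over nothing and checked nothing.
run_all_checks() {
	#        files                  tag                keys all serial keyid certs CA
	test_all "$REVOKED_KEYS"     "revoked keys"     yes yes no  no  no  no
	test_all "$NOTREVOKED_KEYS"  "unrevoked keys"   no  no  no  no  no  no
	test_all "$REVOKED_CERTS"    "revoked certs"    yes yes yes yes yes yes
	test_all "$NOTREVOKED_CERTS" "unrevoked certs"  no  no  no  no  no  yes
}

run_all_checks

# Check update. Results should be identical.  Each pass resets one KRL to
# the empty KRL and then rebuilds everything with -u, so every KRL is
# exercised both as an update of an empty file and as a re-update of an
# already populated one.
verbose "$tid: testing KRL update"
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
	cp -f $OBJ/krl-empty $f
	genkrls -u
done
run_all_checks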