xref: /freebsd/crypto/openssh/regress/krl.sh (revision a0ee8cc636cd5c2374ec44ca71226564ea0bca95)
1#	$OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
2#	Placed in the Public Domain.
3
4tid="key revocation lists"
5
6# If we don't support ecdsa keys then this tell will be much slower.
7ECDSA=ecdsa
8if test "x$TEST_SSH_ECC" != "xyes"; then
9	ECDSA=rsa
10fi
11
12# Do most testing with ssh-keygen; it uses the same verification code as sshd.
13
14# Old keys will interfere with ssh-keygen.
15rm -f $OBJ/revoked-* $OBJ/krl-*
16
17# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
19	fatal "$SSHKEYGEN CA failed"
20
21# A specification that revokes some certificates by serial numbers
22# The serial pattern is chosen to ensure the KRL includes list, range and
23# bitmap sections.
24cat << EOF >> $OBJ/revoked-serials
25serial: 1-4
26serial: 10
27serial: 15
28serial: 30
29serial: 50
30serial: 999
31# The following sum to 500-799
32serial: 500
33serial: 501
34serial: 502
35serial: 503-600
36serial: 700-797
37serial: 798
38serial: 799
39serial: 599-701
40# Some multiple consecutive serial number ranges
41serial: 10000-20000
42serial: 30000-40000
43EOF
44
45# A specification that revokes some certificated by key ID.
46touch $OBJ/revoked-keyid
47for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
48	# Fill in by-ID revocation spec.
49	echo "id: revoked $n" >> $OBJ/revoked-keyid
50done
51
52keygen() {
53	N=$1
54	f=$OBJ/revoked-`printf "%04d" $N`
55	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
56	keytype=$ECDSA
57	case $N in
58	2 | 10 | 510 | 1001)	keytype=rsa;;
59	4 | 30 | 520 | 1002)	keytype=dsa;;
60	esac
61	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
62		|| fatal "$SSHKEYGEN failed"
63	# Sign cert
64	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
65		|| fatal "$SSHKEYGEN sign failed"
66	echo $f
67}
68
69# Generate some keys.
70verbose "$tid: generating test keys"
71REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
72for n in $REVOKED_SERIALS ; do
73	f=`keygen $n`
74	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
75	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
76done
77NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
78NOTREVOKED=""
79for n in $NOTREVOKED_SERIALS ; do
80	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
81	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
82done
83
84genkrls() {
85	OPTS=$1
86$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
87	>/dev/null || fatal "$SSHKEYGEN KRL failed"
88$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
89	>/dev/null || fatal "$SSHKEYGEN KRL failed"
90$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
91	>/dev/null || fatal "$SSHKEYGEN KRL failed"
92$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
93	>/dev/null || fatal "$SSHKEYGEN KRL failed"
94$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
95	>/dev/null || fatal "$SSHKEYGEN KRL failed"
96# KRLs from serial/key-id spec need the CA specified.
97$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
98	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
99$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
100	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
101$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
102	>/dev/null || fatal "$SSHKEYGEN KRL failed"
103$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
104	>/dev/null || fatal "$SSHKEYGEN KRL failed"
105}
106
107## XXX dump with trace and grep for set cert serials
108## XXX test ranges near (u64)-1, etc.
109
110verbose "$tid: generating KRLs"
111genkrls
112
113check_krl() {
114	KEY=$1
115	KRL=$2
116	EXPECT_REVOKED=$3
117	TAG=$4
118	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
119	result=$?
120	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
121		fatal "key $KEY not revoked by KRL $KRL: $TAG"
122	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
123		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
124	fi
125}
126test_all() {
127	FILES=$1
128	TAG=$2
129	KEYS_RESULT=$3
130	ALL_RESULT=$4
131	SERIAL_RESULT=$5
132	KEYID_RESULT=$6
133	CERTS_RESULT=$7
134	CA_RESULT=$8
135	verbose "$tid: checking revocations for $TAG"
136	for f in $FILES ; do
137		check_krl $f $OBJ/krl-empty  no             "$TAG"
138		check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
139		check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
140		check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
141		check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
142		check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
143		check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
144	done
145}
146#                                            keys  all serial  keyid  certs   CA
147test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
148test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
149test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
150test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
151
152# Check update. Results should be identical.
153verbose "$tid: testing KRL update"
154for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
155    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
156	cp -f $OBJ/krl-empty $f
157	genkrls -u
158done
159#                                            keys  all serial  keyid  certs   CA
160test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
161test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
162test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
163test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
164