xref: /freebsd/crypto/openssh/regress/krl.sh (revision b9f654b163bce26de79705e77b872427c9f2afa1)
1#	$OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
2#	Placed in the Public Domain.
3
4tid="key revocation lists"
5
6# If we don't support ecdsa keys then this tell will be much slower.
7ECDSA=ecdsa
8if test "x$TEST_SSH_ECC" != "xyes"; then
9	ECDSA=rsa
10fi
11
12# Do most testing with ssh-keygen; it uses the same verification code as sshd.
13
14# Old keys will interfere with ssh-keygen.
15rm -f $OBJ/revoked-* $OBJ/krl-*
16
17# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
19	fatal "$SSHKEYGEN CA failed"
20$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2  -C "" -N "" > /dev/null ||
21	fatal "$SSHKEYGEN CA2 failed"
22
23# A specification that revokes some certificates by serial numbers
24# The serial pattern is chosen to ensure the KRL includes list, range and
25# bitmap sections.
26cat << EOF >> $OBJ/revoked-serials
27serial: 1-4
28serial: 10
29serial: 15
30serial: 30
31serial: 50
32serial: 999
33# The following sum to 500-799
34serial: 500
35serial: 501
36serial: 502
37serial: 503-600
38serial: 700-797
39serial: 798
40serial: 799
41serial: 599-701
42# Some multiple consecutive serial number ranges
43serial: 10000-20000
44serial: 30000-40000
45EOF
46
47# A specification that revokes some certificated by key ID.
48touch $OBJ/revoked-keyid
49for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
50	test "x$n" = "x499" && continue
51	# Fill in by-ID revocation spec.
52	echo "id: revoked $n" >> $OBJ/revoked-keyid
53done
54
55keygen() {
56	N=$1
57	f=$OBJ/revoked-`printf "%04d" $N`
58	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
59	keytype=$ECDSA
60	case $N in
61	2 | 10 | 510 | 1001)	keytype=rsa;;
62	4 | 30 | 520 | 1002)	keytype=ed25519;;
63	esac
64	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
65		|| fatal "$SSHKEYGEN failed"
66	# Sign cert
67	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
68		|| fatal "$SSHKEYGEN sign failed"
69	echo $f
70}
71
72# Generate some keys.
73verbose "$tid: generating test keys"
74REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
75for n in $REVOKED_SERIALS ; do
76	f=`keygen $n`
77	RKEYS="$RKEYS ${f}.pub"
78	RCERTS="$RCERTS ${f}-cert.pub"
79done
80UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
81UNREVOKED=""
82for n in $UNREVOKED_SERIALS ; do
83	f=`keygen $n`
84	UKEYS="$UKEYS ${f}.pub"
85	UCERTS="$UCERTS ${f}-cert.pub"
86done
87
88genkrls() {
89	OPTS=$1
90$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
91	>/dev/null || fatal "$SSHKEYGEN KRL failed"
92$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
93	>/dev/null || fatal "$SSHKEYGEN KRL failed"
94$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
95	>/dev/null || fatal "$SSHKEYGEN KRL failed"
96$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
97	>/dev/null || fatal "$SSHKEYGEN KRL failed"
98$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
99	>/dev/null || fatal "$SSHKEYGEN KRL failed"
100# This should fail as KRLs from serial/key-id spec need the CA specified.
101$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
102	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
103$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
104	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
105# These should succeed; they specify an explicit CA key.
106$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
107	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
108$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
109	$OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
110# These should succeed; they specify an wildcard CA key.
111$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
112	>/dev/null || fatal "$SSHKEYGEN KRL failed"
113$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
114	>/dev/null || fatal "$SSHKEYGEN KRL failed"
115# Revoke the same serials with the second CA key to ensure a multi-CA
116# KRL is generated.
117$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
118	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
119}
120
121## XXX dump with trace and grep for set cert serials
122## XXX test ranges near (u64)-1, etc.
123
124verbose "$tid: generating KRLs"
125genkrls
126
127check_krl() {
128	KEY=$1
129	KRL=$2
130	EXPECT_REVOKED=$3
131	TAG=$4
132	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
133	result=$?
134	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
135		fatal "key $KEY not revoked by KRL $KRL: $TAG"
136	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
137		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
138	fi
139}
140test_rev() {
141	FILES=$1
142	TAG=$2
143	KEYS_RESULT=$3
144	ALL_RESULT=$4
145	SERIAL_RESULT=$5
146	KEYID_RESULT=$6
147	CERTS_RESULT=$7
148	CA_RESULT=$8
149	SERIAL_WRESULT=$9
150	KEYID_WRESULT=$10
151	verbose "$tid: checking revocations for $TAG"
152	for f in $FILES ; do
153		check_krl $f $OBJ/krl-empty		no		"$TAG"
154		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
155		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
156		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
157		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
158		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
159		check_krl $f $OBJ/krl-ca		$CA_RESULT	"$TAG"
160		check_krl $f $OBJ/krl-serial-wild	$SERIAL_WRESULT	"$TAG"
161		check_krl $f $OBJ/krl-keyid-wild	$KEYID_WRESULT	"$TAG"
162	done
163}
164
165test_all() {
166	#                                                               wildcard
167	#                                   keys all sr# k.ID cert  CA sr.# k.ID
168	test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
169	test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
170	test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
171	test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
172}
173
174test_all
175
176# Check update. Results should be identical.
177verbose "$tid: testing KRL update"
178for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
179    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
180    $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
181	cp -f $OBJ/krl-empty $f
182	genkrls -u
183done
184
185test_all
186