1# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ 2# Placed in the Public Domain. 3 4tid="key revocation lists" 5 6# If we don't support ecdsa keys then this tell will be much slower. 7ECDSA=ecdsa 8if test "x$TEST_SSH_ECC" != "xyes"; then 9 ECDSA=rsa 10fi 11 12# Do most testing with ssh-keygen; it uses the same verification code as sshd. 13 14# Old keys will interfere with ssh-keygen. 15rm -f $OBJ/revoked-* $OBJ/krl-* 16 17# Generate a CA key 18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || 19 fatal "$SSHKEYGEN CA failed" 20$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || 21 fatal "$SSHKEYGEN CA2 failed" 22 23# A specification that revokes some certificates by serial numbers 24# The serial pattern is chosen to ensure the KRL includes list, range and 25# bitmap sections. 26cat << EOF >> $OBJ/revoked-serials 27serial: 1-4 28serial: 10 29serial: 15 30serial: 30 31serial: 50 32serial: 999 33# The following sum to 500-799 34serial: 500 35serial: 501 36serial: 502 37serial: 503-600 38serial: 700-797 39serial: 798 40serial: 799 41serial: 599-701 42# Some multiple consecutive serial number ranges 43serial: 10000-20000 44serial: 30000-40000 45EOF 46 47# A specification that revokes some certificated by key ID. 48touch $OBJ/revoked-keyid 49for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do 50 test "x$n" = "x499" && continue 51 # Fill in by-ID revocation spec. 52 echo "id: revoked $n" >> $OBJ/revoked-keyid 53done 54 55keygen() { 56 N=$1 57 f=$OBJ/revoked-`printf "%04d" $N` 58 # Vary the keytype. We use mostly ECDSA since this is fastest by far. 59 keytype=$ECDSA 60 case $N in 61 2 | 10 | 510 | 1001) keytype=rsa;; 62 4 | 30 | 520 | 1002) keytype=ed25519;; 63 esac 64 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ 65 || fatal "$SSHKEYGEN failed" 66 # Sign cert 67 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ 68 || fatal "$SSHKEYGEN sign failed" 69 echo $f 70} 71 72# Generate some keys. 73verbose "$tid: generating test keys" 74REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" 75for n in $REVOKED_SERIALS ; do 76 f=`keygen $n` 77 RKEYS="$RKEYS ${f}.pub" 78 RCERTS="$RCERTS ${f}-cert.pub" 79done 80UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011" 81UNREVOKED="" 82for n in $UNREVOKED_SERIALS ; do 83 f=`keygen $n` 84 UKEYS="$UKEYS ${f}.pub" 85 UCERTS="$UCERTS ${f}-cert.pub" 86done 87 88genkrls() { 89 OPTS=$1 90$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ 91 >/dev/null || fatal "$SSHKEYGEN KRL failed" 92$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \ 93 >/dev/null || fatal "$SSHKEYGEN KRL failed" 94$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \ 95 >/dev/null || fatal "$SSHKEYGEN KRL failed" 96$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ 97 >/dev/null || fatal "$SSHKEYGEN KRL failed" 98$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ 99 >/dev/null || fatal "$SSHKEYGEN KRL failed" 100# This should fail as KRLs from serial/key-id spec need the CA specified. 101$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ 102 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 103$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ 104 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 105# These should succeed; they specify an explicit CA key. 106$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \ 107 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 108$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \ 109 $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed" 110# These should succeed; they specify an wildcard CA key. 111$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \ 112 >/dev/null || fatal "$SSHKEYGEN KRL failed" 113$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \ 114 >/dev/null || fatal "$SSHKEYGEN KRL failed" 115# Revoke the same serials with the second CA key to ensure a multi-CA 116# KRL is generated. 117$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \ 118 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 119} 120 121## XXX dump with trace and grep for set cert serials 122## XXX test ranges near (u64)-1, etc. 123 124verbose "$tid: generating KRLs" 125genkrls 126 127check_krl() { 128 KEY=$1 129 KRL=$2 130 EXPECT_REVOKED=$3 131 TAG=$4 132 $SSHKEYGEN -Qf $KRL $KEY >/dev/null 133 result=$? 134 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then 135 fatal "key $KEY not revoked by KRL $KRL: $TAG" 136 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then 137 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" 138 fi 139} 140test_rev() { 141 FILES=$1 142 TAG=$2 143 KEYS_RESULT=$3 144 ALL_RESULT=$4 145 SERIAL_RESULT=$5 146 KEYID_RESULT=$6 147 CERTS_RESULT=$7 148 CA_RESULT=$8 149 SERIAL_WRESULT=$9 150 KEYID_WRESULT=$10 151 verbose "$tid: checking revocations for $TAG" 152 for f in $FILES ; do 153 check_krl $f $OBJ/krl-empty no "$TAG" 154 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" 155 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" 156 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" 157 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" 158 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" 159 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" 160 check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG" 161 check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG" 162 done 163} 164 165test_all() { 166 # wildcard 167 # keys all sr# k.ID cert CA sr.# k.ID 168 test_rev "$RKEYS" "revoked keys" yes yes no no no no no no 169 test_rev "$UKEYS" "unrevoked keys" no no no no no no no no 170 test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes 171 test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no 172} 173 174test_all 175 176# Check update. Results should be identical. 177verbose "$tid: testing KRL update" 178for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ 179 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ 180 $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do 181 cp -f $OBJ/krl-empty $f 182 genkrls -u 183done 184 185test_all 186