1# $OpenBSD: sshsig.sh,v 1.7 2021/08/11 08:55:04 djm Exp $ 2# Placed in the Public Domain. 3 4tid="sshsig" 5 6DATA2=$OBJ/${DATANAME}.2 7cat ${DATA} ${DATA} > ${DATA2} 8 9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key* 10 11sig_namespace="test-$$" 12sig_principal="user-$$@example.com" 13 14# Make a "wrong key" 15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \ 16 -C "wrong trousers, Grommit" -N '' \ 17 || fatal "couldn't generate key" 18WRONG=$OBJ/wrong-key.pub 19 20# Make a CA key. 21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \ 22 || fatal "couldn't generate key" 23CA_PRIV=$OBJ/sigca-key 24CA_PUB=$OBJ/sigca-key.pub 25 26trace "start agent" 27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null 28r=$? 29if [ $r -ne 0 ]; then 30 fatal "could not start ssh-agent: exit code $r" 31fi 32 33SIGNKEYS="$SSH_KEYTYPES" 34verbose "$tid: make certificates" 35for t in $SSH_KEYTYPES ; do 36 ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \ 37 -I "regress signature key for $USER" \ 38 -n $sig_principal $OBJ/${t} || \ 39 fatal "couldn't sign ${t}" 40 SIGNKEYS="$SIGNKEYS ${t}-cert.pub" 41done 42 43for t in $SIGNKEYS; do 44 verbose "$tid: check signature for $t" 45 keybase=`basename $t .pub` 46 privkey=${OBJ}/`basename $t -cert.pub` 47 sigfile=${OBJ}/sshsig-${keybase}.sig 48 sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig 49 pubkey=${OBJ}/${keybase}.pub 50 51 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \ 52 < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed" 53 54 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 55 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 56 -I $sig_principal -f $OBJ/allowed_signers \ 57 < $DATA >/dev/null 2>&1 || \ 58 fail "failed signature for $t key" 59 60 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; 61 cat $pubkey) > $OBJ/allowed_signers 62 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 63 -I $sig_principal -f $OBJ/allowed_signers \ 64 < $DATA >/dev/null 2>&1 || \ 65 fail "failed signature for $t key w/ limited namespace" 66 67 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; 68 cat $pubkey) > $OBJ/allowed_signers 69 ${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \ 70 -I $sig_principal -f $OBJ/allowed_signers \ 71 -O print-pubkey \ 72 < $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \ 73 fail "failed signature for $t key w/ print-pubkey" 74 cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub 75 diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \ 76 fail "print-pubkey differs from signature key" 77 78 # Invalid option 79 (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers 80 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 81 -I $sig_principal -f $OBJ/allowed_signers \ 82 < $DATA >/dev/null 2>&1 && \ 83 fail "accepted signature for $t key with bad signers option" 84 85 # Wrong key trusted. 86 (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers 87 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 88 -I $sig_principal -f $OBJ/allowed_signers \ 89 < $DATA >/dev/null 2>&1 && \ 90 fail "accepted signature for $t key with wrong key trusted" 91 92 # incorrect data 93 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 94 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 95 -I $sig_principal -f $OBJ/allowed_signers \ 96 < $DATA2 >/dev/null 2>&1 && \ 97 fail "passed signature for wrong data with $t key" 98 99 # wrong principal in signers 100 (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers 101 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 102 -I $sig_principal -f $OBJ/allowed_signers \ 103 < $DATA >/dev/null 2>&1 && \ 104 fail "accepted signature for $t key with wrong principal" 105 106 # wrong namespace 107 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 108 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \ 109 -I $sig_principal -f $OBJ/allowed_signers \ 110 < $DATA >/dev/null 2>&1 && \ 111 fail "accepted signature for $t key with wrong namespace" 112 113 # namespace excluded by option 114 (printf "$sig_principal namespaces=\"whatever\" " ; 115 cat $pubkey) > $OBJ/allowed_signers 116 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 117 -I $sig_principal -f $OBJ/allowed_signers \ 118 < $DATA >/dev/null 2>&1 && \ 119 fail "accepted signature for $t key with excluded namespace" 120 121 ( printf "$sig_principal " ; 122 printf "valid-after=\"19800101\",valid-before=\"19900101\" " ; 123 cat $pubkey) > $OBJ/allowed_signers 124 125 # key lifespan valid 126 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 127 -I $sig_principal -f $OBJ/allowed_signers \ 128 -Overify-time=19850101 \ 129 < $DATA >/dev/null 2>&1 || \ 130 fail "failed signature for $t key with valid expiry interval" 131 # key not yet valid 132 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 133 -I $sig_principal -f $OBJ/allowed_signers \ 134 -Overify-time=19790101 \ 135 < $DATA >/dev/null 2>&1 && \ 136 fail "failed signature for $t not-yet-valid key" 137 # key expired 138 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 139 -I $sig_principal -f $OBJ/allowed_signers \ 140 -Overify-time=19910101 \ 141 < $DATA >/dev/null 2>&1 && \ 142 fail "failed signature for $t with expired key" 143 # NB. assumes we're not running this test in the 1980s 144 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 145 -I $sig_principal -f $OBJ/allowed_signers \ 146 < $DATA >/dev/null 2>&1 && \ 147 fail "failed signature for $t with expired key" 148 149 # public key in revoked keys file 150 cat $pubkey > $OBJ/revoked_keys 151 (printf "$sig_principal namespaces=\"whatever\" " ; 152 cat $pubkey) > $OBJ/allowed_signers 153 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 154 -I $sig_principal -f $OBJ/allowed_signers \ 155 -r $OBJ/revoked_keys \ 156 < $DATA >/dev/null 2>&1 && \ 157 fail "accepted signature for $t key, but key is in revoked_keys" 158 159 # public key not revoked, but others are present in revoked_keysfile 160 cat $WRONG > $OBJ/revoked_keys 161 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers 162 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 163 -I $sig_principal -f $OBJ/allowed_signers \ 164 -r $OBJ/revoked_keys \ 165 < $DATA >/dev/null 2>&1 || \ 166 fail "couldn't verify signature for $t key, but key not in revoked_keys" 167 168 # check-novalidate with valid data 169 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ 170 < $DATA >/dev/null 2>&1 || \ 171 fail "failed to check valid signature for $t key" 172 173 # check-novalidate with invalid data 174 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ 175 < $DATA2 >/dev/null 2>&1 && \ 176 fail "succeeded checking signature for $t key with invalid data" 177 178 # Check signing keys using ssh-agent. 179 ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys. 180 ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed" 181 182 # Move private key to ensure agent key is used 183 mv ${privkey} ${privkey}.tmp 184 185 ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \ 186 < $DATA > $sigfile_agent 2>/dev/null || \ 187 fail "ssh-agent based sign using $pubkey failed" 188 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \ 189 -n $sig_namespace < $DATA >/dev/null 2>&1 || \ 190 fail "failed to check valid signature for $t key" 191 192 # Move private key back 193 mv ${privkey}.tmp ${privkey} 194 195 # Remaining tests are for certificates only. 196 case "$keybase" in 197 *-cert) ;; 198 *) continue ;; 199 esac 200 201 202 # correct CA key 203 (printf "$sig_principal cert-authority " ; 204 cat $CA_PUB) > $OBJ/allowed_signers 205 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 206 -I $sig_principal -f $OBJ/allowed_signers \ 207 < $DATA >/dev/null 2>&1 || \ 208 fail "failed signature for $t cert" 209 210 # signing key listed as cert-authority 211 (printf "$sig_principal cert-authority " ; 212 cat $pubkey) > $OBJ/allowed_signers 213 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 214 -I $sig_principal -f $OBJ/allowed_signers \ 215 < $DATA >/dev/null 2>&1 && \ 216 fail "accepted signature with $t key listed as CA" 217 218 # CA key not flagged cert-authority 219 (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers 220 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 221 -I $sig_principal -f $OBJ/allowed_signers \ 222 < $DATA >/dev/null 2>&1 && \ 223 fail "accepted signature for $t cert with CA not marked" 224 225 # mismatch between cert principal and file 226 (printf "josef.k@example.com cert-authority " ; 227 cat $CA_PUB) > $OBJ/allowed_signers 228 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ 229 -I $sig_principal -f $OBJ/allowed_signers \ 230 < $DATA >/dev/null 2>&1 && \ 231 fail "accepted signature for $t cert with wrong principal" 232done 233 234trace "kill agent" 235${SSHAGENT} -k > /dev/null 236 237