xref: /freebsd/crypto/openssh/regress/sshsig.sh (revision 725a9f47324d42037db93c27ceb40d4956872f3e)
1#	$OpenBSD: sshsig.sh,v 1.15 2023/10/12 03:51:08 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
16	-C "wrong trousers, Grommit" -N '' \
17	|| fatal "couldn't generate key"
18WRONG=$OBJ/wrong-key.pub
19
20# Make a CA key.
21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22	|| fatal "couldn't generate key"
23CA_PRIV=$OBJ/sigca-key
24CA_PUB=$OBJ/sigca-key.pub
25
26trace "start agent"
27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
28r=$?
29if [ $r -ne 0 ]; then
30	fatal "could not start ssh-agent: exit code $r"
31fi
32
33SIGNKEYS="$SSH_KEYTYPES"
34verbose "$tid: make certificates"
35for t in $SSH_KEYTYPES ; do
36	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
37	    -I "regress signature key for $USER" \
38		-V "19840101:19860101" \
39	    -n $sig_principal $OBJ/${t} || \
40		fatal "couldn't sign ${t}"
41	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
42done
43
44for t in $SIGNKEYS; do
45	verbose "$tid: check signature for $t"
46	keybase=`basename $t .pub`
47	privkey=${OBJ}/`basename $t -cert.pub`
48	sigfile=${OBJ}/sshsig-${keybase}.sig
49	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
50	pubkey=${OBJ}/${keybase}.pub
51	cert=${OBJ}/${keybase}-cert.pub
52	sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
53
54	trace "$tid: key type $t check bad hashlg"
55	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
56	    -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
57		fail "sign using $t with bad hash algorithm succeeded"
58
59	for h in default sha256 sha512 ; do
60		case "$h" in
61		default) hashalg_arg="" ;;
62		*) hashalg_arg="-Ohashalg=$h" ;;
63		esac
64		trace "$tid: key type $t sign with hash $h"
65		${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
66		    $hashalg_arg < $DATA > $sigfile 2>/dev/null || \
67			fail "sign using $t / $h failed"
68		(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
69		trace "$tid: key type $t verify with hash $h"
70		${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
71		    -I $sig_principal -f $OBJ/allowed_signers \
72		    < $DATA >/dev/null 2>&1 || \
73			fail "failed signature for $t / $h key"
74	done
75
76	trace "$tid: key type $t verify with limited namespace"
77	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
78	 cat $pubkey) > $OBJ/allowed_signers
79	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
80		-I $sig_principal -f $OBJ/allowed_signers \
81		< $DATA >/dev/null 2>&1 || \
82		fail "failed signature for $t key w/ limited namespace"
83
84	trace "$tid: key type $t print-pubkey"
85	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
86	 cat $pubkey) > $OBJ/allowed_signers
87	${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
88		-I $sig_principal -f $OBJ/allowed_signers \
89		-O print-pubkey \
90		< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
91		fail "failed signature for $t key w/ print-pubkey"
92	cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
93	diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
94		fail "print-pubkey differs from signature key"
95
96	# Invalid option
97	trace "$tid: key type $t verify with bad signers"
98	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
99	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
100		-I $sig_principal -f $OBJ/allowed_signers \
101		< $DATA >/dev/null 2>&1 && \
102		fail "accepted signature for $t key with bad signers option"
103
104	# Wrong key trusted.
105	trace "$tid: key type $t verify with wrong key"
106	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
107	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
108		-I $sig_principal -f $OBJ/allowed_signers \
109		< $DATA >/dev/null 2>&1 && \
110		fail "accepted signature for $t key with wrong key trusted"
111
112	# incorrect data
113	trace "$tid: key type $t verify with wrong data"
114	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
115	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
116		-I $sig_principal -f $OBJ/allowed_signers \
117		< $DATA2 >/dev/null 2>&1 && \
118		fail "passed signature for wrong data with $t key"
119
120	# wrong principal in signers
121	trace "$tid: key type $t verify with wrong principal"
122	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
123	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
124		-I $sig_principal -f $OBJ/allowed_signers \
125		< $DATA >/dev/null 2>&1 && \
126		fail "accepted signature for $t key with wrong principal"
127
128	# wrong namespace
129	trace "$tid: key type $t verify with wrong namespace"
130	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
131	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
132		-I $sig_principal -f $OBJ/allowed_signers \
133		< $DATA >/dev/null 2>&1 && \
134		fail "accepted signature for $t key with wrong namespace"
135
136	# namespace excluded by option
137	trace "$tid: key type $t verify with excluded namespace"
138	(printf "$sig_principal namespaces=\"whatever\" " ;
139	 cat $pubkey) > $OBJ/allowed_signers
140	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
141		-I $sig_principal -f $OBJ/allowed_signers \
142		< $DATA >/dev/null 2>&1 && \
143		fail "accepted signature for $t key with excluded namespace"
144
145	( printf "$sig_principal " ;
146	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
147	  cat $pubkey) > $OBJ/allowed_signers
148
149	# key lifespan valid
150	trace "$tid: key type $t verify with valid lifespan"
151	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
152		-I $sig_principal -f $OBJ/allowed_signers \
153		-Overify-time=19850101 \
154		< $DATA >/dev/null 2>&1 || \
155		fail "failed signature for $t key with valid expiry interval"
156	# key not yet valid
157	trace "$tid: key type $t verify with not-yet-valid lifespan"
158	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
159		-I $sig_principal -f $OBJ/allowed_signers \
160		-Overify-time=19790101 \
161		< $DATA >/dev/null 2>&1 && \
162		fail "failed signature for $t not-yet-valid key"
163	# key expired
164	trace "$tid: key type $t verify with expired lifespan"
165	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
166		-I $sig_principal -f $OBJ/allowed_signers \
167		-Overify-time=19910101 \
168		< $DATA >/dev/null 2>&1 && \
169		fail "failed signature for $t with expired key"
170	# NB. assumes we're not running this test in the 1980s
171	trace "$tid: key type $t verify with expired lifespan (now)"
172	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
173		-I $sig_principal -f $OBJ/allowed_signers \
174		< $DATA >/dev/null 2>&1 && \
175		fail "failed signature for $t with expired key"
176
177	# key lifespan valid
178	trace "$tid: key type $t find-principals with valid lifespan"
179	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
180		-Overify-time="19850101" \
181		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
182		fail "failed find-principals for $t key with valid expiry interval"
183	# key not yet valid
184	trace "$tid: key type $t find principals with not-yet-valid lifespan"
185	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
186		-Overify-time="19790101" \
187		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
188		fail "failed find-principals for $t not-yet-valid key"
189	# key expired
190	trace "$tid: key type $t find-principals with expired lifespan"
191	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
192		-Overify-time="19990101" \
193		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
194		fail "failed find-principals for $t with expired key"
195	# NB. assumes we're not running this test in the 1980s
196	trace "$tid: key type $t find-principals with expired lifespan (now)"
197	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
198		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
199		fail "failed find-principals for $t with expired key"
200
201	# public key in revoked keys file
202	trace "$tid: key type $t verify with revoked key"
203	cat $pubkey > $OBJ/revoked_keys
204	(printf "$sig_principal namespaces=\"whatever\" " ;
205	 cat $pubkey) > $OBJ/allowed_signers
206	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
207		-I $sig_principal -f $OBJ/allowed_signers \
208		-r $OBJ/revoked_keys \
209		< $DATA >/dev/null 2>&1 && \
210		fail "accepted signature for $t key, but key is in revoked_keys"
211
212	# public key not revoked, but others are present in revoked_keysfile
213	trace "$tid: key type $t verify with unrevoked key"
214	cat $WRONG > $OBJ/revoked_keys
215	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
216	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
217		-I $sig_principal -f $OBJ/allowed_signers \
218		-r $OBJ/revoked_keys \
219		< $DATA >/dev/null 2>&1 || \
220		fail "couldn't verify signature for $t key, but key not in revoked_keys"
221
222	# check-novalidate with valid data
223	trace "$tid: key type $t check-novalidate with valid data"
224	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
225		< $DATA >/dev/null 2>&1 || \
226		fail "failed to check valid signature for $t key"
227
228	# check-novalidate with invalid data
229	trace "$tid: key type $t check-novalidate with invalid data"
230	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
231		< $DATA2 >/dev/null 2>&1 && \
232		fail "succeeded checking signature for $t key with invalid data"
233
234	# find-principals with valid public key
235	trace "$tid: key type $t find-principals with valid key"
236	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
237	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
238		fail "failed to find valid principals in allowed_signers"
239
240	# find-principals with wrong key not in allowed_signers
241	trace "$tid: key type $t find-principals with wrong key"
242	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
243	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
244		fail "succeeded finding principal with invalid signers file"
245
246	# find-principals with a configured namespace but none on command-line
247	trace "$tid: key type $t find-principals with missing namespace"
248	(printf "$sig_principal " ;
249	 printf "namespaces=\"test1,test2\" ";
250	 cat $pubkey) > $OBJ/allowed_signers
251	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
252	    -f $OBJ/allowed_signers >/dev/null 2>&1 || \
253		fail "failed finding principal when namespaces are configured"
254
255	# Check signing keys using ssh-agent.
256	trace "$tid: key type $t prepare agent"
257	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
258	${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
259
260	# Move private key to ensure agent key is used
261	mv ${privkey} ${privkey}.tmp
262
263	trace "$tid: key type $t sign with agent"
264	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
265		< $DATA > $sigfile_agent 2>/dev/null || \
266		fail "ssh-agent based sign using $pubkey failed"
267	trace "$tid: key type $t check signature w/ agent"
268	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
269		-n $sig_namespace < $DATA >/dev/null 2>&1 || \
270		fail "failed to check valid signature for $t key"
271	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
272	 cat $pubkey) > $OBJ/allowed_signers
273	${SSHKEYGEN} -vvv -Y verify -s $sigfile_agent -n $sig_namespace \
274		-I $sig_principal -f $OBJ/allowed_signers \
275		< $DATA >/dev/null 2>&1 || \
276		fail "failed signature for $t key w/ limited namespace"
277
278	# Move private key back
279	mv ${privkey}.tmp ${privkey}
280
281	# Duplicate principals & keys in allowed_signers but with different validities
282	( printf "$sig_principal " ;
283	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
284	  cat $pubkey;
285	  printf "${sig_principal} " ;
286	  printf "valid-after=\"19850101\",valid-before=\"20000101\" " ;
287	  cat $pubkey) > $OBJ/allowed_signers
288
289	# find-principals outside of any validity lifespan
290	trace "$tid: key type $t find principals outside multiple validities"
291	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
292		-Overify-time="20100101" \
293		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
294		fail "succeeded find-principals for $t verify-time outside of validity"
295	# find-principals matching only the first lifespan
296	trace "$tid: key type $t find principals matching one validity (1st)"
297	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
298		-Overify-time="19830101" \
299		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
300		fail "failed find-principals for $t verify-time within first span"
301	# find-principals matching both lifespans
302	trace "$tid: key type $t find principals matching two validities"
303	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
304		-Overify-time="19880101" \
305		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
306		fail "failed find-principals for $t verify-time within both spans"
307	# find-principals matching only the second lifespan
308	trace "$tid: key type $t find principals matching one validity (2nd)"
309	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
310		-Overify-time="19950101" \
311		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
312		fail "failed find-principals for $t verify-time within second span"
313
314	# verify outside of any validity lifespan
315	trace "$tid: key type $t verify outside multiple validities"
316	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
317		-Overify-time="20100101" -I $sig_principal \
318		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
319		< $DATA >/dev/null 2>&1 && \
320		fail "succeeded verify for $t verify-time outside of validity"
321	# verify matching only the first lifespan
322	trace "$tid: key type $t verify matching one validity (1st)"
323	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
324		-Overify-time="19830101" -I $sig_principal \
325		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
326		< $DATA >/dev/null 2>&1 || \
327		fail "failed verify for $t verify-time within first span"
328	# verify matching both lifespans
329	trace "$tid: key type $t verify matching two validities"
330	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
331		-Overify-time="19880101" -I $sig_principal \
332		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
333		< $DATA >/dev/null 2>&1 || \
334		fail "failed verify for $t verify-time within both spans"
335	# verify matching only the second lifespan
336	trace "$tid: key type $t verify matching one validity (2nd)"
337	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
338		-Overify-time="19950101" -I $sig_principal \
339		-r $OBJ/revoked_keys -f $OBJ/allowed_signers \
340		< $DATA >/dev/null 2>&1 || \
341		fail "failed verify for $t verify-time within second span"
342
343	# Remaining tests are for certificates only.
344	case "$keybase" in
345		*-cert) ;;
346		*) continue ;;
347	esac
348
349	# Check key lifespan on find-principals when using the CA
350	( printf "$sig_principal " ;
351	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" ";
352	  cat $CA_PUB) > $OBJ/allowed_signers
353	# key lifespan valid
354	trace "$tid: key type $t find-principals cert lifetime valid"
355	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
356		-Overify-time="19850101" \
357		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
358		fail "failed find-principals for $t key with valid expiry interval"
359	# key not yet valid
360	trace "$tid: key type $t find-principals cert lifetime not-yet-valid"
361	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
362		-Overify-time="19790101" \
363		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
364		fail "failed find-principals for $t not-yet-valid key"
365	# key expired
366	trace "$tid: key type $t find-principals cert lifetime expired"
367	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
368		-Overify-time="19990101" \
369		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
370		fail "failed find-principals for $t with expired key"
371	# NB. assumes we're not running this test in the 1980s
372	trace "$tid: key type $t find-principals cert lifetime expired (now)"
373	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
374		-f $OBJ/allowed_signers >/dev/null 2>&1 && \
375		fail "failed find-principals for $t with expired key"
376
377	# correct CA key
378	trace "$tid: key type $t verify cert good CA"
379	(printf "$sig_principal cert-authority " ;
380	 cat $CA_PUB) > $OBJ/allowed_signers
381	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
382		-I $sig_principal -f $OBJ/allowed_signers \
383		-Overify-time=19850101 \
384		< $DATA >/dev/null 2>&1 || \
385		fail "failed signature for $t cert"
386
387	# find-principals
388	trace "$tid: key type $t find-principals cert good CA"
389	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
390		-Overify-time=19850101 \
391		-f $OBJ/allowed_signers >/dev/null 2>&1 || \
392		fail "failed find-principals for $t with ca key"
393
394	# CA with wildcard principal
395	trace "$tid: key type $t find-principals cert good wildcard CA"
396	(printf "*@example.com cert-authority " ;
397	 cat $CA_PUB) > $OBJ/allowed_signers
398	# find-principals CA with wildcard principal
399	${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \
400		-Overify-time=19850101 \
401		-f $OBJ/allowed_signers 2>/dev/null | \
402		fgrep "$sig_principal" >/dev/null || \
403		fail "failed find-principals for $t with ca key using wildcard principal"
404
405	# verify CA with wildcard principal
406	trace "$tid: key type $t verify cert good wildcard CA"
407	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
408		-I $sig_principal -f $OBJ/allowed_signers \
409		-Overify-time=19850101 \
410		< $DATA >/dev/null 2>&1 || \
411		fail "failed signature for $t cert using wildcard principal"
412
413	# signing key listed as cert-authority
414	trace "$tid: key type $t verify signing key listed as CA"
415	(printf "$sig_principal cert-authority " ;
416	 cat $pubkey) > $OBJ/allowed_signers
417	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
418		-I $sig_principal -f $OBJ/allowed_signers \
419		< $DATA >/dev/null 2>&1 && \
420		fail "accepted signature with $t key listed as CA"
421
422	# CA key not flagged cert-authority
423	trace "$tid: key type $t verify key not marked as CA"
424	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
425	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
426		-I $sig_principal -f $OBJ/allowed_signers \
427		< $DATA >/dev/null 2>&1 && \
428		fail "accepted signature for $t cert with CA not marked"
429
430	# mismatch between cert principal and file
431	trace "$tid: key type $t verify cert with wrong principal"
432	(printf "josef.k@example.com cert-authority " ;
433	 cat $CA_PUB) > $OBJ/allowed_signers
434	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
435		-I $sig_principal -f $OBJ/allowed_signers \
436		< $DATA >/dev/null 2>&1 && \
437		fail "accepted signature for $t cert with wrong principal"
438
439	# Cert valid but CA revoked
440	trace "$tid: key type $t verify cert with revoked CA"
441	cat $CA_PUB > $OBJ/revoked_keys
442	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
443	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
444		-I $sig_principal -f $OBJ/allowed_signers \
445		-r $OBJ/revoked_keys \
446		< $DATA >/dev/null 2>&1 && \
447		fail "accepted signature for $t key, but CA key in revoked_keys"
448
449	# Set lifespan of CA key and verify signed user certs behave accordingly
450	( printf "$sig_principal " ;
451	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
452	  cat $CA_PUB) > $OBJ/allowed_signers
453
454	# CA key lifespan valid
455	trace "$tid: key type $t verify cert valid CA lifespan"
456	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
457		-I $sig_principal -f $OBJ/allowed_signers \
458		-Overify-time=19850101 \
459		< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
460		fail "failed signature for $t key with valid CA expiry interval"
461	# CA lifespan is valid but user key not yet valid
462	trace "$tid: key type $t verify cert valid CA lifespan, not-yet-valid cert"
463	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
464		-I $sig_principal -f $OBJ/allowed_signers \
465		-Overify-time=19810101 \
466		< $DATA >/dev/null 2>&1 && \
467		fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
468	# CA lifespan is valid but user key expired
469	trace "$tid: key type $t verify cert valid CA lifespan, expired cert"
470	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
471		-I $sig_principal -f $OBJ/allowed_signers \
472		-Overify-time=19890101 \
473		< $DATA >/dev/null 2>&1 && \
474		fail "accepted signature for $t key with valid CA expiry interval but expired cert"
475	# CA key not yet valid
476	trace "$tid: key type $t verify cert CA not-yet-valid"
477	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
478		-I $sig_principal -f $OBJ/allowed_signers \
479		-Overify-time=19790101 \
480		< $DATA >/dev/null 2>&1 && \
481		fail "accepted signature for $t not-yet-valid CA key"
482	# CA key expired
483	trace "$tid: key type $t verify cert CA expired"
484	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
485		-I $sig_principal -f $OBJ/allowed_signers \
486		-Overify-time=19910101 \
487		< $DATA >/dev/null 2>&1 && \
488		fail "accepted signature for $t with expired CA key"
489	# NB. assumes we're not running this test in the 1980s
490	trace "$tid: key type $t verify cert CA expired (now)"
491	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
492		-I $sig_principal -f $OBJ/allowed_signers \
493		< $DATA >/dev/null 2>&1 && \
494		fail "accepted signature for $t with expired CA key"
495
496	# Set lifespan of CA outside of the cert validity
497	trace "$tid: key type $t verify CA/cert lifespan mismatch"
498	( printf "$sig_principal " ;
499	  printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
500	  cat $CA_PUB) > $OBJ/allowed_signers
501	# valid cert validity but expired CA
502	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
503		-I $sig_principal -f $OBJ/allowed_signers \
504		-Overify-time=19840101 \
505		< $DATA >/dev/null 2>&1 && \
506		fail "accepted signature for $t key with expired CA but valid cert"
507
508done
509
510# Test key independant match-principals
511(
512	printf "principal1 " ; cat $pubkey;
513	printf "princi* " ; cat $pubkey;
514	printf "unique " ; cat $pubkey;
515) > $OBJ/allowed_signers
516
517verbose "$tid: match principals"
518${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \
519    fgrep "unique" >/dev/null || \
520	fail "failed to match static principal"
521
522trace "$tid: match principals wildcard"
523${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \
524    fgrep "princi*" >/dev/null || \
525	fail "failed to match wildcard principal"
526
527trace "$tid: match principals static/wildcard"
528${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \
529    fgrep -e "principal1" -e "princi*" >/dev/null || \
530	fail "failed to match static and wildcard principal"
531verbose "$tid: nomatch principals"
532for x in princ prince unknown ; do
533	${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \
534	    -I $x >/dev/null 2>&1 && \
535		fail "succeeded to match unknown principal \"$x\""
536done
537
538trace "kill agent"
539${SSHAGENT} -k > /dev/null
540
541