xref: /freebsd/crypto/openssh/regress/sshsig.sh (revision ec0ea6efa1ad229d75c394c1a9b9cac33af2b1d3)
1#	$OpenBSD: sshsig.sh,v 1.7 2021/08/11 08:55:04 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
16	-C "wrong trousers, Grommit" -N '' \
17	|| fatal "couldn't generate key"
18WRONG=$OBJ/wrong-key.pub
19
20# Make a CA key.
21${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
22	|| fatal "couldn't generate key"
23CA_PRIV=$OBJ/sigca-key
24CA_PUB=$OBJ/sigca-key.pub
25
26trace "start agent"
27eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
28r=$?
29if [ $r -ne 0 ]; then
30	fatal "could not start ssh-agent: exit code $r"
31fi
32
33SIGNKEYS="$SSH_KEYTYPES"
34verbose "$tid: make certificates"
35for t in $SSH_KEYTYPES ; do
36	${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
37	    -I "regress signature key for $USER" \
38	    -n $sig_principal $OBJ/${t} || \
39		fatal "couldn't sign ${t}"
40	SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
41done
42
43for t in $SIGNKEYS; do
44	verbose "$tid: check signature for $t"
45	keybase=`basename $t .pub`
46	privkey=${OBJ}/`basename $t -cert.pub`
47	sigfile=${OBJ}/sshsig-${keybase}.sig
48	sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
49	pubkey=${OBJ}/${keybase}.pub
50
51	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
52		< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
53
54	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
55	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
56		-I $sig_principal -f $OBJ/allowed_signers \
57		< $DATA >/dev/null 2>&1 || \
58		fail "failed signature for $t key"
59
60	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
61	 cat $pubkey) > $OBJ/allowed_signers
62	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
63		-I $sig_principal -f $OBJ/allowed_signers \
64		< $DATA >/dev/null 2>&1 || \
65		fail "failed signature for $t key w/ limited namespace"
66
67	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
68	 cat $pubkey) > $OBJ/allowed_signers
69	${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
70		-I $sig_principal -f $OBJ/allowed_signers \
71		-O print-pubkey \
72		< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
73		fail "failed signature for $t key w/ print-pubkey"
74	cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
75	diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
76		fail "print-pubkey differs from signature key"
77
78	# Invalid option
79	(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
80	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
81		-I $sig_principal -f $OBJ/allowed_signers \
82		< $DATA >/dev/null 2>&1 && \
83		fail "accepted signature for $t key with bad signers option"
84
85	# Wrong key trusted.
86	(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
87	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
88		-I $sig_principal -f $OBJ/allowed_signers \
89		< $DATA >/dev/null 2>&1 && \
90		fail "accepted signature for $t key with wrong key trusted"
91
92	# incorrect data
93	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
94	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
95		-I $sig_principal -f $OBJ/allowed_signers \
96		< $DATA2 >/dev/null 2>&1 && \
97		fail "passed signature for wrong data with $t key"
98
99	# wrong principal in signers
100	(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
101	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
102		-I $sig_principal -f $OBJ/allowed_signers \
103		< $DATA >/dev/null 2>&1 && \
104		fail "accepted signature for $t key with wrong principal"
105
106	# wrong namespace
107	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
108	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
109		-I $sig_principal -f $OBJ/allowed_signers \
110		< $DATA >/dev/null 2>&1 && \
111		fail "accepted signature for $t key with wrong namespace"
112
113	# namespace excluded by option
114	(printf "$sig_principal namespaces=\"whatever\" " ;
115	 cat $pubkey) > $OBJ/allowed_signers
116	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
117		-I $sig_principal -f $OBJ/allowed_signers \
118		< $DATA >/dev/null 2>&1 && \
119		fail "accepted signature for $t key with excluded namespace"
120
121	( printf "$sig_principal " ;
122	  printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
123	  cat $pubkey) > $OBJ/allowed_signers
124
125	# key lifespan valid
126	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
127		-I $sig_principal -f $OBJ/allowed_signers \
128		-Overify-time=19850101 \
129		< $DATA >/dev/null 2>&1 || \
130		fail "failed signature for $t key with valid expiry interval"
131	# key not yet valid
132	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
133		-I $sig_principal -f $OBJ/allowed_signers \
134		-Overify-time=19790101 \
135		< $DATA >/dev/null 2>&1 && \
136		fail "failed signature for $t not-yet-valid key"
137	# key expired
138	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
139		-I $sig_principal -f $OBJ/allowed_signers \
140		-Overify-time=19910101 \
141		< $DATA >/dev/null 2>&1 && \
142		fail "failed signature for $t with expired key"
143	# NB. assumes we're not running this test in the 1980s
144	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
145		-I $sig_principal -f $OBJ/allowed_signers \
146		< $DATA >/dev/null 2>&1 && \
147		fail "failed signature for $t with expired key"
148
149	# public key in revoked keys file
150	cat $pubkey > $OBJ/revoked_keys
151	(printf "$sig_principal namespaces=\"whatever\" " ;
152	 cat $pubkey) > $OBJ/allowed_signers
153	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
154		-I $sig_principal -f $OBJ/allowed_signers \
155		-r $OBJ/revoked_keys \
156		< $DATA >/dev/null 2>&1 && \
157		fail "accepted signature for $t key, but key is in revoked_keys"
158
159	# public key not revoked, but others are present in revoked_keysfile
160	cat $WRONG > $OBJ/revoked_keys
161	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
162	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
163		-I $sig_principal -f $OBJ/allowed_signers \
164		-r $OBJ/revoked_keys \
165		< $DATA >/dev/null 2>&1 || \
166		fail "couldn't verify signature for $t key, but key not in revoked_keys"
167
168	# check-novalidate with valid data
169	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
170		< $DATA >/dev/null 2>&1 || \
171		fail "failed to check valid signature for $t key"
172
173	# check-novalidate with invalid data
174	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
175		< $DATA2 >/dev/null 2>&1 && \
176		fail "succeeded checking signature for $t key with invalid data"
177
178	# Check signing keys using ssh-agent.
179	${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
180	${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
181
182	# Move private key to ensure agent key is used
183	mv ${privkey} ${privkey}.tmp
184
185	${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
186		< $DATA > $sigfile_agent 2>/dev/null || \
187		fail "ssh-agent based sign using $pubkey failed"
188	${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
189		-n $sig_namespace < $DATA >/dev/null 2>&1 || \
190		fail "failed to check valid signature for $t key"
191
192	# Move private key back
193	mv ${privkey}.tmp ${privkey}
194
195	# Remaining tests are for certificates only.
196	case "$keybase" in
197		*-cert) ;;
198		*) continue ;;
199	esac
200
201
202	# correct CA key
203	(printf "$sig_principal cert-authority " ;
204	 cat $CA_PUB) > $OBJ/allowed_signers
205	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
206		-I $sig_principal -f $OBJ/allowed_signers \
207		< $DATA >/dev/null 2>&1 || \
208		fail "failed signature for $t cert"
209
210	# signing key listed as cert-authority
211	(printf "$sig_principal cert-authority " ;
212	 cat $pubkey) > $OBJ/allowed_signers
213	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
214		-I $sig_principal -f $OBJ/allowed_signers \
215		< $DATA >/dev/null 2>&1 && \
216		fail "accepted signature with $t key listed as CA"
217
218	# CA key not flagged cert-authority
219	(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
220	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
221		-I $sig_principal -f $OBJ/allowed_signers \
222		< $DATA >/dev/null 2>&1 && \
223		fail "accepted signature for $t cert with CA not marked"
224
225	# mismatch between cert principal and file
226	(printf "josef.k@example.com cert-authority " ;
227	 cat $CA_PUB) > $OBJ/allowed_signers
228	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
229		-I $sig_principal -f $OBJ/allowed_signers \
230		< $DATA >/dev/null 2>&1 && \
231		fail "accepted signature for $t cert with wrong principal"
232done
233
234trace "kill agent"
235${SSHAGENT} -k > /dev/null
236
237