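# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
# Placed in the Public Domain.
#
# Certified host key regression test.
#
# Exercises the client-side decisions that determine whether a host
# certificate presented by sshd is trusted:
#   - the signing CA must be listed as @cert-authority for the host;
#   - a revoked host key or a revoked CA must be rejected even though the
#     @cert-authority entry is still present;
#   - user certificates, certificates with a non-matching principal list,
#     certificates outside their validity interval and certificates carrying
#     critical options must not be accepted as host certificates;
#   - a certificate whose CA is unknown is downgraded to the raw key, which
#     is then matched against known_hosts like any other host key;
#   - a certificate signed by an untrusted key (self-signed) is rejected.
#
# This file is sourced by the regress harness, which is expected to provide
# $SSH, $SSHKEYGEN, $OBJ, $TEST_SSH_ECC and the helpers fail, verbose and
# echon; none of them are defined here.

tid="certified host keys"

# used to disable ECC based tests on platforms without ECC
ecdsa=""
if test "x$TEST_SSH_ECC" = "xyes"; then
	ecdsa=ecdsa
fi

# Start from a clean slate and keep a pristine copy of sshd_proxy so each
# test can append its own HostKey/HostCertificate lines.
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Principals baked into every host certificate; must match the names the
# client is told to trust via @cert-authority below.
HOSTS='localhost-with-alias,127.0.0.1,::1'

# Create a CA key and add it to known hosts
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
	fail "ssh-keygen of host_ca_key failed"
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert

# Generate and sign host keys
# For each key type, produce a v01 host certificate and (except for ECDSA,
# which never had a v00 format) a second copy signed as a legacy v00 cert.
for ktype in rsa dsa $ecdsa ; do
	verbose "$tid: sign host ${ktype} cert"
	# Generate and sign a host key
	${SSHKEYGEN} -q -N '' -t ${ktype} \
	    -f $OBJ/cert_host_key_${ktype} || \
		fail "ssh-keygen of cert_host_key_${ktype} failed"
	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
		fail "couldn't sign cert_host_key_${ktype}"
	# v00 ecdsa certs do not exist
	test "${ktype}" = "ecdsa" && continue
	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
	    -I "regress host key for $USER" \
	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
		fail "couldn't sign cert_host_key_${ktype}_v00"
done

# Basic connect tests
# A certificate signed by the trusted CA must be accepted, with and without
# privilege separation on the server side.
for privsep in yes no ; do
	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} cert connect privsep $privsep"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
			-F $OBJ/ssh_proxy somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Revoked certificates with key present
# The CA is still trusted, but every certified host key is listed as
# @revoked; the revocation must win over the CA trust.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
	echon '@revoked '
	echon "* "
	cat $OBJ/cert_host_key_rsa.pub
	if test "x$TEST_SSH_ECC" = "xyes"; then
		echon '@revoked '
		echon "* "
		cat $OBJ/cert_host_key_ecdsa.pub
	fi
	echon '@revoked '
	echon "* "
	cat $OBJ/cert_host_key_dsa.pub
	echon '@revoked '
	echon "* "
	cat $OBJ/cert_host_key_rsa_v00.pub
	echon '@revoked '
	echon "* "
	cat $OBJ/cert_host_key_dsa_v00.pub
) > $OBJ/known_hosts-cert
for privsep in yes no ; do
	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
			echo UsePrivilegeSeparation $privsep
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			fail "ssh cert connect succeeded unexpectedly"
		fi
	done
done

# Revoked CA
# The CA key itself is both trusted and revoked; revocation of the CA must
# invalidate every certificate it signed.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
	echon '@revoked '
	echon "* "
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
	verbose "$tid: host ${ktype} revoked CA"
	(
		cat $OBJ/sshd_proxy_bak
		echo HostKey $OBJ/cert_host_key_${ktype}
		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
	) > $OBJ/sshd_proxy
	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
	if [ $? -eq 0 ]; then
		fail "ssh cert connect succeeded unexpectedly"
	fi
done

# Restore a known_hosts that trusts the CA (no revocations) for the
# certificate-content tests below.
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert

# test_one IDENT RESULT SIGN_OPTS
#   Re-sign the rsa and rsa_v00 host keys with the trusted CA using
#   SIGN_OPTS (word-split on purpose: it carries several ssh-keygen
#   arguments), point sshd at the resulting certificate and connect.
#   RESULT is "success" if the client must accept the certificate, anything
#   else if it must reject it.  IDENT only labels log and failure messages.
#   Note: the variables are shell globals, as the harness is plain sh.
test_one() {
	ident=$1
	result=$2
	sign_opts=$3

	for kt in rsa rsa_v00 ; do
		case $kt in
		*_v00) args="-t v00" ;;
		*) args="" ;;
		esac

		verbose "$tid: host cert connect $ident $kt expect $result"
		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    $sign_opts $args \
		    $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
		rc=$?
		if [ "x$result" = "xsuccess" ] ; then
			if [ $rc -ne 0 ]; then
				fail "ssh cert connect $ident failed unexpectedly"
			fi
		else
			if [ $rc -eq 0 ]; then
				fail "ssh cert connect $ident succeeded unexpectedly"
			fi
		fi
	done
}

# A user certificate (no -h) must never be accepted as a host certificate,
# even when signed by the trusted host CA.
test_one "user-certificate"	failure "-n $HOSTS"
# An empty principal list is valid for any host name.
test_one "empty principals"	success "-h"
test_one "wrong principals"	failure "-h -n foo"
# Validity intervals are expressed relative to "now" so the expectation
# cannot silently invert once the calendar passes a hard-coded date.
test_one "cert not yet valid"	failure "-h -V+1w:+2w"
test_one "cert expired"		failure "-h -V-2w:-1w"
test_one "cert valid interval"	success "-h -V-1w:+2w"
# Host certificates must not carry critical options/constraints.
test_one "cert has constraints"	failure "-h -Oforce-command=false"

# Check downgrade of cert to raw key when no CA found
# known_hosts holds only the raw host key (no @cert-authority).  The client
# must ignore the certificate and match the underlying key instead.
for v in v01 v00 ; do
	for ktype in rsa dsa $ecdsa ; do
		# v00 ecdsa certs do not exist.
		test "${v}${ktype}" = "v00ecdsa" && continue
		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
		# Generate and sign a host key
		${SSHKEYGEN} -q -N '' -t ${ktype} \
		    -f $OBJ/cert_host_key_${ktype} || \
			fail "ssh-keygen of cert_host_key_${ktype} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
			fail "couldn't sign cert_host_key_${ktype}"
		(
			echon "$HOSTS "
			cat $OBJ/cert_host_key_${ktype}.pub
		) > $OBJ/known_hosts-cert
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${ktype}
			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
			-F $OBJ/ssh_proxy somehost true
		if [ $? -ne 0 ]; then
			fail "ssh cert connect failed"
		fi
	done
done

# Wrong certificate
# The host key is self-signed, i.e. certified by a key that is not a
# trusted CA; the client must reject it (and must not accept the raw key,
# which is not in known_hosts either).
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for v in v01 v00 ; do
	for kt in rsa dsa $ecdsa ; do
		# v00 ecdsa certs do not exist.
		# Test the loop variable $kt: the previous version tested the
		# stale $ktype left by the downgrade loop, which with ECC
		# enabled silently skipped every v00 case here.
		test "${v}${kt}" = "v00ecdsa" && continue
		rm -f $OBJ/cert_host_key*
		# Self-sign key
		${SSHKEYGEN} -q -N '' -t ${kt} \
		    -f $OBJ/cert_host_key_${kt} || \
			fail "ssh-keygen of cert_host_key_${kt} failed"
		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
		    -I "regress host key for $USER" \
		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
			fail "couldn't sign cert_host_key_${kt}"
		verbose "$tid: host ${kt} ${v} connect wrong cert"
		(
			cat $OBJ/sshd_proxy_bak
			echo HostKey $OBJ/cert_host_key_${kt}
			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
		) > $OBJ/sshd_proxy

		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			# Report this loop's key/cert, not the stale $ident
			# left behind by the last test_one call.
			fail "ssh cert connect ${kt} ${v} wrong cert succeeded unexpectedly"
		fi
	done
done

rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*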