Home | History | Annotate | Download | only in regress 
      1 #	$OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
      2 #	Placed in the Public Domain.
      3 
      4 tid="key revocation lists"
      5 
      6 # If we don't support ecdsa keys then this tell will be much slower.
      7 ECDSA=ecdsa
      8 if test "x$TEST_SSH_ECC" != "xyes"; then
      9 	ECDSA=rsa
     10 fi
     11 
     12 # Do most testing with ssh-keygen; it uses the same verification code as sshd.
     13 
     14 # Old keys will interfere with ssh-keygen.
     15 rm -f $OBJ/revoked-* $OBJ/krl-*
     16 
     17 # Generate a CA key
     18 $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
     19 	fatal "$SSHKEYGEN CA failed"
     20 $SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2  -C "" -N "" > /dev/null ||
     21 	fatal "$SSHKEYGEN CA2 failed"
     22 
     23 # A specification that revokes some certificates by serial numbers
     24 # The serial pattern is chosen to ensure the KRL includes list, range and
     25 # bitmap sections.
     26 cat << EOF >> $OBJ/revoked-serials
     27 serial: 1-4
     28 serial: 10
     29 serial: 15
     30 serial: 30
     31 serial: 50
     32 serial: 999
     33 # The following sum to 500-799
     34 serial: 500
     35 serial: 501
     36 serial: 502
     37 serial: 503-600
     38 serial: 700-797
     39 serial: 798
     40 serial: 799
     41 serial: 599-701
     42 # Some multiple consecutive serial number ranges
     43 serial: 10000-20000
     44 serial: 30000-40000
     45 EOF
     46 
     47 # A specification that revokes some certificated by key ID.
     48 touch $OBJ/revoked-keyid
     49 for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
     50 	test "x$n" = "x499" && continue
     51 	# Fill in by-ID revocation spec.
     52 	echo "id: revoked $n" >> $OBJ/revoked-keyid
     53 done
     54 
     55 keygen() {
     56 	N=$1
     57 	f=$OBJ/revoked-`printf "%04d" $N`
     58 	# Vary the keytype. We use mostly ECDSA since this is fastest by far.
     59 	keytype=$ECDSA
     60 	case $N in
     61 	2 | 10 | 510 | 1001)	keytype=rsa;;
     62 	4 | 30 | 520 | 1002)	keytype=ed25519;;
     63 	esac
     64 	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
     65 		|| fatal "$SSHKEYGEN failed"
     66 	# Sign cert
     67 	$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
     68 		|| fatal "$SSHKEYGEN sign failed"
     69 	echo $f
     70 }
     71 
     72 # Generate some keys.
     73 verbose "$tid: generating test keys"
     74 REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
     75 for n in $REVOKED_SERIALS ; do
     76 	f=`keygen $n`
     77 	RKEYS="$RKEYS ${f}.pub"
     78 	RCERTS="$RCERTS ${f}-cert.pub"
     79 done
     80 UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
     81 UNREVOKED=""
     82 for n in $UNREVOKED_SERIALS ; do
     83 	f=`keygen $n`
     84 	UKEYS="$UKEYS ${f}.pub"
     85 	UCERTS="$UCERTS ${f}-cert.pub"
     86 done
     87 
     88 genkrls() {
     89 	OPTS=$1
     90 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
     91 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
     92 $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
     93 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
     94 $SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
     95 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
     96 $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
     97 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
     98 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
     99 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
    100 # This should fail as KRLs from serial/key-id spec need the CA specified.
    101 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
    102 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
    103 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
    104 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
    105 # These should succeed; they specify an explicit CA key.
    106 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
    107 	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
    108 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
    109 	$OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
    110 # These should succeed; they specify an wildcard CA key.
    111 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
    112 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
    113 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
    114 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
    115 # Revoke the same serials with the second CA key to ensure a multi-CA
    116 # KRL is generated.
    117 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
    118 	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
    119 }
    120 
    121 ## XXX dump with trace and grep for set cert serials
    122 ## XXX test ranges near (u64)-1, etc.
    123 
    124 verbose "$tid: generating KRLs"
    125 genkrls
    126 
    127 check_krl() {
    128 	KEY=$1
    129 	KRL=$2
    130 	EXPECT_REVOKED=$3
    131 	TAG=$4
    132 	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
    133 	result=$?
    134 	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
    135 		fatal "key $KEY not revoked by KRL $KRL: $TAG"
    136 	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
    137 		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
    138 	fi
    139 }
    140 test_rev() {
    141 	FILES=$1
    142 	TAG=$2
    143 	KEYS_RESULT=$3
    144 	ALL_RESULT=$4
    145 	SERIAL_RESULT=$5
    146 	KEYID_RESULT=$6
    147 	CERTS_RESULT=$7
    148 	CA_RESULT=$8
    149 	SERIAL_WRESULT=$9
    150 	KEYID_WRESULT=$10
    151 	verbose "$tid: checking revocations for $TAG"
    152 	for f in $FILES ; do
    153 		check_krl $f $OBJ/krl-empty		no		"$TAG"
    154 		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
    155 		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
    156 		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
    157 		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
    158 		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
    159 		check_krl $f $OBJ/krl-ca		$CA_RESULT	"$TAG"
    160 		check_krl $f $OBJ/krl-serial-wild	$SERIAL_WRESULT	"$TAG"
    161 		check_krl $f $OBJ/krl-keyid-wild	$KEYID_WRESULT	"$TAG"
    162 	done
    163 }
    164 
    165 test_all() {
    166 	#                                                               wildcard
    167 	#                                   keys all sr# k.ID cert  CA sr.# k.ID
    168 	test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
    169 	test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
    170 	test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
    171 	test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
    172 }
    173 
    174 test_all
    175 
    176 # Check update. Results should be identical.
    177 verbose "$tid: testing KRL update"
    178 for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
    179     $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
    180     $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
    181 	cp -f $OBJ/krl-empty $f
    182 	genkrls -u
    183 done
    184 
    185 test_all
    186