author | Damien Miller <djm@cvs.openbsd.org> | 2018-09-12 01:23:49 +0000 |
committer | Damien Miller <djm@cvs.openbsd.org> | 2018-09-12 01:23:49 +0000 |
commit | 2369369435149ddcd5c9d4d176bd1a85f21a9e3a (patch) | |
tree | df653cc5c378831b9615f8c0f2f02931647414a7 /regress/usr.bin | |
parent | 7628792690b9b61d631186a927a75671cf6b2ff3 (diff) |
test revocation by explicit hash and by fingerprint
Diffstat (limited to 'regress/usr.bin')
-rw-r--r-- | regress/usr.bin/ssh/krl.sh | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
index 7a8ffa82aa2..eaef545a111 100644
--- a/regress/usr.bin/ssh/krl.sh
+++ b/regress/usr.bin/ssh/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
 # Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -79,6 +79,15 @@ for n in $UNREVOKED_SERIALS ; do
 UCERTS="$UCERTS ${f}-cert.pub"
 done
 
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+ (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+ (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+ (printf "hash: "; $SSHKEYGEN -lf $rkey | \
+ awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
 genkrls() {
 OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
@@ -91,6 +100,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
 >/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
 >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
 # This should fail as KRLs from serial/key-id spec need the CA specified.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
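Review bot: The `hash:` entries are produced by `$SSHKEYGEN -lf $rkey | awk '{ print $2 }'` inside a subshell whose exit status is never examined, so if `ssh-keygen -l` fails for a key the loop appends a bare `hash: ` line to `$OBJ/revoked-hash` and the problem only surfaces later as the generic "KRL failed" from genkrls. Capturing the fingerprint first and checking it points at the real cause: `fp=$($SSHKEYGEN -lf $rkey | awk '{ print $2 }')`, `test -n "$fp" || fatal "$SSHKEYGEN -l $rkey failed"`, `printf "hash: %s\n" "$fp" >> $OBJ/revoked-hash`. The three spec files are created with `touch` and then only appended to with `>>`; presumably an earlier `rm -f` outside this hunk clears `$OBJ/revoked-*`, otherwise a re-run in the same `$OBJ` accumulates duplicate entries.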
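Review bot: The three new `-kf` invocations discard stderr with `>/dev/null 2>&1`, whereas the adjacent `krl-all` and `krl-ca` lines that are likewise expected to succeed use `>/dev/null` only; a parse error in one of the new hash-spec files is therefore invisible, and the shared `fatal "$SSHKEYGEN KRL failed"` cannot say which of the three KRLs failed. Within this hunk `2>&1` is otherwise used only on the `krl-serial` command that is expected to fail, so dropping it on the new lines keeps that convention, and naming the spec in the message, e.g. `>/dev/null || fatal "$SSHKEYGEN KRL (hash) failed"`, makes a failure attributable. genkrls() begins before this hunk and ends after it.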
@@ -125,9 +140,9 @@ check_krl() {
 TAG=$4
 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
 result=$?
- if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
 fatal "key $KEY not revoked by KRL $KRL: $TAG"
- elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
 fi
 }
@@ -136,17 +151,21 @@ test_rev() {
 TAG=$2
 KEYS_RESULT=$3
 ALL_RESULT=$4
- SERIAL_RESULT=$5
- KEYID_RESULT=$6
- CERTS_RESULT=$7
- CA_RESULT=$8
- SERIAL_WRESULT=$9
- KEYID_WRESULT=$10
+ HASH_RESULT=$5
+ SERIAL_RESULT=$6
+ KEYID_RESULT=$7
+ CERTS_RESULT=$8
+ CA_RESULT=$9
+ SERIAL_WRESULT=$10
+ KEYID_WRESULT=$11
 verbose "$tid: checking revocations for $TAG"
 for f in $FILES ; do
 check_krl $f $OBJ/krl-empty no "$TAG"
 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
@@ -157,12 +176,12 @@ test_rev() {
 }
 
 test_all() {
- # wildcard
- # keys all sr# k.ID cert CA sr.# k.ID
- test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
- test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
- test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
- test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
+ # wildcard
+ # keys all hash sr# ID cert CA srl ID
+ test_rev "$RKEYS" "revoked keys" y y y n n n n n n
+ test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
+ test_rev "$RCERTS" "revoked certs" y y y y y y y y y
+ test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
 }
 
 test_all |
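Review bot: Narrowing the accepted expectation values to `y`/`n` leaves the unchanged `check_krl $f $OBJ/krl-empty no "$TAG"` call (a context line in the next hunk) matching neither branch, so an unexpected revocation by the empty KRL is no longer reported and that check passes vacuously. Either change that call to `n` or make check_krl reject any other value, e.g. add `elif test "x$EXPECT_REVOKED" != "xy" -a "x$EXPECT_REVOKED" != "xn" ; then` / `fatal "check_krl: bad expectation '$EXPECT_REVOKED': $TAG"` before the closing `fi`, which would have caught this mismatch immediately. The assignments of KEY, KRL and EXPECT_REVOKED at the top of check_krl lie before this hunk.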
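Review bot: `SERIAL_WRESULT=$10` and `KEYID_WRESULT=$11` do not read the tenth and eleventh arguments: the shell expands `$10` as `${1}0`, i.e. the first argument (the file list) with a digit appended, so both wildcard expectations receive a value that check_krl treats as neither `y` nor `n` and the checks that consume them, presumably further down test_rev, cannot fail. Use `SERIAL_WRESULT=${10}` and `KEYID_WRESULT=${11}`; the pre-change `KEYID_WRESULT=$10` had the same problem, but this commit now produces two such assignments. The body of test_rev continues past the end of this hunk.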