summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2018-09-12 01:23:49 +0000
committerDamien Miller <djm@cvs.openbsd.org>2018-09-12 01:23:49 +0000
commit2369369435149ddcd5c9d4d176bd1a85f21a9e3a (patch)
treedf653cc5c378831b9615f8c0f2f02931647414a7 /regress
parent7628792690b9b61d631186a927a75671cf6b2ff3 (diff)
test revocation by explicit hash and by fingerprint
Diffstat (limited to 'regress')
-rw-r--r--regress/usr.bin/ssh/krl.sh49
1 files changed, 34 insertions, 15 deletions
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
index 7a8ffa82aa2..eaef545a111 100644
--- a/regress/usr.bin/ssh/krl.sh
+++ b/regress/usr.bin/ssh/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -79,6 +79,15 @@ for n in $UNREVOKED_SERIALS ; do
UCERTS="$UCERTS ${f}-cert.pub"
done
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+ (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+ (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+ (printf "hash: "; $SSHKEYGEN -lf $rkey | \
+ awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
genkrls() {
OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
@@ -91,6 +100,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
# This should fail as KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
@@ -125,9 +140,9 @@ check_krl() {
TAG=$4
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
result=$?
- if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
fatal "key $KEY not revoked by KRL $KRL: $TAG"
- elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
fi
}
@@ -136,17 +151,21 @@ test_rev() {
TAG=$2
KEYS_RESULT=$3
ALL_RESULT=$4
- SERIAL_RESULT=$5
- KEYID_RESULT=$6
- CERTS_RESULT=$7
- CA_RESULT=$8
- SERIAL_WRESULT=$9
- KEYID_WRESULT=$10
+ HASH_RESULT=$5
+ SERIAL_RESULT=$6
+ KEYID_RESULT=$7
+ CERTS_RESULT=$8
+ CA_RESULT=$9
+ SERIAL_WRESULT=$10
+ KEYID_WRESULT=$11
verbose "$tid: checking revocations for $TAG"
for f in $FILES ; do
check_krl $f $OBJ/krl-empty no "$TAG"
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
@@ -157,12 +176,12 @@ test_rev() {
}
test_all() {
- # wildcard
- # keys all sr# k.ID cert CA sr.# k.ID
- test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
- test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
- test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
- test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
+ # wildcard
+ # keys all hash sr# ID cert CA srl ID
+ test_rev "$RKEYS" "revoked keys" y y y n n n n n n
+ test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
+ test_rev "$RCERTS" "revoked certs" y y y y y y y y y
+ test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
}
test_all