summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2014-11-17 00:21:41 +0000
committerDamien Miller <djm@cvs.openbsd.org>2014-11-17 00:21:41 +0000
commit882f236011421171b95dede9640543610ec7d633 (patch)
treeaa9e7f9811c703eb4fe327088318d306acceb34d /regress
parentb70ce01628cd5072c969d0d542d3b005b8ad5c2f (diff)
fix KRL generation when multiple CAs are in use
We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
Diffstat (limited to 'regress')
-rw-r--r--regress/usr.bin/ssh/krl.sh10
1 files changed, 8 insertions, 2 deletions
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
index 8a09340795e..4d6364c8c53 100644
--- a/regress/usr.bin/ssh/krl.sh
+++ b/regress/usr.bin/ssh/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
+# $OpenBSD: krl.sh,v 1.4 2014/11/17 00:21:40 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -11,6 +11,8 @@ rm -f $OBJ/revoked-* $OBJ/krl-*
# Generate a CA key
$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA2 failed"
# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
@@ -87,13 +89,17 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-# KRLs from serial/key-id spec need the CA specified.
+# This should fail as KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# Revoke the same serials with the second CA key to ensure a multi-CA
+# KRL is generated.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
+ $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}