legacy v00 certificates are gone; adapt and don't try to test them;

"sure" markus@ dtucker@

3 files changed, 67 insertions, 124 deletions

diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh
index 51685dc2b54..c99c2b1c36d 100644
--- a/regress/usr.bin/ssh/cert-hostkey.sh
+++ b/regress/usr.bin/ssh/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 
-type_has_legacy() {
-	case $1 in
-		ed25519*|ecdsa*) return 1 ;;
-	esac
-	return 0
-}
-
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
 		fatal "KRL update failed"
 	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
 	serial=`expr $serial + 1`
-	type_has_legacy $ktype || continue
-	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-	verbose "$tid: sign host ${ktype}_v00 cert"
-	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-	    -I "regress host key for $USER" \
-	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-		fatal "couldn't sign cert_host_key_${ktype}_v00"
-	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-	    $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-		fatal "KRL update failed"
-	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 
 attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
 
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+	for ktype in $PLAIN_TYPES ; do 
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
 	printf '@cert-authority '
 	printf "$HOSTS "
 	cat $OBJ/host_ca_key.pub
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+	for ktype in $PLAIN_TYPES ; do
 		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
 		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
 	done
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+	for ktype in $PLAIN_TYPES ; do 
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
 	result=$2
 	sign_opts=$3
 
-	for kt in rsa rsa_v00 ; do
-		case $kt in
-		*_v00) args="-t v00" ;;
-		*) args="" ;;
-		esac
-
-		verbose "$tid: host cert connect $ident $kt expect $result"
+	for kt in rsa ed25519 ; do
 		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
 		    -I "regress host key for $USER" \
-		    $sign_opts $args \
-		    $OBJ/cert_host_key_${kt} ||
+		    $sign_opts $OBJ/cert_host_key_${kt} ||
 			fail "couldn't sign cert_host_key_${kt}"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints"	failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
-	for ktype in $PLAIN_TYPES ; do 
-		type_has_legacy $ktype || continue
-		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-		# Generate and sign a host key
-		${SSHKEYGEN} -q -N '' -t ${ktype} \
-		    -f $OBJ/cert_host_key_${ktype} || \
-			fail "ssh-keygen of cert_host_key_${ktype} failed"
-		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-		    -I "regress host key for $USER" \
-		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-			fail "couldn't sign cert_host_key_${ktype}"
-		(
-			printf "$HOSTS "
-			cat $OBJ/cert_host_key_${ktype}.pub
-		) > $OBJ/known_hosts-cert
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
-		
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
-	done
+for ktype in $PLAIN_TYPES ; do 
+	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+	# Generate and sign a host key
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_host_key_${ktype} || \
+		fail "ssh-keygen of cert_host_key_${ktype} failed"
+	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	(
+		printf "$HOSTS "
+		cat $OBJ/cert_host_key_${ktype}.pub
+	) > $OBJ/known_hosts-cert
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 done
 
 # Wrong certificate
@@ -281,33 +252,30 @@ done
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
-	for kt in $PLAIN_TYPES ; do 
-		type_has_legacy $kt || continue
-		rm -f $OBJ/cert_host_key*
-		# Self-sign key
-		${SSHKEYGEN} -q -N '' -t ${kt} \
-		    -f $OBJ/cert_host_key_${kt} || \
-			fail "ssh-keygen of cert_host_key_${kt} failed"
-		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-		    -I "regress host key for $USER" \
-		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-			fail "couldn't sign cert_host_key_${kt}"
-		verbose "$tid: host ${kt} connect wrong cert"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${kt}
-			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-		) > $OBJ/sshd_proxy
-	
-		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
-		fi
-	done
+for kt in $PLAIN_TYPES ; do 
+	rm -f $OBJ/cert_host_key*
+	# Self-sign key
+	${SSHKEYGEN} -q -N '' -t ${kt} \
+	    -f $OBJ/cert_host_key_${kt} || \
+		fail "ssh-keygen of cert_host_key_${kt} failed"
+	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+		fail "couldn't sign cert_host_key_${kt}"
+	verbose "$tid: host ${kt} connect wrong cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${kt}
+		echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+	) > $OBJ/sshd_proxy
+
+	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
 done
 
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh
index b093a919614..d461b9e34ca 100644
--- a/regress/usr.bin/ssh/cert-userkey.sh
+++ b/regress/usr.bin/ssh/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 
-type_has_legacy() {
-	case $1 in
-		ed25519*|ecdsa*) return 1 ;;
-	esac
-	return 0
-}
-
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
 	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
 	    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
-	type_has_legacy $ktype || continue
-	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
-	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
-	verbose "$tid: sign host ${ktype}_v00 cert"
-	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
-	    "regress user key for $USER" \
-	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-		fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
 	for privsep in yes no ; do
 		_prefix="${ktype} privsep $privsep"
 
@@ -165,7 +150,7 @@ basic_tests() {
 		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
 	fi
 	
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+	for ktype in $PLAIN_TYPES ; do 
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
 			# Simple connect
@@ -257,12 +242,7 @@ test_one() {
 	fi
 
 	for auth in $auth_choice ; do
-		for ktype in rsa rsa_v00 ; do
-			case $ktype in
-			*_v00) keyv="-t v00" ;;
-			*) keyv="" ;;
-			esac
-
+		for ktype in rsa ed25519 ; do
 			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 			if test "x$auth" = "xauthorized_keys" ; then
 				# Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
 			verbose "$tid: $ident auth $auth expect $result $ktype"
 			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
 			    -I "regress user key for $USER" \
-			    $sign_opts $keyv \
-			    $OBJ/cert_user_key_${ktype} ||
+			    $sign_opts $OBJ/cert_user_key_${ktype} ||
 				fail "couldn't sign cert_user_key_${ktype}"
 
 			${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
 
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
-	case $ktype in
-	*_v00) args="-t v00" ;;
-	*) args="" ;;
-	esac
+for ktype in $PLAIN_TYPES ; do 
 	# Self-sign
-	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fail "couldn't sign cert_user_key_${ktype}"
diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
index 7de652bfbc4..a2a2be7b0bc 100644
--- a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
+++ b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */
+/* 	$OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -401,7 +401,7 @@ sshkey_tests(void)
 	ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
 	    &k1, NULL), 0);
 	k2 = get_private("ed25519_2");
-	ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0);
+	ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
 	ASSERT_PTR_NE(k1->cert, NULL);
 	k1->cert->type = SSH2_CERT_TYPE_USER;
 	k1->cert->serial = 1234;