openssh/regress/sshsig.sh

313 lines
12 KiB
Bash
Raw Normal View History

# $OpenBSD: sshsig.sh,v 1.8 2021/10/29 03:03:06 djm Exp $
2019-09-03 08:45:42 +00:00
# Placed in the Public Domain.
tid="sshsig"
DATA2=$OBJ/${DATANAME}.2
cat ${DATA} ${DATA} > ${DATA2}
rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
sig_namespace="test-$$"
sig_principal="user-$$@example.com"
# Make a "wrong key"
${SSHKEYGEN} -q -t ed25519 -f $OBJ/wrong-key \
-C "wrong trousers, Grommit" -N '' \
2019-09-03 08:45:42 +00:00
|| fatal "couldn't generate key"
WRONG=$OBJ/wrong-key.pub
# Make a CA key.
${SSHKEYGEN} -q -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
2019-09-03 08:45:42 +00:00
|| fatal "couldn't generate key"
CA_PRIV=$OBJ/sigca-key
CA_PUB=$OBJ/sigca-key.pub
trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fatal "could not start ssh-agent: exit code $r"
fi
2019-09-03 08:45:42 +00:00
SIGNKEYS="$SSH_KEYTYPES"
verbose "$tid: make certificates"
for t in $SSH_KEYTYPES ; do
${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
-I "regress signature key for $USER" \
-V "19840101:19860101" \
2019-09-03 08:45:42 +00:00
-n $sig_principal $OBJ/${t} || \
fatal "couldn't sign ${t}"
SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
done
for t in $SIGNKEYS; do
verbose "$tid: check signature for $t"
keybase=`basename $t .pub`
privkey=${OBJ}/`basename $t -cert.pub`
2019-09-03 08:45:42 +00:00
sigfile=${OBJ}/sshsig-${keybase}.sig
sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
2019-09-03 08:45:42 +00:00
pubkey=${OBJ}/${keybase}.pub
cert=${OBJ}/${keybase}-cert.pub
sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
2019-09-03 08:45:42 +00:00
${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 || \
fail "failed signature for $t key"
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 || \
fail "failed signature for $t key w/ limited namespace"
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-O print-pubkey \
< $DATA | cut -d' ' -f1-2 > ${OBJ}/${keybase}-fromsig.pub || \
fail "failed signature for $t key w/ print-pubkey"
cut -d' ' -f1-2 ${OBJ}/${keybase}.pub > ${OBJ}/${keybase}-strip.pub
diff -r ${OBJ}/${keybase}-strip.pub ${OBJ}/${keybase}-fromsig.pub || \
fail "print-pubkey differs from signature key"
2019-09-03 08:45:42 +00:00
# Invalid option
(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with bad signers option"
# Wrong key trusted.
(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with wrong key trusted"
# incorrect data
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA2 >/dev/null 2>&1 && \
fail "passed signature for wrong data with $t key"
# wrong principal in signers
(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with wrong principal"
# wrong namespace
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with wrong namespace"
# namespace excluded by option
(printf "$sig_principal namespaces=\"whatever\" " ;
cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with excluded namespace"
( printf "$sig_principal " ;
printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
cat $pubkey) > $OBJ/allowed_signers
# key lifespan valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19850101 \
< $DATA >/dev/null 2>&1 || \
fail "failed signature for $t key with valid expiry interval"
# key not yet valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19790101 \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t not-yet-valid key"
# key expired
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19910101 \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t with expired key"
# NB. assumes we're not running this test in the 1980s
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t with expired key"
# public key in revoked keys file
cat $pubkey > $OBJ/revoked_keys
(printf "$sig_principal namespaces=\"whatever\" " ;
cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-r $OBJ/revoked_keys \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key, but key is in revoked_keys"
# public key not revoked, but others are present in revoked_keysfile
cat $WRONG > $OBJ/revoked_keys
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-r $OBJ/revoked_keys \
< $DATA >/dev/null 2>&1 || \
fail "couldn't verify signature for $t key, but key not in revoked_keys"
# check-novalidate with valid data
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
< $DATA >/dev/null 2>&1 || \
fail "failed to check valid signature for $t key"
# check-novalidate with invalid data
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
< $DATA2 >/dev/null 2>&1 && \
fail "succeeded checking signature for $t key with invalid data"
# find-principals with valid public key
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \
fail "failed to find valid principals in allowed_signers"
# find-principals with wrong key not in allowed_signers
(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \
fail "succeeded finding principal with invalid signers file"
# Check signing keys using ssh-agent.
${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
# Move private key to ensure agent key is used
mv ${privkey} ${privkey}.tmp
${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
< $DATA > $sigfile_agent 2>/dev/null || \
fail "ssh-agent based sign using $pubkey failed"
${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
-n $sig_namespace < $DATA >/dev/null 2>&1 || \
fail "failed to check valid signature for $t key"
# Move private key back
mv ${privkey}.tmp ${privkey}
2019-09-03 08:45:42 +00:00
# Remaining tests are for certificates only.
case "$keybase" in
*-cert) ;;
*) continue ;;
esac
2019-09-03 08:45:42 +00:00
# correct CA key
(printf "$sig_principal cert-authority " ;
cat $CA_PUB) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19850101 \
2019-09-03 08:45:42 +00:00
< $DATA >/dev/null 2>&1 || \
fail "failed signature for $t cert"
# signing key listed as cert-authority
(printf "$sig_principal cert-authority " ;
2019-09-03 08:45:42 +00:00
cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature with $t key listed as CA"
# CA key not flagged cert-authority
(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t cert with CA not marked"
# mismatch between cert principal and file
(printf "josef.k@example.com cert-authority " ;
2019-09-03 08:45:42 +00:00
cat $CA_PUB) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t cert with wrong principal"
# Cert valid but CA revoked
cat $CA_PUB > $OBJ/revoked_keys
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-r $OBJ/revoked_keys \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key, but CA key in revoked_keys"
# Set lifespan of CA key and verify signed user certs behave accordingly
( printf "$sig_principal " ;
printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" " ;
cat $CA_PUB) > $OBJ/allowed_signers
# CA key lifespan valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19850101 \
< $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \
fail "failed signature for $t key with valid CA expiry interval"
# CA lifespan is valid but user key not yet valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19810101 \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert"
# CA lifespan is valid but user key expired
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19890101 \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with valid CA expiry interval but expired cert"
# CA key not yet valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19790101 \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t not-yet-valid CA key"
# CA key expired
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19910101 \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t with expired CA key"
# NB. assumes we're not running this test in the 1980s
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t with expired CA key"
# Set lifespan of CA outside of the cert validity
( printf "$sig_principal " ;
printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ;
cat $CA_PUB) > $OBJ/allowed_signers
# valid cert validity but expired CA
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19840101 \
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with expired CA but valid cert"
2019-09-03 08:45:42 +00:00
done
trace "kill agent"
${SSHAGENT} -k > /dev/null
2019-09-03 08:45:42 +00:00