mirror of git://anongit.mindrot.org/openssh.git
93 lines
2.9 KiB
Bash
93 lines
2.9 KiB
Bash
|
# $OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
|
||
|
# Placed in the Public Domain.
|
||
|
|
||
|
tid="pkcs11 agent certificate test"
|
||
|
|
||
|
SSH_AUTH_SOCK="$OBJ/agent.sock"
|
||
|
export SSH_AUTH_SOCK
|
||
|
LC_ALL=C
|
||
|
export LC_ALL
|
||
|
p11_setup || skip "No PKCS#11 library found"
|
||
|
|
||
|
rm -f $SSH_AUTH_SOCK $OBJ/agent.log
|
||
|
rm -f $OBJ/output_* $OBJ/expect_*
|
||
|
rm -f $OBJ/ca*
|
||
|
|
||
|
trace "generate CA key and certify keys"
|
||
|
$SSHKEYGEN -q -t ed25519 -C ca -N '' -f $OBJ/ca || fatal "ssh-keygen CA failed"
|
||
|
$SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub ||
|
||
|
fatal "certify ECDSA key failed"
|
||
|
$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
|
||
|
fatal "certify RSA key failed"
|
||
|
$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
|
||
|
fatal "certify CA key failed"
|
||
|
|
||
|
rm -f $SSH_AUTH_SOCK
|
||
|
trace "start agent"
|
||
|
${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
|
||
|
AGENT_PID=$!
|
||
|
trap "kill $AGENT_PID" EXIT
|
||
|
for x in 0 1 2 3 4 ; do
|
||
|
# Give it a chance to start
|
||
|
${SSHADD} -l > /dev/null 2>&1
|
||
|
r=$?
|
||
|
test $r -eq 1 && break
|
||
|
sleep 1
|
||
|
done
|
||
|
if [ $r -ne 1 ]; then
|
||
|
fatal "ssh-add -l did not fail with exit code 1 (got $r)"
|
||
|
fi
|
||
|
|
||
|
trace "load pkcs11 keys and certs"
|
||
|
# Note: deliberately contains non-cert keys and non-matching cert on commandline
|
||
|
p11_ssh_add -qs ${TEST_SSH_PKCS11} \
|
||
|
$OBJ/ca.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC-cert.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
|
||
|
fatal "failed to add keys"
|
||
|
# Verify their presence
|
||
|
cut -d' ' -f1-2 \
|
||
|
${SSH_SOFTHSM_DIR}/EC.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC-cert.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
|
||
|
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
|
||
|
diff $OBJ/expect_list $OBJ/output_list
|
||
|
|
||
|
# Verify that all can perform signatures.
|
||
|
for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
|
||
|
$SSHADD -T $x || fail "Signing failed for $x"
|
||
|
done
|
||
|
|
||
|
# Delete plain keys.
|
||
|
$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
|
||
|
# Verify that certs can still perform signatures.
|
||
|
for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
|
||
|
$SSHADD -T $x || fail "Signing failed for $x"
|
||
|
done
|
||
|
|
||
|
$SSHADD -qD >/dev/null || fatal "clear agent failed"
|
||
|
|
||
|
trace "load pkcs11 certs only"
|
||
|
p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
|
||
|
$OBJ/ca.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC.pub \
|
||
|
${SSH_SOFTHSM_DIR}/EC-cert.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
|
||
|
fatal "failed to add keys"
|
||
|
# Verify their presence
|
||
|
cut -d' ' -f1-2 \
|
||
|
${SSH_SOFTHSM_DIR}/EC-cert.pub \
|
||
|
${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
|
||
|
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
|
||
|
diff $OBJ/expect_list $OBJ/output_list
|
||
|
|
||
|
# Verify that certs can perform signatures.
|
||
|
for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
|
||
|
$SSHADD -T $x || fail "Signing failed for $x"
|
||
|
done
|