mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-24 19:02:06 +00:00
upstream: Make certificate tests work with the supported key
algorithms. Allows tests to pass when built without OpenSSL. OpenBSD-Regress-ID: 617169a6dd9d06db3697a449d9a26c284eca20fc
This commit is contained in:
parent
26bf693661
commit
1e94afdfa8
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $
|
||||
# $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified host keys"
|
||||
@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
|
||||
rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
|
||||
|
||||
# Allow all hostkey/pubkey types, prefer certs for the client
|
||||
rsa=0
|
||||
types=""
|
||||
for i in `$SSH -Q key`; do
|
||||
if [ -z "$types" ]; then
|
||||
@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do
|
||||
types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
|
||||
types="rsa-sha2-512-cert-v01@openssh.com,$types";;
|
||||
*rsa*)
|
||||
rsa=1
|
||||
types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
|
||||
# Prefer certificate to plain keys.
|
||||
*cert*) types="$i,$types";;
|
||||
@ -51,10 +53,12 @@ kh_revoke() {
|
||||
}
|
||||
|
||||
# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
|
||||
# RSA for testing RSA/SHA2 signatures.
|
||||
# RSA for testing RSA/SHA2 signatures if supported.
|
||||
ktype2=ed25519
|
||||
[ "x$rsa" = "x1" ] && ktype2=rsa
|
||||
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
|
||||
fail "ssh-keygen of host_ca_key failed"
|
||||
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\
|
||||
${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\
|
||||
fail "ssh-keygen of host_ca_key failed"
|
||||
|
||||
kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
|
||||
@ -214,7 +218,7 @@ test_one() {
|
||||
result=$2
|
||||
sign_opts=$3
|
||||
|
||||
for kt in rsa ed25519 ; do
|
||||
for kt in $PLAIN_TYPES; do
|
||||
case $ktype in
|
||||
rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
|
||||
*) tflag=""; ca="$OBJ/host_ca_key" ;;
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $
|
||||
# $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified user keys"
|
||||
@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
|
||||
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
|
||||
EXTRA_TYPES=""
|
||||
rsa=""
|
||||
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
rsa=rsa
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
fi
|
||||
|
||||
@ -20,11 +22,20 @@ kname() {
|
||||
# subshell because some seds will add a newline
|
||||
*) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
|
||||
esac
|
||||
echo "$n*,ssh-rsa*,ssh-ed25519*"
|
||||
if [ -z "$rsa" ]; then
|
||||
echo "$n*,ssh-ed25519*"
|
||||
else
|
||||
echo "$n*,ssh-rsa*,ssh-ed25519*"
|
||||
fi
|
||||
}
|
||||
|
||||
# Create a CA key
|
||||
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
|
||||
if [ ! -z "$rsa" ]; then
|
||||
catype=rsa
|
||||
else
|
||||
catype=ed25519
|
||||
fi
|
||||
${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key ||\
|
||||
fail "ssh-keygen of user_ca_key failed"
|
||||
|
||||
# Generate and sign user keys
|
||||
@ -283,7 +294,7 @@ test_one() {
|
||||
fi
|
||||
|
||||
for auth in $auth_choice ; do
|
||||
for ktype in rsa ed25519 ; do
|
||||
for ktype in $rsa ed25519 ; do
|
||||
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
|
||||
if test "x$auth" = "xauthorized_keys" ; then
|
||||
# Add CA to authorized_keys
|
||||
|
Loading…
Reference in New Issue
Block a user