upstream: regression test for time-limited signature keys

OpenBSD-Regress-ID: 2a6f3bd900dbee0a3c96f1ff23e032c93ab392bc
This commit is contained in:
djm@openbsd.org 2021-07-23 03:54:55 +00:00 committed by Darren Tucker
parent 9e1882ef64
commit 441095d4a3
1 changed files with 29 additions and 1 deletions

View File

@ -1,4 +1,4 @@
# $OpenBSD: sshsig.sh,v 1.5 2021/07/12 02:12:22 djm Exp $ # $OpenBSD: sshsig.sh,v 1.6 2021/07/23 03:54:55 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="sshsig" tid="sshsig"
@ -107,6 +107,34 @@ for t in $SIGNKEYS; do
< $DATA >/dev/null 2>&1 && \ < $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with excluded namespace" fail "accepted signature for $t key with excluded namespace"
( printf "$sig_principal " ;
printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
cat $pubkey) > $OBJ/allowed_signers
# key lifespan valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19850101 \
< $DATA >/dev/null 2>&1 || \
fail "failed signature for $t key with valid expiry interval"
# key not yet valid
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19790101 \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t not-yet-valid key"
# key expired
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
-Overify-time=19910101 \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t with expired key"
# NB. assumes we're not running this test in the 1980s
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-I $sig_principal -f $OBJ/allowed_signers \
< $DATA >/dev/null 2>&1 && \
fail "failed signature for $t with expired key"
# public key in revoked keys file # public key in revoked keys file
cat $pubkey > $OBJ/revoked_keys cat $pubkey > $OBJ/revoked_keys
(printf "$sig_principal namespaces=\"whatever\" " ; (printf "$sig_principal namespaces=\"whatever\" " ;