upstream commit

unit and regress tests for SHA256/512; ok markus Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
2025-02-16 13:56:52 +00:00 · 2016-05-02 09:52:00 +00:00 · 2016-05-02 09:52:00 +00:00 · 67f1459efd
commit 67f1459efd
parent 0e8eeec8e7
3 changed files with 102 additions and 77 deletions
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
 #	Placed in the Public Domain.

 tid="certified host keys"
@ -30,29 +30,46 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 HOSTS='localhost-with-alias,127.0.0.1,::1'

-# Create a CA key and add it to known hosts. Ed25519 chosed for speed.
+kh_ca() {
+	for k in "$@" ; do
+		printf "@cert-authority $HOSTS "
+		cat $OBJ/$k || fatal "couldn't cat $k"
+	done
+}
+kh_revoke() {
+	for k in "$@" ; do
+		printf "@revoked * "
+		cat $OBJ/$k || fatal "couldn't cat $k"
+	done
+}
+
+# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
+# RSA for testing RSA/SHA2 signatures.
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/host_ca_key ||\
 	fail "ssh-keygen of host_ca_key failed"
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key2 ||\
+	fail "ssh-keygen of host_ca_key failed"
+
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

 # Plain text revocation files
 touch $OBJ/host_revoked_empty
 touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
-cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca

 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`

+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
+
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
-${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \
+${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
 	|| fatal "KRL init failed"

 # Generate and sign host keys
@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
 	${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
 	    $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
 	cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
-	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+	*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+	esac
+	${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
 		fatal "couldn't sign cert_host_key_${ktype}"
@ -131,15 +152,11 @@ for privsep in yes no ; do
 done

 # Revoked certificates with key present
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-	for ktype in $PLAIN_TYPES ; do
-		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
-		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
-	done
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
+for ktype in $PLAIN_TYPES ; do
+	test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
+done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
 	for ktype in $PLAIN_TYPES ; do
@ -162,14 +179,8 @@ for privsep in yes no ; do
 done

 # Revoked CA
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
+kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for ktype in $PLAIN_TYPES ; do
 	verbose "$tid: host ${ktype} revoked cert"
@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
 done

 # Create a CA key and add it to known hosts
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert

 test_one() {
@ -201,10 +208,13 @@ test_one() {
 	sign_opts=$3

 	for kt in rsa ed25519 ; do
-		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-		    -I "regress host key for $USER" \
+		case $ktype in
+		rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+		*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+		esac
+		${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
 		    $sign_opts $OBJ/cert_host_key_${kt} ||
-			fail "couldn't sign cert_host_key_${kt}"
+			fatal "couldn't sign cert_host_key_${kt}"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${kt}
@ -241,13 +251,16 @@ for ktype in $PLAIN_TYPES ; do
 	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
 	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
 	# Generate and sign a host key
-	${SSHKEYGEN} -q -N '' -t ${ktype} \
-	    -f $OBJ/cert_host_key_${ktype} || \
+	${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
 		fail "ssh-keygen of cert_host_key_${ktype} failed"
-	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
+	*)		tflag=""; ca="$OBJ/host_ca_key" ;;
+	esac
+	${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-		fail "couldn't sign cert_host_key_${ktype}"
+		fatal "couldn't sign cert_host_key_${ktype}"
 	(
 		printf "$HOSTS "
 		cat $OBJ/cert_host_key_${ktype}.pub
@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
 done

 # Wrong certificate
-(
-	printf '@cert-authority '
-	printf "$HOSTS "
-	cat $OBJ/host_ca_key.pub
-) > $OBJ/known_hosts-cert.orig
+kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for kt in $PLAIN_TYPES ; do
+	verbose "$tid: host ${kt} connect wrong cert"
 	rm -f $OBJ/cert_host_key*
 	# Self-sign key
-	${SSHKEYGEN} -q -N '' -t ${kt} \
-	    -f $OBJ/cert_host_key_${kt} || \
+	${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
 		fail "ssh-keygen of cert_host_key_${kt} failed"
-	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+	case $kt in
+	rsa-sha2-*)	tflag="-t $kt" ;;
+	*)		tflag="" ;;
+	esac
+	${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
 	    -I "regress host key for $USER" \
 	    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-		fail "couldn't sign cert_host_key_${kt}"
-	verbose "$tid: host ${kt} connect wrong cert"
+		fatal "couldn't sign cert_host_key_${kt}"
 	(
 		cat $OBJ/sshd_proxy_bak
 		echo HostKey $OBJ/cert_host_key_${kt}
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.15 2016/05/02 09:52:00 djm Exp $
 #	Placed in the Public Domain.

 tid="certified user keys"
@ -9,9 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak

 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`

+if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+fi
+
 kname() {
-	n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
-	echo "$n*,ssh-rsa*,ssh-ed25519*"
+	case $ktype in
+	rsa-sha2-*) ;;
+	*) printf $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/' ;;
+	esac
+ 	echo "*,ssh-rsa*,ssh-ed25519*"
 }

 # Create a CA key
@ -19,18 +26,24 @@ ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"

 # Generate and sign user keys
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
 	verbose "$tid: sign user ${ktype} cert"
 	${SSHKEYGEN} -q -N '' -t ${ktype} \
 	    -f $OBJ/cert_user_key_${ktype} || \
-		fail "ssh-keygen of cert_user_key_${ktype} failed"
-	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-	    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
-		fail "couldn't sign cert_user_key_${ktype}"
+		fatal "ssh-keygen of cert_user_key_${ktype} failed"
+	# Generate RSA/SHA2 certs for rsa-sha2* keys.
+	case $ktype in
+	rsa-sha2-*)	tflag="-t $ktype" ;;
+	*)		tflag="" ;;
+	esac
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
+	    -I "regress user key for $USER" \
+	    -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
+		fatal "couldn't sign cert_user_key_${ktype}"
 done

 # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES ; do 
+for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
 	for privsep in yes no ; do
 		_prefix="${ktype} privsep $privsep"
@ -348,7 +361,7 @@ for ktype in $PLAIN_TYPES ; do
 	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
-		fail "couldn't sign cert_user_key_${ktype}"
+		fatal "couldn't sign cert_user_key_${ktype}"
 	verbose "$tid: user ${ktype} connect wrong cert"
 	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 	    somehost true >/dev/null 2>&1
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */
+/* 	$OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@ -455,7 +455,7 @@ sshkey_tests(void)
 	put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
 	put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
 	ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
-	ASSERT_INT_EQ(sshkey_certify(k1, k2), 0);
+	ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0);
 	b = sshbuf_new();
 	ASSERT_PTR_NE(b, NULL);
 	ASSERT_INT_EQ(sshkey_putb(k1, b), 0);