upstream commit

regression test for 'wildcard CA' serial/key ID revocations
This commit is contained in:
djm@openbsd.org 2015-01-30 01:11:39 +00:00 committed by Damien Miller
parent 4509b5d4a4
commit 86936ec245

View File

@ -1,4 +1,4 @@
# $OpenBSD: krl.sh,v 1.5 2015/01/19 17:31:13 djm Exp $
# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@ -74,26 +74,26 @@ verbose "$tid: generating test keys"
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
RKEYS="$RKEYS ${f}.pub"
RCERTS="$RCERTS ${f}-cert.pub"
done
UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
UNREVOKED=""
for n in $UNREVOKED_SERIALS ; do
f=`keygen $n`
UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"
UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"
UKEYS="$UKEYS ${f}.pub"
UCERTS="$UCERTS ${f}-cert.pub"
done
genkrls() {
OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
@ -102,14 +102,20 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
# These should succeed; they specify an explicit CA key.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
$OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
# These should succeed; they specify an wildcard CA key.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
# Revoke the same serials with the second CA key to ensure a multi-CA
# KRL is generated.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}
## XXX dump with trace and grep for set cert serials
@ -131,7 +137,7 @@ check_krl() {
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
fi
}
test_all() {
test_rev() {
FILES=$1
TAG=$2
KEYS_RESULT=$3
@ -140,32 +146,40 @@ test_all() {
KEYID_RESULT=$6
CERTS_RESULT=$7
CA_RESULT=$8
SERIAL_WRESULT=$9
KEYID_WRESULT=$10
verbose "$tid: checking revocations for $TAG"
for f in $FILES ; do
check_krl $f $OBJ/krl-empty no "$TAG"
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
check_krl $f $OBJ/krl-empty no "$TAG"
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
done
}
# keys all serial keyid certs CA
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
test_all() {
# wildcard
# keys all sr# k.ID cert CA sr.# k.ID
test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
}
test_all
# Check update. Results should be identical.
verbose "$tid: testing KRL update"
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
$OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
cp -f $OBJ/krl-empty $f
genkrls -u
done
# keys all serial keyid certs CA
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
test_all