mirror of git://anongit.mindrot.org/openssh.git
oops; missed including the actual file
This commit is contained in:
parent
1a72c0dd89
commit
b08a6bc1cc
|
@ -0,0 +1,140 @@
|
|||
# $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="sshsig"
|
||||
|
||||
DATA2=$OBJ/${DATANAME}.2
|
||||
cat ${DATA} ${DATA} > ${DATA2}
|
||||
|
||||
rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
|
||||
|
||||
sig_namespace="test-$$"
|
||||
sig_principal="user-$$@example.com"
|
||||
|
||||
# Make a "wrong key"
|
||||
${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
|
||||
|| fatal "couldn't generate key"
|
||||
WRONG=$OBJ/wrong-key.pub
|
||||
|
||||
# Make a CA key.
|
||||
${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
|
||||
|| fatal "couldn't generate key"
|
||||
CA_PRIV=$OBJ/sigca-key
|
||||
CA_PUB=$OBJ/sigca-key.pub
|
||||
|
||||
SIGNKEYS="$SSH_KEYTYPES"
|
||||
verbose "$tid: make certificates"
|
||||
for t in $SSH_KEYTYPES ; do
|
||||
${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
|
||||
-I "regress signature key for $USER" \
|
||||
-n $sig_principal $OBJ/${t} || \
|
||||
fatal "couldn't sign ${t}"
|
||||
SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
|
||||
done
|
||||
|
||||
for t in $SIGNKEYS; do
|
||||
verbose "$tid: check signature for $t"
|
||||
keybase=`basename $t .pub`
|
||||
sigfile=${OBJ}/sshsig-${keybase}.sig
|
||||
pubkey=${OBJ}/${keybase}.pub
|
||||
|
||||
${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
|
||||
< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
|
||||
|
||||
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 || \
|
||||
fail "failed signature for $t key"
|
||||
|
||||
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
|
||||
cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 || \
|
||||
fail "failed signature for $t key w/ limited namespace"
|
||||
|
||||
# Invalid option
|
||||
(printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t key with bad signers option"
|
||||
|
||||
# Wrong key trusted.
|
||||
(printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t key with wrong key trusted"
|
||||
|
||||
# incorrect data
|
||||
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA2 >/dev/null 2>&1 && \
|
||||
fail "passed signature for wrong data with $t key"
|
||||
|
||||
# wrong principal in signers
|
||||
(printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t key with wrong principal"
|
||||
|
||||
# wrong namespace
|
||||
(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t key with wrong namespace"
|
||||
|
||||
# namespace excluded by option
|
||||
(printf "$sig_principal namespaces=\"whatever\" " ;
|
||||
cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t key with excluded namespace"
|
||||
|
||||
# Remaining tests are for certificates only.
|
||||
case "$keybase" in
|
||||
*-cert) ;;
|
||||
*) continue ;;
|
||||
esac
|
||||
|
||||
# correct CA key
|
||||
(printf "$sig_principal cert-authority " ;
|
||||
cat $CA_PUB) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 || \
|
||||
fail "failed signature for $t cert"
|
||||
|
||||
# signing key listed as cert-authority
|
||||
(printf "$sig_principal cert-authority" ;
|
||||
cat $pubkey) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature with $t key listed as CA"
|
||||
|
||||
# CA key not flagged cert-authority
|
||||
(printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t cert with CA not marked"
|
||||
|
||||
# mismatch between cert principal and file
|
||||
(printf "josef.k@example.com cert-authority" ;
|
||||
cat $CA_PUB) > $OBJ/allowed_signers
|
||||
${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
|
||||
-I $sig_principal -f $OBJ/allowed_signers \
|
||||
< $DATA >/dev/null 2>&1 && \
|
||||
fail "accepted signature for $t cert with wrong principal"
|
||||
done
|
||||
|
||||
# XXX test keys in agent.
|
||||
# XXX test revocation
|
||||
|
Loading…
Reference in New Issue