diff options
-rw-r--r-- | regress/sshsig.sh | 72 |
1 files changed, 68 insertions, 4 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh index d4daa5c9d..dae03706d 100644 --- a/regress/sshsig.sh +++ b/regress/sshsig.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sshsig.sh,v 1.14 2022/02/01 23:37:15 djm Exp $ +# $OpenBSD: sshsig.sh,v 1.15 2023/10/12 03:51:08 djm Exp $ # Placed in the Public Domain. tid="sshsig" @@ -51,6 +51,7 @@ for t in $SIGNKEYS; do cert=${OBJ}/${keybase}-cert.pub sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig + trace "$tid: key type $t check bad hashlg" ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \ -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \ fail "sign using $t with bad hash algorithm succeeded" @@ -60,16 +61,19 @@ for t in $SIGNKEYS; do default) hashalg_arg="" ;; *) hashalg_arg="-Ohashalg=$h" ;; esac + trace "$tid: key type $t sign with hash $h" ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \ $hashalg_arg < $DATA > $sigfile 2>/dev/null || \ fail "sign using $t / $h failed" (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers + trace "$tid: key type $t verify with hash $h" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 || \ fail "failed signature for $t / $h key" done + trace "$tid: key type $t verify with limited namespace" (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -77,6 +81,7 @@ for t in $SIGNKEYS; do < $DATA >/dev/null 2>&1 || \ fail "failed signature for $t key w/ limited namespace" + trace "$tid: key type $t print-pubkey" (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -q -Y verify -s $sigfile -n $sig_namespace \ @@ -89,6 +94,7 @@ for t in $SIGNKEYS; do fail "print-pubkey differs from signature key" # Invalid option + trace "$tid: key type $t verify with bad signers" (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -96,6 +102,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t key with bad signers option" # Wrong key trusted. + trace "$tid: key type $t verify with wrong key" (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -103,6 +110,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t key with wrong key trusted" # incorrect data + trace "$tid: key type $t verify with wrong data" (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -110,6 +118,7 @@ for t in $SIGNKEYS; do fail "passed signature for wrong data with $t key" # wrong principal in signers + trace "$tid: key type $t verify with wrong principal" (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -117,6 +126,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t key with wrong principal" # wrong namespace + trace "$tid: key type $t verify with wrong namespace" (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -124,6 +134,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t key with wrong namespace" # namespace excluded by option + trace "$tid: key type $t verify with excluded namespace" (printf "$sig_principal namespaces=\"whatever\" " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -136,50 +147,59 @@ for t in $SIGNKEYS; do cat $pubkey) > $OBJ/allowed_signers # key lifespan valid + trace "$tid: key type $t verify with valid lifespan" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19850101 \ < $DATA >/dev/null 2>&1 || \ fail "failed signature for $t key with valid expiry interval" # key not yet valid + trace "$tid: key type $t verify with not-yet-valid lifespan" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19790101 \ < $DATA >/dev/null 2>&1 && \ fail "failed signature for $t not-yet-valid key" # key expired + trace "$tid: key type $t verify with expired lifespan" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19910101 \ < $DATA >/dev/null 2>&1 && \ fail "failed signature for $t with expired key" # NB. assumes we're not running this test in the 1980s + trace "$tid: key type $t verify with expired lifespan (now)" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 && \ fail "failed signature for $t with expired key" # key lifespan valid + trace "$tid: key type $t find-principals with valid lifespan" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19850101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t key with valid expiry interval" # key not yet valid + trace "$tid: key type $t find principals with not-yet-valid lifespan" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19790101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t not-yet-valid key" # key expired + trace "$tid: key type $t find-principals with expired lifespan" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19990101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t with expired key" # NB. assumes we're not running this test in the 1980s + trace "$tid: key type $t find-principals with expired lifespan (now)" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t with expired key" # public key in revoked keys file + trace "$tid: key type $t verify with revoked key" cat $pubkey > $OBJ/revoked_keys (printf "$sig_principal namespaces=\"whatever\" " ; cat $pubkey) > $OBJ/allowed_signers @@ -190,6 +210,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t key, but key is in revoked_keys" # public key not revoked, but others are present in revoked_keysfile + trace "$tid: key type $t verify with unrevoked key" cat $WRONG > $OBJ/revoked_keys (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -199,26 +220,31 @@ for t in $SIGNKEYS; do fail "couldn't verify signature for $t key, but key not in revoked_keys" # check-novalidate with valid data + trace "$tid: key type $t check-novalidate with valid data" ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ < $DATA >/dev/null 2>&1 || \ fail "failed to check valid signature for $t key" # check-novalidate with invalid data + trace "$tid: key type $t check-novalidate with invalid data" ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \ < $DATA2 >/dev/null 2>&1 && \ fail "succeeded checking signature for $t key with invalid data" # find-principals with valid public key + trace "$tid: key type $t find-principals with valid key" (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed to find valid principals in allowed_signers" # find-principals with wrong key not in allowed_signers + trace "$tid: key type $t find-principals with wrong key" (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "succeeded finding principal with invalid signers file" # find-principals with a configured namespace but none on command-line + trace "$tid: key type $t find-principals with missing namespace" (printf "$sig_principal " ; printf "namespaces=\"test1,test2\" "; cat $pubkey) > $OBJ/allowed_signers @@ -227,18 +253,27 @@ for t in $SIGNKEYS; do fail "failed finding principal when namespaces are configured" # Check signing keys using ssh-agent. + trace "$tid: key type $t prepare agent" ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys. ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed" # Move private key to ensure agent key is used mv ${privkey} ${privkey}.tmp + trace "$tid: key type $t sign with agent" ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \ < $DATA > $sigfile_agent 2>/dev/null || \ fail "ssh-agent based sign using $pubkey failed" + trace "$tid: key type $t check signature w/ agent" ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \ -n $sig_namespace < $DATA >/dev/null 2>&1 || \ fail "failed to check valid signature for $t key" + (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" "; + cat $pubkey) > $OBJ/allowed_signers + ${SSHKEYGEN} -vvv -Y verify -s $sigfile_agent -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 || \ + fail "failed signature for $t key w/ limited namespace" # Move private key back mv ${privkey}.tmp ${privkey} @@ -252,45 +287,53 @@ for t in $SIGNKEYS; do cat $pubkey) > $OBJ/allowed_signers # find-principals outside of any validity lifespan + trace "$tid: key type $t find principals outside multiple validities" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="20100101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "succeeded find-principals for $t verify-time outside of validity" # find-principals matching only the first lifespan + trace "$tid: key type $t find principals matching one validity (1st)" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19830101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t verify-time within first span" # find-principals matching both lifespans + trace "$tid: key type $t find principals matching two validities" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19880101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t verify-time within both spans" # find-principals matching only the second lifespan + trace "$tid: key type $t find principals matching one validity (2nd)" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19950101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t verify-time within second span" # verify outside of any validity lifespan + trace "$tid: key type $t verify outside multiple validities" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -Overify-time="20100101" -I $sig_principal \ -r $OBJ/revoked_keys -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 && \ fail "succeeded verify for $t verify-time outside of validity" # verify matching only the first lifespan + trace "$tid: key type $t verify matching one validity (1st)" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -Overify-time="19830101" -I $sig_principal \ -r $OBJ/revoked_keys -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 || \ fail "failed verify for $t verify-time within first span" # verify matching both lifespans + trace "$tid: key type $t verify matching two validities" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -Overify-time="19880101" -I $sig_principal \ -r $OBJ/revoked_keys -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 || \ fail "failed verify for $t verify-time within both spans" # verify matching only the second lifespan + trace "$tid: key type $t verify matching one validity (2nd)" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -Overify-time="19950101" -I $sig_principal \ -r $OBJ/revoked_keys -f $OBJ/allowed_signers \ @@ -308,26 +351,31 @@ for t in $SIGNKEYS; do printf "cert-authority,valid-after=\"19800101\",valid-before=\"19900101\" "; cat $CA_PUB) > $OBJ/allowed_signers # key lifespan valid + trace "$tid: key type $t find-principals cert lifetime valid" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19850101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t key with valid expiry interval" # key not yet valid + trace "$tid: key type $t find-principals cert lifetime not-yet-valid" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19790101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t not-yet-valid key" # key expired + trace "$tid: key type $t find-principals cert lifetime expired" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time="19990101" \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t with expired key" # NB. assumes we're not running this test in the 1980s + trace "$tid: key type $t find-principals cert lifetime expired (now)" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -f $OBJ/allowed_signers >/dev/null 2>&1 && \ fail "failed find-principals for $t with expired key" # correct CA key + trace "$tid: key type $t verify cert good CA" (printf "$sig_principal cert-authority " ; cat $CA_PUB) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -337,12 +385,14 @@ for t in $SIGNKEYS; do fail "failed signature for $t cert" # find-principals + trace "$tid: key type $t find-principals cert good CA" ${SSHKEYGEN} -vvv -Y find-principals -s $sigfile \ -Overify-time=19850101 \ -f $OBJ/allowed_signers >/dev/null 2>&1 || \ fail "failed find-principals for $t with ca key" # CA with wildcard principal + trace "$tid: key type $t find-principals cert good wildcard CA" (printf "*@example.com cert-authority " ; cat $CA_PUB) > $OBJ/allowed_signers # find-principals CA with wildcard principal @@ -353,6 +403,7 @@ for t in $SIGNKEYS; do fail "failed find-principals for $t with ca key using wildcard principal" # verify CA with wildcard principal + trace "$tid: key type $t verify cert good wildcard CA" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19850101 \ @@ -360,6 +411,7 @@ for t in $SIGNKEYS; do fail "failed signature for $t cert using wildcard principal" # signing key listed as cert-authority + trace "$tid: key type $t verify signing key listed as CA" (printf "$sig_principal cert-authority " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -368,6 +420,7 @@ for t in $SIGNKEYS; do fail "accepted signature with $t key listed as CA" # CA key not flagged cert-authority + trace "$tid: key type $t verify key not marked as CA" (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ @@ -375,6 +428,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t cert with CA not marked" # mismatch between cert principal and file + trace "$tid: key type $t verify cert with wrong principal" (printf "josef.k@example.com cert-authority " ; cat $CA_PUB) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -383,6 +437,7 @@ for t in $SIGNKEYS; do fail "accepted signature for $t cert with wrong principal" # Cert valid but CA revoked + trace "$tid: key type $t verify cert with revoked CA" cat $CA_PUB > $OBJ/revoked_keys (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ @@ -397,42 +452,49 @@ for t in $SIGNKEYS; do cat $CA_PUB) > $OBJ/allowed_signers # CA key lifespan valid + trace "$tid: key type $t verify cert valid CA lifespan" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19850101 \ < $DATA >/dev/null 2>&1 >/dev/null 2>&1 || \ fail "failed signature for $t key with valid CA expiry interval" # CA lifespan is valid but user key not yet valid + trace "$tid: key type $t verify cert valid CA lifespan, not-yet-valid cert" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19810101 \ < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t key with valid CA expiry interval but not yet valid cert" # CA lifespan is valid but user key expired + trace "$tid: key type $t verify cert valid CA lifespan, expired cert" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19890101 \ < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t key with valid CA expiry interval but expired cert" # CA key not yet valid + trace "$tid: key type $t verify cert CA not-yet-valid" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19790101 \ < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t not-yet-valid CA key" # CA key expired + trace "$tid: key type $t verify cert CA expired" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ -Overify-time=19910101 \ < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t with expired CA key" # NB. assumes we're not running this test in the 1980s + trace "$tid: key type $t verify cert CA expired (now)" ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ -I $sig_principal -f $OBJ/allowed_signers \ < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t with expired CA key" # Set lifespan of CA outside of the cert validity + trace "$tid: key type $t verify CA/cert lifespan mismatch" ( printf "$sig_principal " ; printf "cert-authority,valid-after=\"19800101\",valid-before=\"19820101\" " ; cat $CA_PUB) > $OBJ/allowed_signers @@ -455,15 +517,17 @@ done verbose "$tid: match principals" ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "unique" | \ fgrep "unique" >/dev/null || \ - fail "faild to match static principal" + fail "failed to match static principal" +trace "$tid: match principals wildcard" ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "princip" | \ fgrep "princi*" >/dev/null || \ - fail "faild to match wildcard principal" + fail "failed to match wildcard principal" +trace "$tid: match principals static/wildcard" ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers -I "principal1" | \ fgrep -e "principal1" -e "princi*" >/dev/null || \ - fail "faild to match static and wildcard principal" + fail "failed to match static and wildcard principal" verbose "$tid: nomatch principals" for x in princ prince unknown ; do ${SSHKEYGEN} -Y match-principals -f $OBJ/allowed_signers \ |