Hi,

The final OpenSSH key revocation list (KRL) diff for now :)

This extends the existing krl.sh regression test to exercise signing and
verification. (This depends on the last two diffs)

ok?

Index: krl.sh
===================================================================
RCS file: /cvs/src/regress/usr.bin/ssh/krl.sh,v
retrieving revision 1.12
diff -u -p -r1.12 krl.sh
--- krl.sh      16 Jan 2023 04:11:29 -0000      1.12
+++ krl.sh      16 Jan 2023 08:00:35 -0000
@@ -1,4 +1,4 @@
-#      $OpenBSD: krl.sh,v 1.12 2023/01/16 04:11:29 djm Exp $
+#      $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
 #      Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -22,7 +22,16 @@ done
 # Old keys will interfere with ssh-keygen.
 rm -f $OBJ/revoked-* $OBJ/krl-*
 
-# Generate a CA key
+# Generate some KRL signing keys
+$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign  -C "" -N "" > /dev/null ||
+       fatal "$SSHKEYGEN signing key failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign-wrong  -C "" -N "" > /dev/null ||
+       fatal "$SSHKEYGEN signing key-wrong failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign2 -C "" -N "" > /dev/null ||
+       fatal "$SSHKEYGEN signing key2 failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign3 -C "" -N "" > /dev/null ||
+       fatal "$SSHKEYGEN signing key3 failed"
+# Generate some CA keys
 $SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
        fatal "$SSHKEYGEN CA failed"
 $SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2  -C "" -N "" > /dev/null ||
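Review bot: The four signing keys generated here have different roles that can only be worked out by reading genkrls and test_all further down, so the `# Generate some KRL signing keys` comment should spell them out. Something like `# krl-sign, krl-sign2: sign the KRLs; krl-sign2, krl-sign3: revoked by krl-revoked-signing*; krl-sign-wrong: never signs` would make clear which verification outcome each later case is meant to produce.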
@@ -108,7 +117,14 @@ for rkey in $RKEYS; do
 done
 
 genkrls() {
-       OPTS=$1
+       #OPTS="-vvv $@"
+       OPTS="$@"
+
+$SSHKEYGEN $OPTS -kf $OBJ/krl-revoked-signing $OBJ/krl-sign2.pub \
+       >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-revoked-signing2 \
+    $OBJ/krl-sign2.pub $OBJ/krl-sign3.pub \
+       >/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
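Review bot: `OPTS="$@"` in genkrls assigns a list to a scalar, which joins the arguments and then relies on the unquoted `$OPTS` being re-split at every call; `OPTS="$*"` says what actually happens and avoids the poorly specified `"$@"`-in-assignment form. This stays correct only while `$OBJ` contains no whitespace, since the `-Osigning-key=$OBJ/...` options travel through that re-split. The commented-out `#OPTS="-vvv $@"` debugging line is better dropped before commit. The body of genkrls continues outside the hunk.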
@@ -136,9 +152,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s 
 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
        $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
 # These should succeed; they specify an wildcard CA key.
-$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-srl-wild -s NONE $OBJ/revoked-serials \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-id-wild -s NONE $OBJ/revoked-keyid \
        >/dev/null || fatal "$SSHKEYGEN KRL failed"
 # Revoke the same serials with the second CA key to ensure a multi-CA
 # KRL is generated.
@@ -149,16 +165,18 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u 
 ## XXX dump with trace and grep for set cert serials
 ## XXX test ranges near (u64)-1, etc.
 
-verbose "$tid: generating KRLs"
-genkrls
-
 check_krl() {
        KEY=$1
        KRL=$2
        EXPECT_REVOKED=$3
        TAG=$4
-       $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+       ARG=$5
+       $SSHKEYGEN $ARG -Qf $KRL $KEY >/dev/null 2>&1
        result=$?
+       case "x$EXPECT_REVOKED" in
+       xx|xy) ;;
+       default) fatal "bad expectation $EXPECT_REVOKED"
+       esac
        if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
                fatal "key $KEY not revoked by KRL $KRL: $TAG"
        elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
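Review bot: The new `case` in check_krl never rejects anything: `default)` is a literal pattern in sh rather than a catch-all, and the accepted values are `xx|xy` where `xn|xy` is evidently meant. As written, a mistyped expectation falls through both `test` branches and the check silently passes. Use `xn|xy) ;;` and `*) fatal "bad expectation $EXPECT_REVOKED" ;;`. Note that test_rev passes `no` for krl-empty, which would then have to become `n`; today that `no` means an unexpected revocation by the empty KRL goes undetected. The body of check_krl continues past the end of the hunk.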
@@ -177,41 +195,107 @@ test_rev() {
        CA_RESULT=$9
        SERIAL_WRESULT=${10}
        KEYID_WRESULT=${11}
+       ARG=${12}
        verbose "$tid: checking revocations for $TAG"
        for f in $FILES ; do
-               check_krl $f $OBJ/krl-empty             no              "$TAG"
-               check_krl $f $OBJ/krl-keys              $KEYS_RESULT    "$TAG"
-               check_krl $f $OBJ/krl-all               $ALL_RESULT     "$TAG"
-               check_krl $f $OBJ/krl-sha1              $HASH_RESULT    "$TAG"
-               check_krl $f $OBJ/krl-sha256            $HASH_RESULT    "$TAG"
-               check_krl $f $OBJ/krl-hash              $HASH_RESULT    "$TAG"
-               check_krl $f $OBJ/krl-serial            $SERIAL_RESULT  "$TAG"
-               check_krl $f $OBJ/krl-keyid             $KEYID_RESULT   "$TAG"
-               check_krl $f $OBJ/krl-cert              $CERTS_RESULT   "$TAG"
-               check_krl $f $OBJ/krl-ca                $CA_RESULT      "$TAG"
-               check_krl $f $OBJ/krl-serial-wild       $SERIAL_WRESULT "$TAG"
-               check_krl $f $OBJ/krl-keyid-wild        $KEYID_WRESULT  "$TAG"
+               check_krl $f $OBJ/krl-empty     no              "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-keys      $KEYS_RESULT    "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-all       $ALL_RESULT     "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-sha1      $HASH_RESULT    "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-sha256    $HASH_RESULT    "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-hash      $HASH_RESULT    "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-serial    $SERIAL_RESULT  "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-keyid     $KEYID_RESULT   "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-cert      $CERTS_RESULT   "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-ca        $CA_RESULT      "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-srl-wild  $SERIAL_WRESULT "$TAG" "$ARG"
+               check_krl $f $OBJ/krl-id-wild   $KEYID_WRESULT  "$TAG" "$ARG"
        done
 }
 
-test_all() {
+test_files_expect_fail()
+{
+       s="$@"
        #                                                           wildcard
-       #                                 keys all hash sr# ID cert  CA srl ID
-       test_rev "$RKEYS"     "revoked keys" y   y    y   n  n    n   n   n  n
-       test_rev "$UKEYS"   "unrevoked keys" n   n    n   n  n    n   n   n  n
-       test_rev "$RCERTS"   "revoked certs" y   y    y   y  y    y   y   y  y
-       test_rev "$UCERTS" "unrevoked certs" n   n    n   n  n    n   y   n  n
+       #                                 keys all hash sr# ID cert CA srl ID
+       test_rev "$RKEYS"     "revoked keys" y   y    y   y  y   y   y   y  y $s
+       test_rev "$UKEYS"   "unrevoked keys" y   y    y   y  y   y   y   y  y $s
+       test_rev "$RCERTS"   "revoked certs" y   y    y   y  y   y   y   y  y $s
+       test_rev "$UCERTS" "unrevoked certs" y   y    y   y  y   y   y   y  y $s
 }
 
-test_all
+test_files() {
+       s="$@"
+       #                                                           wildcard
+       #                                 keys all hash sr# ID cert CA srl ID
+       test_rev "$RKEYS"     "revoked keys" y   y    y   n  n   n   n   n  n $s
+       test_rev "$UKEYS"   "unrevoked keys" n   n    n   n  n   n   n   n  n $s
+       test_rev "$RCERTS"   "revoked certs" y   y    y   y  y   y   y   y  y $s
+       test_rev "$UCERTS" "unrevoked certs" n   n    n   n  n   n   y   n  n $s
+}
 
-# Check update. Results should be identical.
-verbose "$tid: testing KRL update"
-for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
-    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
-    $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
-       cp -f $OBJ/krl-empty $f
-       genkrls -u
-done
+test_all() {
+       signed=$1
+
+       verbose "$tid: verifying KRL without signature check"
+       test_files
+
+       if [ "x$signed" = "xn" ] ; then
+               verbose "$tid: verifying unsigned KRL (expecting a signing key)"
+               test_files_expect_fail "-Osigning-key=$OBJ/krl-sign"
+       else
+               verbose "$tid: verifying signed KRL (one correct key)"
+               test_files "-Osigning-key=$OBJ/krl-sign"
+
+               verbose "$tid: verifying signed KRL (two correct keys)"
+               test_files "-Osigning-key=$OBJ/krl-sign" \
+                   "-Osigning-key=$OBJ/krl-sign2"
+
+               verbose "$tid: verifying signed KRL (wrong key)"
+               test_files_expect_fail "-Osigning-key=$OBJ/krl-sign-wrong"
+
+               verbose "$tid: verifying signed KRL (1of2 correct keys)"
+               test_files "-Osigning-key=$OBJ/krl-sign" \
+                   "-Osigning-key=$OBJ/krl-sign-wrong"
+               
+               verbose "$tid: verifying signed KRL (one good key, one revoked)"
+               $SSHKEYGEN -Osigning-key=$OBJ/krl-sign \
+                   -Osigning-key=$OBJ/krl-sign2 -Qf $OBJ/krl-revoked-signing \
+                   $OBJ/revoked-ca.pub >/dev/null 2>&1
+               [ $? -eq 0 ] || fail "key revoked from KRL unexpectedly"
+               
+               verbose "$tid: verifying signed KRL (2x revoked)"
+               $SSHKEYGEN -Osigning-key=$OBJ/krl-sign2 \
+                   -Osigning-key=$OBJ/krl-sign3 -Qf $OBJ/krl-revoked-signing2 \
+                   $OBJ/revoked-ca.pub >/dev/null 2>&1
+               [ $? -eq 0 ] && fail "key passed from KRL unexpectedly"
+               
+               verbose "$tid: verifying signed KRL (one wrong, one revoked)"
+               $SSHKEYGEN -Osigning-key=$OBJ/krl-sign-wrong \
+                   -Osigning-key=$OBJ/krl-sign2 -Qf $OBJ/krl-revoked-signing2 \
+                   $OBJ/revoked-ca.pub >/dev/null 2>&1
+               [ $? -eq 0 ] && fail "key passed from KRL unexpectedly"
+       fi
+}
 
-test_all
+for signed in n y ; do
+       arg=""
+       if [ "x$signed" = "xy" ] ; then
+               arg="-Osigning-key=$OBJ/krl-sign"
+               arg="$arg -Osigning-key=$OBJ/krl-sign2"
+       fi
+       verbose "$tid: generating KRLs, signed=$signed"
+       genkrls $arg
+       test_all $signed
+
+       # Check update. Results should be identical.
+       verbose "$tid: testing KRL update, signed=$signed"
+       for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+           $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
+           $OBJ/krl-srl-wild $OBJ/krl-id-wild $OBJ/krl-revoked-signing \
+           $OBJ/krl-revoked-signing2; do
+               cp -f $OBJ/krl-empty $f
+               genkrls -u $arg
+       done
+       test_all $signed
+done
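Review bot: The two-key cases in test_all never reach ssh-keygen with both keys: test_files and test_files_expect_fail expand `$s` unquoted, so a second `-Osigning-key=...` lands in `${13}` while test_rev reads only `ARG=${12}`. The "two correct keys" and "1of2 correct keys" runs therefore verify with krl-sign alone, and the wrong-key half of the latter is never exercised. Setting `s="$*"` and passing `"$s"` as the last argument of each test_rev call keeps both options in ARG, which check_krl already re-splits through the unquoted `$ARG`. Separately, test_files_expect_fail accepts any non-zero exit while check_krl discards stderr, so a usage error or an unreadable key file would pass as a signature failure; checking the error output for those cases would make the negative tests meaningful.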
