Hi. This is the final OpenSSH key revocation list (KRL) diff for now :)
This extends the existing krl.sh regression test to exercise signing and verification. (This depends on the last two diffs) ok? Index: krl.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/krl.sh,v retrieving revision 1.12 diff -u -p -r1.12 krl.sh --- krl.sh 16 Jan 2023 04:11:29 -0000 1.12 +++ krl.sh 16 Jan 2023 08:00:35 -0000 @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.12 2023/01/16 04:11:29 djm Exp $ +# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -22,7 +22,16 @@ done # Old keys will interfere with ssh-keygen. rm -f $OBJ/revoked-* $OBJ/krl-* -# Generate a CA key +# Generate some KRL signing keys +$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign -C "" -N "" > /dev/null || + fatal "$SSHKEYGEN signing key failed" +$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign-wrong -C "" -N "" > /dev/null || + fatal "$SSHKEYGEN signing key-wrong failed" +$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign2 -C "" -N "" > /dev/null || + fatal "$SSHKEYGEN signing key2 failed" +$SSHKEYGEN -t ed25519 -f $OBJ/krl-sign3 -C "" -N "" > /dev/null || + fatal "$SSHKEYGEN signing key3 failed" +# Generate some CA keys $SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null || fatal "$SSHKEYGEN CA failed" $SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || @@ -108,7 +117,14 @@ for rkey in $RKEYS; do done genkrls() { - OPTS=$1 + #OPTS="-vvv $@" + OPTS="$@" + +$SSHKEYGEN $OPTS -kf $OBJ/krl-revoked-signing $OBJ/krl-sign2.pub \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" +$SSHKEYGEN $OPTS -kf $OBJ/krl-revoked-signing2 \ + $OBJ/krl-sign2.pub $OBJ/krl-sign3.pub \ + >/dev/null || fatal "$SSHKEYGEN KRL failed" $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ >/dev/null || fatal "$SSHKEYGEN KRL failed" $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \ 
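Review bot: In genkrls, `OPTS="$@"` assigns the positional list to a scalar, which POSIX leaves unspecified (most shells treat it as `"$*"`); spelling it `OPTS="$*"` gives the same joined string with defined behaviour, and the later unquoted `$OPTS` expansion still splits it back into separate options because the `-Osigning-key=$OBJ/...` values contain no whitespace. The commented-out debug line `#OPTS="-vvv $@"` directly above it looks like a leftover from development and should be dropped before commit. The two new `krl-revoked-signing` invocations reuse the generic message `fatal "$SSHKEYGEN KRL failed"`; naming the KRL in the message (e.g. `fatal "$SSHKEYGEN krl-revoked-signing failed"`) would make a failure in the new signing-key-revocation cases distinguishable from the existing ones. The rest of genkrls continues past the end of this hunk.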
@@ -136,9 +152,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \ $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed" # These should succeed; they specify an wildcard CA key. -$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \ +$SSHKEYGEN $OPTS -kf $OBJ/krl-srl-wild -s NONE $OBJ/revoked-serials \ >/dev/null || fatal "$SSHKEYGEN KRL failed" -$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \ +$SSHKEYGEN $OPTS -kf $OBJ/krl-id-wild -s NONE $OBJ/revoked-keyid \ >/dev/null || fatal "$SSHKEYGEN KRL failed" # Revoke the same serials with the second CA key to ensure a multi-CA # KRL is generated. @@ -149,16 +165,18 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u ## XXX dump with trace and grep for set cert serials ## XXX test ranges near (u64)-1, etc. -verbose "$tid: generating KRLs" -genkrls - check_krl() { KEY=$1 KRL=$2 EXPECT_REVOKED=$3 TAG=$4 - $SSHKEYGEN -Qf $KRL $KEY >/dev/null + ARG=$5 + $SSHKEYGEN $ARG -Qf $KRL $KEY >/dev/null 2>&1 result=$? + case "x$EXPECT_REVOKED" in + xx|xy) ;; + default) fatal "bad expectation $EXPECT_REVOKED" + esac if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then fatal "key $KEY not revoked by KRL $KRL: $TAG" elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then 
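Review bot: The new `case` guard in check_krl never fires: `default)` is a literal pattern, not the shell's catch-all, and `xx` is not a value any caller passes, so a bad expectation falls through exactly as before. It should read `xy|xn) ;;` followed by `*) fatal "bad expectation $EXPECT_REVOKED" ;;`. Once enforced it will trip on the `no` that test_rev passes for `krl-empty`, which is worth fixing to `n` anyway, since `xno` currently matches neither the `xy` nor the `xn` branch and the empty-KRL check is silently skipped. The tail of check_krl (the `fatal` for an unexpected revocation, `fi` and the closing brace) lies outside this hunk.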
@@ -177,41 +195,107 @@ test_rev() { CA_RESULT=$9 SERIAL_WRESULT=${10} KEYID_WRESULT=${11} + ARG=${12} verbose "$tid: checking revocations for $TAG" for f in $FILES ; do - check_krl $f $OBJ/krl-empty no "$TAG" - check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" - check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" - check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG" - check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG" - check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG" - check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" - check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" - check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" - check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" - check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG" - check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG" + check_krl $f $OBJ/krl-empty no "$TAG" "$ARG" + check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-srl-wild $SERIAL_WRESULT "$TAG" "$ARG" + check_krl $f $OBJ/krl-id-wild $KEYID_WRESULT "$TAG" "$ARG" done } -test_all() { +test_files_expect_fail() +{ + s="$@" # wildcard - # keys all hash sr# ID cert CA srl ID - test_rev "$RKEYS" "revoked keys" y y y n n n n n n - test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n - test_rev "$RCERTS" "revoked certs" y y y y y y y y y - test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n + # keys all hash sr# ID cert CA srl ID + test_rev "$RKEYS" "revoked keys" y y y y y y y y y $s + test_rev "$UKEYS" "unrevoked keys" y y y y y y y y y $s + test_rev "$RCERTS" "revoked certs" y y y y y y y y y $s + test_rev 
"$UCERTS" "unrevoked certs" y y y y y y y y y $s } -test_all +test_files() { + s="$@" + # wildcard + # keys all hash sr# ID cert CA srl ID + test_rev "$RKEYS" "revoked keys" y y y n n n n n n $s + test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n $s + test_rev "$RCERTS" "revoked certs" y y y y y y y y y $s + test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n $s +} -# Check update. Results should be identical. -verbose "$tid: testing KRL update" -for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ - $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ - $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do - cp -f $OBJ/krl-empty $f - genkrls -u -done +test_all() { + signed=$1 + + verbose "$tid: verifying KRL without signature check" + test_files + + if [ "x$signed" = "xn" ] ; then + verbose "$tid: verifying unsigned KRL (expecting a signing key)" + test_files_expect_fail "-Osigning-key=$OBJ/krl-sign" + else + verbose "$tid: verifying signed KRL (one correct key)" + test_files "-Osigning-key=$OBJ/krl-sign" + + verbose "$tid: verifying signed KRL (two correct keys)" + test_files "-Osigning-key=$OBJ/krl-sign" \ + "-Osigning-key=$OBJ/krl-sign2" + + verbose "$tid: verifying signed KRL (wrong key)" + test_files_expect_fail "-Osigning-key=$OBJ/krl-sign-wrong" + + verbose "$tid: verifying signed KRL (1of2 correct keys)" + test_files "-Osigning-key=$OBJ/krl-sign" \ + "-Osigning-key=$OBJ/krl-sign-wrong" + + verbose "$tid: verifying signed KRL (one good key, one revoked)" + $SSHKEYGEN -Osigning-key=$OBJ/krl-sign \ + -Osigning-key=$OBJ/krl-sign2 -Qf $OBJ/krl-revoked-signing \ + $OBJ/revoked-ca.pub >/dev/null 2>&1 + [ $? -eq 0 ] || fail "key revoked from KRL unexpectedly" + + verbose "$tid: verifying signed KRL (2x revoked)" + $SSHKEYGEN -Osigning-key=$OBJ/krl-sign2 \ + -Osigning-key=$OBJ/krl-sign3 -Qf $OBJ/krl-revoked-signing2 \ + $OBJ/revoked-ca.pub >/dev/null 2>&1 + [ $? 
-eq 0 ] && fail "key passed from KRL unexpectedly" + + verbose "$tid: verifying signed KRL (one wrong, one revoked)" + $SSHKEYGEN -Osigning-key=$OBJ/krl-sign-wrong \ + -Osigning-key=$OBJ/krl-sign2 -Qf $OBJ/krl-revoked-signing2 \ + $OBJ/revoked-ca.pub >/dev/null 2>&1 + [ $? -eq 0 ] && fail "key passed from KRL unexpectedly" + fi +} -test_all +for signed in n y ; do + arg="" + if [ "x$signed" = "xy" ] ; then + arg="-Osigning-key=$OBJ/krl-sign" + arg="$arg -Osigning-key=$OBJ/krl-sign2" + fi + verbose "$tid: generating KRLs, signed=$signed" + genkrls $arg + test_all $signed + + # Check update. Results should be identical. + verbose "$tid: testing KRL update, signed=$signed" + for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ + $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ + $OBJ/krl-srl-wild $OBJ/krl-id-wild $OBJ/krl-revoked-signing \ + $OBJ/krl-revoked-signing2; do + cp -f $OBJ/krl-empty $f + genkrls -u $arg + done + test_all $signed +done
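Review bot: `ARG=${12}` in test_rev keeps only the first signing key: test_files and test_files_expect_fail flatten their arguments into `s="$@"` and then expand `$s` unquoted, so a call such as `test_files "-Osigning-key=$OBJ/krl-sign" "-Osigning-key=$OBJ/krl-sign2"` reaches test_rev as positionals 12 and 13 and the second option is dropped. The "two correct keys" and "1of2 correct keys" runs therefore only ever verify with krl-sign, and the latter no longer tests that a wrong key alongside a good one is tolerated. Replacing the assignment with `shift 11` and `ARG="$*"` passes every remaining option through; check_krl already expands `$ARG` unquoted, so they split back into separate `-O` options. The header of test_rev and its first eight parameter assignments are outside this hunk.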