upstream: Make certificate tests work with the supported key

algorithms.  Allows tests to pass when built without OpenSSL.

OpenBSD-Regress-ID: 617169a6dd9d06db3697a449d9a26c284eca20fc

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3ce777967a5d03353b6680cdc02bd77e0c62211f..86ea62504061440d531e85387f391da90254e335 100644 (file)
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $
+#      $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="certified host keys"
@@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
 rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
 
 # Allow all hostkey/pubkey types, prefer certs for the client
+rsa=0
 types=""
 for i in `$SSH -Q key`; do
        if [ -z "$types" ]; then
@@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do
                types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
                types="rsa-sha2-512-cert-v01@openssh.com,$types";;
        *rsa*)
+               rsa=1
                types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
        # Prefer certificate to plain keys.
        *cert*) types="$i,$types";;
@@ -51,10 +53,12 @@ kh_revoke() {
 }
 
 # Create a CA key and add it to known hosts. Ed25519 chosen for speed.
-# RSA for testing RSA/SHA2 signatures.
+# RSA for testing RSA/SHA2 signatures if supported.
+ktype2=ed25519
+[ "x$rsa" = "x1" ] && ktype2=rsa
 ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/host_ca_key ||\
        fail "ssh-keygen of host_ca_key failed"
-${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key2 ||\
+${SSHKEYGEN} -q -N '' -t $ktype2  -f $OBJ/host_ca_key2 ||\
        fail "ssh-keygen of host_ca_key failed"
 
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -214,7 +218,7 @@ test_one() {
        result=$2
        sign_opts=$3
 
-       for kt in rsa ed25519 ; do
+       for kt in $PLAIN_TYPES; do
                case $ktype in
                rsa-sha2-*)     tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
                *)              tflag=""; ca="$OBJ/host_ca_key" ;;

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6849e99226493445c10ec498b5188b8b8106ac65..38c14a698092398a7362a668b92f8449b71f2611 100644 (file)
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $
+#      $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="certified user keys"
@@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 EXTRA_TYPES=""
+rsa=""
 
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+       rsa=rsa
        PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
 fi
 
@@ -20,11 +22,20 @@ kname() {
        # subshell because some seds will add a newline
        *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
        esac
-       echo "$n*,ssh-rsa*,ssh-ed25519*"
+       if [ -z "$rsa" ]; then
+               echo "$n*,ssh-ed25519*"
+       else
+               echo "$n*,ssh-rsa*,ssh-ed25519*"
+       fi
 }
 
 # Create a CA key
-${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+if [ ! -z "$rsa" ]; then
+       catype=rsa
+else
+       catype=ed25519
+fi
+${SSHKEYGEN} -q -N '' -t $catype  -f $OBJ/user_ca_key ||\
        fail "ssh-keygen of user_ca_key failed"
 
 # Generate and sign user keys
@@ -283,7 +294,7 @@ test_one() {
        fi
 
        for auth in $auth_choice ; do
-               for ktype in rsa ed25519 ; do
+               for ktype in $rsa ed25519 ; do
                        cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
                        if test "x$auth" = "xauthorized_keys" ; then
                                # Add CA to authorized_keys