-# $OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
+# $OpenBSD: agent-pkcs11-cert.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent certificate test"
-SSH_AUTH_SOCK="$OBJ/agent.sock"
-export SSH_AUTH_SOCK
LC_ALL=C
export LC_ALL
p11_setup || skip "No PKCS#11 library found"
-rm -f $SSH_AUTH_SOCK $OBJ/agent.log
rm -f $OBJ/output_* $OBJ/expect_*
rm -f $OBJ/ca*
$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
fatal "certify CA key failed"
-rm -f $SSH_AUTH_SOCK
-trace "start agent"
-${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
-AGENT_PID=$!
-trap "kill $AGENT_PID" EXIT
-for x in 0 1 2 3 4 ; do
- # Give it a chance to start
- ${SSHADD} -l > /dev/null 2>&1
- r=$?
- test $r -eq 1 && break
- sleep 1
-done
-if [ $r -ne 1 ]; then
- fatal "ssh-add -l did not fail with exit code 1 (got $r)"
-fi
+start_ssh_agent
-trace "load pkcs11 keys and certs"
+verbose "load pkcs11 keys and certs"
# Note: deliberately contains non-cert keys and non-matching cert on commandline
p11_ssh_add -qs ${TEST_SSH_PKCS11} \
$OBJ/ca.pub \
${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
fatal "failed to add keys"
# Verify their presence
+verbose "verify presence"
cut -d' ' -f1-2 \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
diff $OBJ/expect_list $OBJ/output_list
# Verify that all can perform signatures.
+verbose "check signatures"
for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
# Delete plain keys.
+verbose "delete plain keys"
$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
# Verify that certs can still perform signatures.
+verbose "reverify certificate signatures"
for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
$SSHADD -qD >/dev/null || fatal "clear agent failed"
-trace "load pkcs11 certs only"
+verbose "load pkcs11 certs only"
p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
$OBJ/ca.pub \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
fatal "failed to add keys"
# Verify their presence
+verbose "verify presence"
cut -d' ' -f1-2 \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
diff $OBJ/expect_list $OBJ/output_list
# Verify that certs can perform signatures.
+verbose "check signatures"
for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
-# $OpenBSD: agent-pkcs11-restrict.sh,v 1.1 2023/12/18 14:49:39 djm Exp $
+# $OpenBSD: agent-pkcs11-restrict.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent constraint test"
p11_setup || skip "No PKCS#11 library found"
-rm -f $SSH_AUTH_SOCK $OBJ/agent.log $OBJ/host_[abcx]* $OBJ/user_[abcx]*
+rm -f $OBJ/host_[abcx]* $OBJ/user_[abcx]*
rm -f $OBJ/sshd_proxy_host* $OBJ/ssh_output* $OBJ/expect_*
rm -f $OBJ/ssh_proxy[._]* $OBJ/command $OBJ/authorized_keys_*
export K
}
-SSH_AUTH_SOCK="$OBJ/agent.sock"
-export SSH_AUTH_SOCK
-rm -f $SSH_AUTH_SOCK
-trace "start agent"
-${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
-AGENT_PID=$!
-trap "kill $AGENT_PID" EXIT
-for x in 0 1 2 3 4 ; do
- # Give it a chance to start
- ${SSHADD} -l > /dev/null 2>&1
- r=$?
- test $r -eq 1 && break
- sleep 1
-done
-if [ $r -ne 1 ]; then
- fatal "ssh-add -l did not fail with exit code 1 (got $r)"
-fi
+start_ssh_agent
# XXX a lot of this is a copy of agent-restrict.sh, but I couldn't see a nice
# way to factor it out -djm
cat $K) >> $OBJ/authorized_keys_$USER
done
-trace "unrestricted keys"
+verbose "unrestricted keys"
$SSHADD -qD >/dev/null || fatal "clear agent failed"
p11_ssh_add -qs ${TEST_SSH_PKCS11} ||
fatal "failed to add keys"
cmp $OBJ/expect_$h $OBJ/ssh_output || fatal "unexpected output"
done
-trace "restricted to different host"
+verbose "restricted to different host"
$SSHADD -qD >/dev/null || fatal "clear agent failed"
p11_ssh_add -q -h host_x -s ${TEST_SSH_PKCS11} -H $OBJ/known_hosts ||
fatal "failed to add keys"
host_$h true > $OBJ/ssh_output && fatal "test ssh $h succeeded"
done
-trace "restricted to destination host"
+verbose "restricted to destination host"
$SSHADD -qD >/dev/null || fatal "clear agent failed"
p11_ssh_add -q -h host_a -h host_b -s ${TEST_SSH_PKCS11} -H $OBJ/known_hosts ||
fatal "failed to add keys"
cmp $OBJ/expect_$h $OBJ/ssh_output || fatal "unexpected output"
done
-trace "restricted multihop"
+verbose "restricted multihop"
$SSHADD -qD >/dev/null || fatal "clear agent failed"
p11_ssh_add -q -h host_a -h "host_a>host_b" \
-s ${TEST_SSH_PKCS11} -H $OBJ/known_hosts || fatal "failed to add keys"
projects / thirdparty / openssh-portable.git / commitdiff
