upstream: regression tests for certificates with empty principals

sections (which are now unconditionally refused) and for certificates with
wildcard principals (which should only be accepted in host certs)

OpenBSD-Regress-ID: fdca88845a68424060547b4f9f32f90a7cf82e73

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index bfdd3588d98f41e59e33bed1991dd4220ddece1a..9061cc702a0568fd72f706bde7c8c11d933fa63e 100644 (file)
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-hostkey.sh,v 1.28 2025/05/06 06:05:48 djm Exp $
+#      $OpenBSD: cert-hostkey.sh,v 1.29 2025/12/22 01:50:46 djm Exp $
 #      Placed in the Public Domain.
 
 tid="certified host keys"
@@ -208,9 +208,12 @@ kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 
 test_one() {
-       ident=$1
-       result=$2
-       sign_opts=$3
+       ident="$1"
+       result="$2"
+       hosts="$3"
+       sign_opts="$4"
+
+       test -z "$hosts" || sign_opts="$sign_opts -n $hosts"
 
        for kt in $PLAIN_TYPES; do
                case $ktype in
@@ -243,13 +246,16 @@ test_one() {
        done
 }
 
-test_one "user-certificate"    failure "-n $HOSTS"
-test_one "empty principals"    success "-h"
-test_one "wrong principals"    failure "-h -n foo"
-test_one "cert not yet valid"  failure "-h -V20300101:20320101"
-test_one "cert expired"                failure "-h -V19800101:19900101"
-test_one "cert valid interval" success "-h -V-1w:+2w"
-test_one "cert has constraints"        failure "-h -Oforce-command=false"
+test_one "simple"              success $HOSTS  "-h"
+test_one "wildcard"            success "loc*"  "-h"
+test_one "user-certificate"    failure $HOSTS
+test_one "wildcard user"       failure "local*"
+test_one "empty principals"    failure ""      "-h"
+test_one "wrong principals"    failure foo     "-h"
+test_one "cert not yet valid"  failure $HOSTS  "-h -V20300101:20320101"
+test_one "cert expired"                failure $HOSTS  "-h -V19800101:19900101"
+test_one "cert valid interval" success $HOSTS  "-h -V-1w:+2w"
+test_one "cert has constraints"        failure $HOSTS  "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
 for ktype in $PLAIN_TYPES ; do

diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index fde2caefbd4f9f2e86299fcdeead71402f07a370..6e2713bdd04b1d662ac1977693dfaa2102bba2c4 100644 (file)
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-userkey.sh,v 1.30 2025/05/06 06:05:48 djm Exp $
+#      $OpenBSD: cert-userkey.sh,v 1.31 2025/12/22 01:50:46 djm Exp $
 #      Placed in the Public Domain.
 
 tid="certified user keys"
@@ -340,16 +340,15 @@ test_one() {
 }
 
 test_one "correct principal"   success "-n ${USER}"
+test_one "correct principal"   success "-n ${USER},*"
 test_one "host-certificate"    failure "-n ${USER} -h"
-test_one "wrong principals"    failure "-n foo"
+test_one "wrong principals"    failure "-n foo,*"
 test_one "cert not yet valid"  failure "-n ${USER} -V20300101:20320101"
 test_one "cert expired"                failure "-n ${USER} -V19800101:19900101"
 test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
 test_one "wrong source-address"        failure "-n ${USER} -Osource-address=10.0.0.0/8"
 test_one "force-command"       failure "-n ${USER} -Oforce-command=false"
-
-# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
-test_one "empty principals"    success "" authorized_keys
+test_one "empty principals"    failure "" authorized_keys
 test_one "empty principals"    failure "" TrustedUserCAKeys
 
 # Check explicitly-specified principals: an empty principals list in the cert