From: djm@openbsd.org Date: Mon, 22 Dec 2025 01:50:46 +0000 (+0000) Subject: upstream: regression tests for certificates with empty principals X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ecdf9b9f8e89aae65d4a12fe5a25c560eea08393;p=thirdparty%2Fopenssh-portable.git upstream: regression tests for certificates with empty principals sections (which are now unconditionally refused) and for certificates with wildcard principals (which should only be accepted in host certs) OpenBSD-Regress-ID: fdca88845a68424060547b4f9f32f90a7cf82e73 --- diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index bfdd3588d..9061cc702 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.28 2025/05/06 06:05:48 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.29 2025/12/22 01:50:46 djm Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -208,9 +208,12 @@ kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert test_one() { - ident=$1 - result=$2 - sign_opts=$3 + ident="$1" + result="$2" + hosts="$3" + sign_opts="$4" + + test -z "$hosts" || sign_opts="$sign_opts -n $hosts" for kt in $PLAIN_TYPES; do case $ktype in @@ -243,13 +246,16 @@ test_one() { done } -test_one "user-certificate" failure "-n $HOSTS" -test_one "empty principals" success "-h" -test_one "wrong principals" failure "-h -n foo" -test_one "cert not yet valid" failure "-h -V20300101:20320101" -test_one "cert expired" failure "-h -V19800101:19900101" -test_one "cert valid interval" success "-h -V-1w:+2w" -test_one "cert has constraints" failure "-h -Oforce-command=false" +test_one "simple" success $HOSTS "-h" +test_one "wildcard" success "loc*" "-h" +test_one "user-certificate" failure $HOSTS +test_one "wildcard user" failure "local*" +test_one "empty principals" failure "" "-h" +test_one "wrong principals" failure foo "-h" +test_one "cert not yet valid" failure $HOSTS "-h -V20300101:20320101" +test_one "cert expired" failure $HOSTS "-h -V19800101:19900101" +test_one "cert valid interval" success $HOSTS "-h -V-1w:+2w" +test_one "cert has constraints" failure $HOSTS "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found for ktype in $PLAIN_TYPES ; do diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index fde2caefb..6e2713bdd 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.30 2025/05/06 06:05:48 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.31 2025/12/22 01:50:46 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -340,16 +340,15 @@ test_one() { } test_one "correct principal" success "-n ${USER}" +test_one "correct principal" success "-n ${USER},*" test_one "host-certificate" failure "-n ${USER} -h" -test_one "wrong principals" failure "-n foo" +test_one "wrong principals" failure "-n foo,*" test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101" test_one "cert expired" failure "-n ${USER} -V19800101:19900101" test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" test_one "force-command" failure "-n ${USER} -Oforce-command=false" - -# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals -test_one "empty principals" success "" authorized_keys +test_one "empty principals" failure "" authorized_keys test_one "empty principals" failure "" TrustedUserCAKeys # Check explicitly-specified principals: an empty principals list in the cert