upstream: more sshsig regress tests: check key revocation, the

check-novalidate signature test mode and signing keys in ssh-agent.

From Sebastian Kinne (slightly tweaked)

OpenBSD-Regress-ID: b39566f5cec70140674658cdcedf38752a52e2e2

diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index 8af06e49e4fbc8f45ebb47aab45355c179b47c07..eb99486ae68cc504e6655e5faa96c0757a26fb69 100644 (file)
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshsig.sh,v 1.1 2019/09/03 08:37:45 djm Exp $
+#      $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
 #      Placed in the Public Domain.
 
 tid="sshsig"
@@ -22,6 +22,13 @@ ${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
 CA_PRIV=$OBJ/sigca-key
 CA_PUB=$OBJ/sigca-key.pub
 
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+       fatal "could not start ssh-agent: exit code $r"
+fi
+
 SIGNKEYS="$SSH_KEYTYPES"
 verbose "$tid: make certificates"
 for t in $SSH_KEYTYPES ; do
@@ -35,7 +42,9 @@ done
 for t in $SIGNKEYS; do
        verbose "$tid: check signature for $t"
        keybase=`basename $t .pub`
+       privkey=${OBJ}/`basename $t -cert.pub`
        sigfile=${OBJ}/sshsig-${keybase}.sig
+       sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
        pubkey=${OBJ}/${keybase}.pub
 
        ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
@@ -97,12 +106,59 @@ for t in $SIGNKEYS; do
                < $DATA >/dev/null 2>&1 && \
                fail "accepted signature for $t key with excluded namespace"
 
+       # public key in revoked keys file
+       cat $pubkey > $OBJ/revoked_keys
+       (printf "$sig_principal namespaces=\"whatever\" " ;
+        cat $pubkey) > $OBJ/allowed_signers
+       ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+               -I $sig_principal -f $OBJ/allowed_signers \
+               -r $OBJ/revoked_keys \
+               < $DATA >/dev/null 2>&1 && \
+               fail "accepted signature for $t key, but key is in revoked_keys"
+
+       # public key not revoked, but other are present in revoked_keysfile
+       cat $WRONG > $OBJ/revoked_keys
+       (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+       ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+               -I $sig_principal -f $OBJ/allowed_signers \
+               -r $OBJ/revoked_keys \
+               < $DATA >/dev/null 2>&1 || \
+               fail "couldn't verify signature for $t key, but key not in revoked_keys"
+
+       # check-novalidate with valid data
+       ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+               < $DATA >/dev/null 2>&1 || \
+               fail "failed to check valid signature for $t key"
+
+       # check-novalidate with invalid data
+       ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
+               < $DATA2 >/dev/null 2>&1 && \
+               fail "sucessfully checked signature for $t key with invalid data"
+
+       # Check signing keys using ssh-agent.
+       ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
+       ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
+
+       # Move private key to ensure agent key is used
+       mv ${privkey} ${privkey}.tmp
+
+       ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
+               < $DATA > $sigfile_agent 2>/dev/null || \
+               fail "ssh-agent based sign using $pubkey failed"
+       ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
+               -n $sig_namespace < $DATA >/dev/null 2>&1 || \
+               fail "failed to check valid signature for $t key"
+
+       # Move private key back
+       mv ${privkey}.tmp ${privkey}
+
        # Remaining tests are for certificates only.
        case "$keybase" in
                *-cert) ;;
                *) continue ;;
        esac
 
+
        # correct CA key
        (printf "$sig_principal cert-authority " ;
         cat $CA_PUB) > $OBJ/allowed_signers
@@ -135,6 +191,6 @@ for t in $SIGNKEYS; do
                fail "accepted signature for $t cert with wrong principal"
 done
 
-# XXX test keys in agent.
-# XXX test revocation
+trace "kill agent"
+${SSHAGENT} -k > /dev/null