[openssh-commits] [openssh] 10/11: upstream: test revocation by explicit hash and by fingerprint

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Sep 12 16:52:21 AEST 2018



commit f803b2682992cfededd40c91818b653b5d923ef5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:23:48 2018 +0000

    upstream: test revocation by explicit hash and by fingerprint
    
    OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
---
 regress/krl.sh | 49 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/regress/krl.sh b/regress/krl.sh
index 1077358f..a70c79c6 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+#	$OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
 #	Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do
 	UCERTS="$UCERTS ${f}-cert.pub"
 done
 
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+	(printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+	(printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+	(printf "hash: "; $SSHKEYGEN -lf $rkey | \
+		awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
 genkrls() {
 	OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
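Review bot: The `hash:` spec line is written even when `$SSHKEYGEN -lf $rkey` fails, because the pipeline status inside the `( … )` subshell is never checked and `awk` exits 0 regardless, so a `hash: ` entry with an empty value lands in revoked-hash and only surfaces later as a generic "KRL failed" from genkrls. Capturing the field first makes the failure attributable: `fp=$($SSHKEYGEN -lf $rkey | awk '{ print $2 }')`, then `test -n "$fp" || fatal "fingerprint of $rkey failed"`, then `printf "hash: %s\n" "$fp" >> $OBJ/revoked-hash`. The three spec files are also only `touch`ed rather than truncated, so entries accumulate if the script is re-run against an uncleaned $OBJ; `: > $OBJ/revoked-sha1` (and likewise for the other two) would make the step idempotent. The genkrls function that begins at the bottom of this hunk continues past its last line.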
@@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
 # This should fail as KRLs from serial/key-id spec need the CA specified.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
@@ -131,9 +146,9 @@ check_krl() {
 	TAG=$4
 	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
 	result=$?
-	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+	if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
 		fatal "key $KEY not revoked by KRL $KRL: $TAG"
-	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+	elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
 		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
 	fi
 }
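Review bot: check_krl's new `xy`/`xn` comparisons have no else branch, so any EXPECT_REVOKED value other than exactly `y` or `n` turns the function into a silent no-op instead of a failure — and the following hunk still passes the literal `no` for krl-empty, which no longer matches `xn`. A third arm, `else fatal "check_krl: bad EXPECT_REVOKED '$EXPECT_REVOKED': $TAG"`, makes a stale caller a visible test failure rather than a test that passes by never checking anything. check_krl's parameter assignments start before this hunk.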
@@ -142,17 +157,21 @@ test_rev() {
 	TAG=$2
 	KEYS_RESULT=$3
 	ALL_RESULT=$4
-	SERIAL_RESULT=$5
-	KEYID_RESULT=$6
-	CERTS_RESULT=$7
-	CA_RESULT=$8
-	SERIAL_WRESULT=$9
-	KEYID_WRESULT=$10
+	HASH_RESULT=$5
+	SERIAL_RESULT=$6
+	KEYID_RESULT=$7
+	CERTS_RESULT=$8
+	CA_RESULT=$9
+	SERIAL_WRESULT=$10
+	KEYID_WRESULT=$11
 	verbose "$tid: checking revocations for $TAG"
 	for f in $FILES ; do
 		check_krl $f $OBJ/krl-empty		no		"$TAG"
 		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-sha1		$HASH_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-sha256		$HASH_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-hash		$HASH_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
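Review bot: `SERIAL_WRESULT=$10` and `KEYID_WRESULT=$11` do not read the tenth and eleventh arguments: in sh, `$10` is `$1` followed by a literal `0`, so both variables receive the FILES list with a digit appended (the old `KEYID_WRESULT=$10` had the same problem; the renumbering now extends it to both wildcard columns). They need `SERIAL_WRESULT=${10}` and `KEYID_WRESULT=${11}`. Separately, the krl-empty call still passes `no`, which the updated check_krl compares against `xn`; it should read `check_krl $f $OBJ/krl-empty n "$TAG"`. Because check_krl accepts unknown values silently, none of these three checks currently fails, which is why the suite does not notice. The remainder of test_rev's loop body is outside this hunk.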
@@ -163,12 +182,12 @@ test_rev() {
 }
 
 test_all() {
-	#                                                               wildcard
-	#                                   keys all sr# k.ID cert  CA sr.# k.ID
-	test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
-	test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
-	test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
-	test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
+	#                                                           wildcard
+	#                                 keys all hash sr# ID cert  CA srl ID
+	test_rev "$RKEYS"     "revoked keys" y   y    y   n  n    n   n   n  n
+	test_rev "$UKEYS"   "unrevoked keys" n   n    n   n  n    n   n   n  n
+	test_rev "$RCERTS"   "revoked certs" y   y    y   y  y    y   y   y  y
+	test_rev "$UCERTS" "unrevoked certs" n   n    n   n  n    n   y   n  n
 }
 
 test_all
