[openssh-commits] [openssh] 01/03: upstream: regression test for time-limited signature keys
Fri Jul 23 15:25:44 AEST 2021
dtucker pushed a commit to branch master
in repository openssh.
commit 441095d4a3e5048fe3c87a6c5db5bc3383d767fb
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jul 23 03:54:55 2021 +0000
upstream: regression test for time-limited signature keys
OpenBSD-Regress-ID: 2a6f3bd900dbee0a3c96f1ff23e032c93ab392bc
---
regress/sshsig.sh | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index 8401b6c0..29601361 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshsig.sh,v 1.5 2021/07/12 02:12:22 djm Exp $
+# $OpenBSD: sshsig.sh,v 1.6 2021/07/23 03:54:55 djm Exp $
# Placed in the Public Domain.
tid="sshsig"
@@ -107,6 +107,34 @@ for t in $SIGNKEYS; do
< $DATA >/dev/null 2>&1 && \
fail "accepted signature for $t key with excluded namespace"
+ ( printf "$sig_principal " ;
+ printf "valid-after=\"19800101\",valid-before=\"19900101\" " ;
+ cat $pubkey) > $OBJ/allowed_signers
+
+ # key lifespan valid
+ ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+ -I $sig_principal -f $OBJ/allowed_signers \
+ -Overify-time=19850101 \
+ < $DATA >/dev/null 2>&1 || \
+ fail "failed signature for $t key with valid expiry interval"
+ # key not yet valid
+ ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+ -I $sig_principal -f $OBJ/allowed_signers \
+ -Overify-time=19790101 \
+ < $DATA >/dev/null 2>&1 && \
+ fail "failed signature for $t not-yet-valid key"
+ # key expired
+ ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+ -I $sig_principal -f $OBJ/allowed_signers \
+ -Overify-time=19910101 \
+ < $DATA >/dev/null 2>&1 && \
+ fail "failed signature for $t with expired key"
+ # NB. assumes we're not running this test in the 1980s
+ ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+ -I $sig_principal -f $OBJ/allowed_signers \
+ < $DATA >/dev/null 2>&1 && \
+ fail "failed signature for $t with expired key"
+
# public key in revoked keys file
cat $pubkey > $OBJ/revoked_keys
(printf "$sig_principal namespaces=\"whatever\" " ;
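Review bot: The three failure messages on the `&&` branches describe the opposite of what the test observed: when `-Overify-time=19790101` or `19910101` (or the wall-clock run) reaches `fail`, it is because ssh-keygen *accepted* a signature it should have rejected, yet the message reads "failed signature", unlike the existing `accepted signature for $t key with excluded namespace` wording in the same loop. The wall-clock case also reuses the exact "with expired key" string from the `19910101` case, so a regression in the default-time path is indistinguishable from one in the explicit-time path in the log. Suggest `fail "accepted signature for $t not-yet-valid key"`, `fail "accepted signature for $t expired key"` and `fail "accepted signature for $t key expired at current time"` respectively. The interval edges (verify-time exactly equal to `valid-after` or `valid-before`) are not exercised, so whether the bounds are inclusive is left unpinned by this test; the enclosing `for t in $SIGNKEYS` loop starts and ends outside the hunk.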