[openssh-commits] [openssh] 10/12: upstream: regress test for agent PKCS#11-backed certificates

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Dec 19 02:08:10 AEDT 2023


djm pushed a commit to branch V_9_6
in repository openssh.

commit e48cdee8e19059203b1aeeabec2350b8375fa61f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:50:08 2023 +0000

    upstream: regress test for agent PKCS#11-backed certificates
    
    OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
---
 regress/Makefile             |  5 ++-
 regress/agent-pkcs11-cert.sh | 92 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+), 2 deletions(-)

diff --git a/regress/Makefile b/regress/Makefile
index 6394a2ad..f5cb9bd4 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.130 2023/12/18 14:49:39 djm Exp $
+#	$OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -108,7 +108,8 @@ LTESTS= 	connect \
 		channel-timeout \
 		connection-timeout \
 		match-subsystem \
-		agent-pkcs11-restrict
+		agent-pkcs11-restrict \
+		agent-pkcs11-cert
 
 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
diff --git a/regress/agent-pkcs11-cert.sh b/regress/agent-pkcs11-cert.sh
new file mode 100644
index 00000000..4e8f7484
--- /dev/null
+++ b/regress/agent-pkcs11-cert.sh
@@ -0,0 +1,92 @@
+#	$OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
+#	Placed in the Public Domain.
+
+tid="pkcs11 agent certificate test"
+
+SSH_AUTH_SOCK="$OBJ/agent.sock"
+export SSH_AUTH_SOCK
+LC_ALL=C
+export LC_ALL
+p11_setup || skip "No PKCS#11 library found"
+
+rm -f $SSH_AUTH_SOCK $OBJ/agent.log
+rm -f $OBJ/output_* $OBJ/expect_*
+rm -f $OBJ/ca*
+
+trace "generate CA key and certify keys"
+$SSHKEYGEN -q -t ed25519 -C ca -N '' -f $OBJ/ca ||  fatal "ssh-keygen CA failed"
+$SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub ||
+	fatal "certify ECDSA key failed"
+$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
+	fatal "certify RSA key failed"
+$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
+	fatal "certify CA key failed"
+
+rm -f $SSH_AUTH_SOCK
+trace "start agent"
+${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
+AGENT_PID=$!
+trap "kill $AGENT_PID" EXIT
+for x in 0 1 2 3 4 ; do
+	# Give it a chance to start
+	${SSHADD} -l > /dev/null 2>&1
+	r=$?
+	test $r -eq 1 && break
+	sleep 1
+done
+if [ $r -ne 1 ]; then
+	fatal "ssh-add -l did not fail with exit code 1 (got $r)"
+fi
+
+trace "load pkcs11 keys and certs"
+# Note: deliberately contains non-cert keys and non-matching cert on commandline
+p11_ssh_add -qs ${TEST_SSH_PKCS11} \
+    $OBJ/ca.pub \
+    ${SSH_SOFTHSM_DIR}/EC.pub \
+    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
+    ${SSH_SOFTHSM_DIR}/RSA.pub \
+    ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
+	fatal "failed to add keys"
+# Verify their presence
+cut -d' ' -f1-2 \
+    ${SSH_SOFTHSM_DIR}/EC.pub \
+    ${SSH_SOFTHSM_DIR}/RSA.pub \
+    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
+    ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
+$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
+diff $OBJ/expect_list $OBJ/output_list
+
+# Verify that all can perform signatures.
+for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
+    ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+	$SSHADD -T $x || fail "Signing failed for $x"
+done
+
+# Delete plain keys.
+$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
+# Verify that certs can still perform signatures.
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+	$SSHADD -T $x || fail "Signing failed for $x"
+done
+
+$SSHADD -qD >/dev/null || fatal "clear agent failed"
+
+trace "load pkcs11 certs only"
+p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
+    $OBJ/ca.pub \
+    ${SSH_SOFTHSM_DIR}/EC.pub \
+    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
+    ${SSH_SOFTHSM_DIR}/RSA.pub \
+    ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
+	fatal "failed to add keys"
+# Verify their presence
+cut -d' ' -f1-2 \
+    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
+    ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
+$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
+diff $OBJ/expect_list $OBJ/output_list
+
+# Verify that certs can perform signatures.
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+	$SSHADD -T $x || fail "Signing failed for $x"
+done
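Review bot: The two list comparisons (`diff $OBJ/expect_list $OBJ/output_list` after the first `ssh-add -L` and again in the certs-only section) print any mismatch but never check diff's exit status, so the test cannot fail if the agent exposes more or fewer keys than expected; in the `-C` section that mismatch is exactly the case the test exists to catch, namely a plain PKCS#11 private key becoming usable through the agent when only certificates were requested. Both lines should become `diff $OBJ/expect_list $OBJ/output_list || fail "unexpected key list in agent"` so the comparison is enforced like the signing checks are. The `$SSHADD -qd` deletion of the plain keys is likewise unchecked; `|| fail "delete plain keys failed"` would keep the following "certs can still sign" loop from passing vacuously against keys that were never removed. The agent is started with `-d` and killed from an EXIT trap, so a `fail` there still tears it down.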
