summaryrefslogtreecommitdiff
path: root/regress/krl.sh
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2014-11-17 00:21:40 +0000
committerDamien Miller <djm@mindrot.org>2014-11-19 09:20:14 +1100
commit51b64e44121194ae4bf153dee391228dada2abcb (patch)
treecb352d2f03691add43b55b566f3aca434d664bbb /regress/krl.sh
parentd2d51003a623e21fb2b25567c4878d915e90aa2a (diff)
upstream commit
fix KRL generation when multiple CAs are in use We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh10
1 files changed, 8 insertions, 2 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index 287384b4..a672e0da 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
+# $OpenBSD: krl.sh,v 1.4 2014/11/17 00:21:40 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -17,6 +17,8 @@ rm -f $OBJ/revoked-* $OBJ/krl-*
# Generate a CA key
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA2 failed"
# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
@@ -93,13 +95,17 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-# KRLs from serial/key-id spec need the CA specified.
+# This should fail as KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# Revoke the same serials with the second CA key to ensure a multi-CA
+# KRL is generated.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
+ $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}