summaryrefslogtreecommitdiff
path: root/regress/krl.sh
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-01-30 01:11:39 +0000
committerDamien Miller <djm@mindrot.org>2015-01-30 12:19:29 +1100
commit86936ec245a15c7abe71a0722610998b0a28b194 (patch)
treef4f45b480fa6ff7a52b2e097ebb1c60e439fdcc9 /regress/krl.sh
parent4509b5d4a4fa645a022635bfa7e86d09b285001f (diff)
upstream commit
regression test for 'wildcard CA' serial/key ID revocations
Diffstat (limited to 'regress/krl.sh')
-rw-r--r--regress/krl.sh74
1 files changed, 44 insertions, 30 deletions
diff --git a/regress/krl.sh b/regress/krl.sh
index 799f9d09..1077358f 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.5 2015/01/19 17:31:13 djm Exp $
+# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -74,26 +74,26 @@ verbose "$tid: generating test keys"
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
- REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
- REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+ RKEYS="$RKEYS ${f}.pub"
+ RCERTS="$RCERTS ${f}-cert.pub"
done
UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
UNREVOKED=""
for n in $UNREVOKED_SERIALS ; do
f=`keygen $n`
- UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"
- UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"
+ UKEYS="$UKEYS ${f}.pub"
+ UCERTS="$UCERTS ${f}-cert.pub"
done
genkrls() {
OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
@@ -102,14 +102,20 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+# These should succeed; they specify an explicit CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
+ $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
+ $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# These should succeed; they specify an wildcard CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
# Revoke the same serials with the second CA key to ensure a multi-CA
# KRL is generated.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
- >/dev/null || fatal "$SSHKEYGEN KRL failed"
}
## XXX dump with trace and grep for set cert serials
@@ -131,7 +137,7 @@ check_krl() {
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
fi
}
-test_all() {
+test_rev() {
FILES=$1
TAG=$2
KEYS_RESULT=$3
@@ -140,32 +146,40 @@ test_all() {
KEYID_RESULT=$6
CERTS_RESULT=$7
CA_RESULT=$8
+ SERIAL_WRESULT=$9
+ KEYID_WRESULT=$10
verbose "$tid: checking revocations for $TAG"
for f in $FILES ; do
- check_krl $f $OBJ/krl-empty no "$TAG"
- check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
- check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
- check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
- check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
- check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
- check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+ check_krl $f $OBJ/krl-empty no "$TAG"
+ check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+ check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+ check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
+ check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
done
}
-# keys all serial keyid certs CA
-test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
-test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
-test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
-test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+test_all() {
+ # wildcard
+ # keys all sr# k.ID cert CA sr.# k.ID
+ test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
+ test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
+ test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
+ test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
+}
+
+test_all
# Check update. Results should be identical.
verbose "$tid: testing KRL update"
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
- $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+ $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
+ $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
cp -f $OBJ/krl-empty $f
genkrls -u
done
-# keys all serial keyid certs CA
-test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
-test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
-test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
-test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+test_all