From e48cdee8e19059203b1aeeabec2350b8375fa61f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:50:08 +0000 Subject: upstream: regress test for agent PKCS#11-backed certificates OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9 --- regress/Makefile | 5 ++- regress/agent-pkcs11-cert.sh | 92 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 regress/agent-pkcs11-cert.sh diff --git a/regress/Makefile b/regress/Makefile index 6394a2ada..f5cb9bd47 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.130 2023/12/18 14:49:39 djm Exp $ +# $OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $ tests: prep file-tests t-exec unit @@ -108,7 +108,8 @@ LTESTS= connect \ channel-timeout \ connection-timeout \ match-subsystem \ - agent-pkcs11-restrict + agent-pkcs11-restrict \ + agent-pkcs11-cert INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS+= dropbear-ciphers dropbear-kex diff --git a/regress/agent-pkcs11-cert.sh b/regress/agent-pkcs11-cert.sh new file mode 100644 index 000000000..4e8f74846 --- /dev/null +++ b/regress/agent-pkcs11-cert.sh @@ -0,0 +1,92 @@ +# $OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $ +# Placed in the Public Domain. + +tid="pkcs11 agent certificate test" + +SSH_AUTH_SOCK="$OBJ/agent.sock" +export SSH_AUTH_SOCK +LC_ALL=C +export LC_ALL +p11_setup || skip "No PKCS#11 library found" + +rm -f $SSH_AUTH_SOCK $OBJ/agent.log +rm -f $OBJ/output_* $OBJ/expect_* +rm -f $OBJ/ca* + +trace "generate CA key and certify keys" +$SSHKEYGEN -q -t ed25519 -C ca -N '' -f $OBJ/ca || fatal "ssh-keygen CA failed" +$SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub || + fatal "certify ECDSA key failed" +$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub || + fatal "certify RSA key failed" +$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub || + fatal "certify CA key failed" + +rm -f $SSH_AUTH_SOCK +trace "start agent" +${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 & +AGENT_PID=$! +trap "kill $AGENT_PID" EXIT +for x in 0 1 2 3 4 ; do + # Give it a chance to start + ${SSHADD} -l > /dev/null 2>&1 + r=$? + test $r -eq 1 && break + sleep 1 +done +if [ $r -ne 1 ]; then + fatal "ssh-add -l did not fail with exit code 1 (got $r)" +fi + +trace "load pkcs11 keys and certs" +# Note: deliberately contains non-cert keys and non-matching cert on commandline +p11_ssh_add -qs ${TEST_SSH_PKCS11} \ + $OBJ/ca.pub \ + ${SSH_SOFTHSM_DIR}/EC.pub \ + ${SSH_SOFTHSM_DIR}/EC-cert.pub \ + ${SSH_SOFTHSM_DIR}/RSA.pub \ + ${SSH_SOFTHSM_DIR}/RSA-cert.pub || + fatal "failed to add keys" +# Verify their presence +cut -d' ' -f1-2 \ + ${SSH_SOFTHSM_DIR}/EC.pub \ + ${SSH_SOFTHSM_DIR}/RSA.pub \ + ${SSH_SOFTHSM_DIR}/EC-cert.pub \ + ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list +$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list +diff $OBJ/expect_list $OBJ/output_list + +# Verify that all can perform signatures. +for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \ + ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do + $SSHADD -T $x || fail "Signing failed for $x" +done + +# Delete plain keys. +$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub +# Verify that certs can still perform signatures. +for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do + $SSHADD -T $x || fail "Signing failed for $x" +done + +$SSHADD -qD >/dev/null || fatal "clear agent failed" + +trace "load pkcs11 certs only" +p11_ssh_add -qCs ${TEST_SSH_PKCS11} \ + $OBJ/ca.pub \ + ${SSH_SOFTHSM_DIR}/EC.pub \ + ${SSH_SOFTHSM_DIR}/EC-cert.pub \ + ${SSH_SOFTHSM_DIR}/RSA.pub \ + ${SSH_SOFTHSM_DIR}/RSA-cert.pub || + fatal "failed to add keys" +# Verify their presence +cut -d' ' -f1-2 \ + ${SSH_SOFTHSM_DIR}/EC-cert.pub \ + ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list +$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list +diff $OBJ/expect_list $OBJ/output_list + +# Verify that certs can perform signatures. +for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do + $SSHADD -T $x || fail "Signing failed for $x" +done -- cgit v1.2.3