From 08b3301e4fb73cd669243642ad7aff5b38ba4466 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Mon, 4 Mar 2019 19:29:30 -0700
Subject: [PATCH] tests/pkd: connect to openssh using certificates

Signed-off-by: Ben Toews
Reviewed-by: Jakub Jelen
---
 tests/pkd/pkd_client.h  |  8 +++--
 tests/pkd/pkd_hello.c   | 12 +++++++
 tests/pkd/pkd_keyutil.c | 72 +++++++++++++++++++++++++++++++----------
 tests/pkd/pkd_keyutil.h | 12 +++++++
 4 files changed, 84 insertions(+), 20 deletions(-)

diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h
index 15d9172d..8912c31d 100644
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -16,11 +16,11 @@
 #define OPENSSH_KEYGEN "ssh-keygen"
 #define OPENSSH_HOSTKEY_ALGOS_DEFAULT "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
-#define OPENSSH_PKACCEPTED_DEFAULT "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
+#define OPENSSH_PKACCEPTED_DEFAULT "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
 #if HAVE_ECC
 #define OPENSSH_HOSTKEY_ALGOS_ECDSA ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
-#define OPENSSH_PKACCEPTED_ECDSA ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
+#define OPENSSH_PKACCEPTED_ECDSA ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com"
 #else /* HAVE_ECC */
 #define OPENSSH_HOSTKEY_ALGOS_ECDSA ""
 #define OPENSSH_PKACCEPTED_ECDSA ""
@@ -28,7 +28,7 @@
 #if HAVE_DSA
 #define OPENSSH_HOSTKEY_ALGOS_DSA ",ssh-dss"
-#define OPENSSH_PKACCEPTED_DSA ",ssh-dss"
+#define OPENSSH_PKACCEPTED_DSA ",ssh-dss,ssh-dss-cert-v01@openssh.com"
 #else /* HAVE_DSA */
 #define OPENSSH_HOSTKEY_ALGOS_DSA ""
 #define OPENSSH_PKACCEPTED_DSA ""
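Review bot: The certificate types appended to OPENSSH_PKACCEPTED_DEFAULT list only `ssh-rsa-cert-v01@openssh.com` for RSA, while the plain-key part of the same string also offers rsa-sha2-512 and rsa-sha2-256; as written the RSA certificate test can presumably only authenticate with a SHA-1 (ssh-rsa) signature, and an OpenSSH client that has ssh-rsa disabled will not offer the certificate at all. The SHA-2 certificate names have existed since OpenSSH 7.8, so mirror the plain-key entries: `"...ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"`. Whether libssh's pkd server accepts those names is decided outside this diff, so check the server-side list before widening the client one.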
@@ -75,6 +75,8 @@
 #define OPENSSH_HOSTKEY_CMD(hostkeyalgo) \
     OPENSSH_CMD_START("-o HostKeyAlgorithms=" hostkeyalgo " ") OPENSSH_CMD_END
+#define OPENSSH_CERT_CMD \
+    OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o CertificateFile=" CLIENT_ID_FILE "-cert.pub " OPENSSH_CMD_END
 /* Dropbear */
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 964a01fa..f493703b 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -603,6 +603,7 @@ static void torture_pkd_runtest(const char *testname,
 #ifdef HAVE_DSA
 #define CLIENT_ID_FILE OPENSSH_DSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_dsa, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_dsa, OPENSSH_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
@@ -615,6 +616,7 @@ PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
 #define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
@@ -627,6 +629,7 @@ PKDTESTS_HOSTKEY_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_HOSTKEY_CMD)
 #define CLIENT_ID_FILE OPENSSH_ECDSA256_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_e256, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_e256, OPENSSH_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_e256, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_e256, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_e256, OPENSSH_KEX_CMD)
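Review bot: OPENSSH_CERT_CMD hands OPENSSH_HOSTKEY_ALGOS to OPENSSH_CMD_START as a bare algorithm list, whereas OPENSSH_HOSTKEY_CMD two lines above wraps its argument as `"-o HostKeyAlgorithms=" hostkeyalgo " "`; both cannot be right unless OPENSSH_CMD_START merely splices its argument into the command, and its definition is outside this hunk, so confirm which form the other OPENSSH_*_CMD macros use before merging. The new macro also depends on CLIENT_ID_FILE being defined at every expansion site (pkd_hello.c redefines it per key type), which is not visible from the macro itself; a comment such as `/* needs CLIENT_ID_FILE; the certificate is read from CLIENT_ID_FILE "-cert.pub" */` above the definition would document that contract.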
@@ -642,6 +645,7 @@ PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_e256, OPENSSH_MAC_CMD)
 #define CLIENT_ID_FILE OPENSSH_ED25519_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_ed, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_ed, OPENSSH_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_ed, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_ed, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_ed, OPENSSH_KEX_CMD)
@@ -682,6 +686,7 @@ struct {
     /* OpenSSH */
 #ifdef HAVE_DSA
     PKDTESTS_DEFAULT(emit_testmap, openssh_dsa, OPENSSH_CMD)
+    PKDTESTS_DEFAULT(emit_testmap, openssh_cert_dsa, OPENSSH_CERT_CMD)
     PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_CMD)
     PKDTESTS_KEX(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
     PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
@@ -692,6 +697,7 @@ struct {
 #endif
     PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD)
+    PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD)
     PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CMD)
     PKDTESTS_KEX(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
     PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
@@ -702,6 +708,7 @@ struct {
     PKDTESTS_HOSTKEY_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_HOSTKEY_CMD)
     PKDTESTS_DEFAULT(emit_testmap, openssh_e256, OPENSSH_CMD)
+    PKDTESTS_DEFAULT(emit_testmap, openssh_cert_e256, OPENSSH_CERT_CMD)
     PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_CMD)
     PKDTESTS_KEX(emit_testmap, openssh_e256, OPENSSH_KEX_CMD)
     PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_KEX_CMD)
@@ -711,6 +718,7 @@ struct {
     PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_MAC_CMD)
     PKDTESTS_DEFAULT(emit_testmap, openssh_ed, OPENSSH_CMD)
+    PKDTESTS_DEFAULT(emit_testmap, openssh_cert_ed, OPENSSH_CERT_CMD)
     PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_ed, OPENSSH_CMD)
     PKDTESTS_KEX(emit_testmap, openssh_ed, OPENSSH_KEX_CMD)
     PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_ed, OPENSSH_KEX_CMD)
@@ -742,6 +750,7 @@ static int pkd_run_tests(void) {
     const struct CMUnitTest openssh_tests[] = {
 #ifdef HAVE_DSA
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
+        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_dsa, OPENSSH_CERT_CMD)
         PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
         PKDTESTS_KEX(emit_unit_test_comma, openssh_dsa, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER(emit_unit_test_comma, openssh_dsa, OPENSSH_CIPHER_CMD)
@@ -751,6 +760,7 @@ static int pkd_run_tests(void) {
 #endif
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
+        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
         PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
         PKDTESTS_KEX(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
@@ -759,6 +769,7 @@ static int pkd_run_tests(void) {
         PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_rsa, OPENSSH_MAC_CMD)
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_e256, OPENSSH_CMD)
+        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_e256, OPENSSH_CERT_CMD)
         PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_e256, OPENSSH_CMD)
         PKDTESTS_KEX(emit_unit_test_comma, openssh_e256, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER(emit_unit_test_comma, openssh_e256, OPENSSH_CIPHER_CMD)
@@ -767,6 +778,7 @@ static int pkd_run_tests(void) {
         PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_e256, OPENSSH_MAC_CMD)
         PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_ed, OPENSSH_CMD)
+        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_ed, OPENSSH_CERT_CMD)
         PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_ed, OPENSSH_CMD)
         PKDTESTS_KEX(emit_unit_test_comma, openssh_ed, OPENSSH_KEX_CMD)
         PKDTESTS_CIPHER(emit_unit_test_comma, openssh_ed, OPENSSH_CIPHER_CMD)
diff --git a/tests/pkd/pkd_keyutil.c b/tests/pkd/pkd_keyutil.c
index 14856d3c..c8cea4f2 100644
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
@@ -67,40 +67,47 @@ void setup_ecdsa_keys() {
     }
 }
-static void cleanup_key(const char *privkey, const char *pubkey) {
-    unlink(privkey);
-    unlink(pubkey);
-}
-
 void cleanup_rsa_key() {
-    cleanup_key(LIBSSH_RSA_TESTKEY, LIBSSH_RSA_TESTKEY ".pub");
+    cleanup_key(LIBSSH_RSA_TESTKEY);
 }
 void cleanup_ed25519_key() {
-    cleanup_key(LIBSSH_ED25519_TESTKEY, LIBSSH_ED25519_TESTKEY ".pub");
+    cleanup_key(LIBSSH_ED25519_TESTKEY);
 }
 #ifdef HAVE_DSA
 void cleanup_dsa_key() {
-    cleanup_key(LIBSSH_DSA_TESTKEY, LIBSSH_DSA_TESTKEY ".pub");
+    cleanup_key(LIBSSH_DSA_TESTKEY);
 }
 #endif
 void cleanup_ecdsa_keys() {
-    cleanup_key(LIBSSH_ECDSA_256_TESTKEY, LIBSSH_ECDSA_256_TESTKEY ".pub");
-    cleanup_key(LIBSSH_ECDSA_384_TESTKEY, LIBSSH_ECDSA_384_TESTKEY ".pub");
-    cleanup_key(LIBSSH_ECDSA_521_TESTKEY, LIBSSH_ECDSA_521_TESTKEY ".pub");
+    cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
+    cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
+    cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
 }
 void setup_openssh_client_keys() {
     int rc = 0;
+    if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
+                            OPENSSH_CA_TESTKEY);
+    }
+    assert_int_equal(rc, 0);
+
 #ifdef HAVE_DSA
     if (access(OPENSSH_DSA_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f " OPENSSH_DSA_TESTKEY);
     }
     assert_int_equal(rc, 0);
+
+    if (access(OPENSSH_DSA_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY
+                            " " OPENSSH_DSA_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
 #endif
     if (access(OPENSSH_RSA_TESTKEY, F_OK) != 0) {
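Review bot: Every certificate-signing command in this function ends in `2>/dev/null`, so when `ssh-keygen -s` fails the only evidence is `assert_int_equal(rc, 0)` firing with no reason attached (CA key missing, key type unsupported by the installed ssh-keygen); the same applies to the five `-I ident -s` blocks in the next hunk. Unless a known-noisy ssh-keygen message is being hidden, drop the redirect so the failure shows up in the test log, or say in a comment why it is muted. The certificates are signed with `-I ident` and no `-n` principals or `-V` validity, which is presumably enough for pkd's own server but deserves a one-line comment so nobody later reads this as a complete certificate setup. setup_openssh_client_keys continues past the end of this hunk.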
@@ -109,40 +116,71 @@ void setup_openssh_client_keys() {
     }
     assert_int_equal(rc, 0);
+    if (access(OPENSSH_RSA_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_RSA_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
+
     if (access(OPENSSH_ECDSA256_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 256 -q -N \"\" -f " OPENSSH_ECDSA256_TESTKEY);
     }
     assert_int_equal(rc, 0);
+    if (access(OPENSSH_ECDSA256_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_ECDSA256_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
+
     if (access(OPENSSH_ECDSA384_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 384 -q -N \"\" -f " OPENSSH_ECDSA384_TESTKEY);
     }
     assert_int_equal(rc, 0);
+    if (access(OPENSSH_ECDSA384_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_ECDSA384_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
+
     if (access(OPENSSH_ECDSA521_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 521 -q -N \"\" -f " OPENSSH_ECDSA521_TESTKEY);
     }
     assert_int_equal(rc, 0);
+    if (access(OPENSSH_ECDSA521_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_ECDSA521_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
+
     if (access(OPENSSH_ED25519_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f " OPENSSH_ED25519_TESTKEY);
     }
     assert_int_equal(rc, 0);
+
+    if (access(OPENSSH_ED25519_TESTKEY "-cert.pub", F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY " "
+                            OPENSSH_ED25519_TESTKEY ".pub 2>/dev/null");
+    }
+    assert_int_equal(rc, 0);
 }
 void cleanup_openssh_client_keys() {
+    cleanup_key(OPENSSH_CA_TESTKEY);
 #ifdef HAVE_DSA
-    cleanup_key(OPENSSH_DSA_TESTKEY,
OPENSSH_DSA_TESTKEY ".pub");
+    cleanup_key(OPENSSH_DSA_TESTKEY);
 #endif
-    cleanup_key(OPENSSH_RSA_TESTKEY, OPENSSH_RSA_TESTKEY ".pub");
-    cleanup_key(OPENSSH_ECDSA256_TESTKEY, OPENSSH_ECDSA256_TESTKEY ".pub");
-    cleanup_key(OPENSSH_ECDSA384_TESTKEY, OPENSSH_ECDSA384_TESTKEY ".pub");
-    cleanup_key(OPENSSH_ECDSA521_TESTKEY, OPENSSH_ECDSA521_TESTKEY ".pub");
-    cleanup_key(OPENSSH_ED25519_TESTKEY, OPENSSH_ED25519_TESTKEY ".pub");
+    cleanup_key(OPENSSH_RSA_TESTKEY);
+    cleanup_key(OPENSSH_ECDSA256_TESTKEY);
+    cleanup_key(OPENSSH_ECDSA384_TESTKEY);
+    cleanup_key(OPENSSH_ECDSA521_TESTKEY);
+    cleanup_key(OPENSSH_ED25519_TESTKEY);
 }
 void setup_dropbear_client_rsa_key() {
diff --git a/tests/pkd/pkd_keyutil.h b/tests/pkd/pkd_keyutil.h
index b0750066..7b189040 100644
--- a/tests/pkd/pkd_keyutil.h
+++ b/tests/pkd/pkd_keyutil.h
@@ -41,6 +41,7 @@ void cleanup_ecdsa_keys(void);
 #define OPENSSH_ECDSA384_TESTKEY "openssh_testkey.id_ecdsa384"
 #define OPENSSH_ECDSA521_TESTKEY "openssh_testkey.id_ecdsa521"
 #define OPENSSH_ED25519_TESTKEY "openssh_testkey.id_ed25519"
+#define OPENSSH_CA_TESTKEY "libssh_testkey.ca"
 #define DROPBEAR_RSA_TESTKEY "dropbear_testkey.id_rsa"
@@ -50,4 +51,15 @@ void cleanup_openssh_client_keys(void);
 void setup_dropbear_client_rsa_key(void);
 void cleanup_dropbear_client_rsa_key(void);
+#define cleanup_file(name) do {\
+    if (access((name), F_OK) != -1) {\
+        unlink((name));\
+    }} while (0)
+
+#define cleanup_key(name) do {\
+    cleanup_file((name));\
+    cleanup_file((name ".pub"));\
+    cleanup_file((name "-cert.pub"));\
+    } while (0)
+
 #endif /* __PKD_KEYUTIL_H__ */
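Review bot: The hunk repeats the same four-line sign-and-assert sequence five times, differing only in the key name, which is how one of them ends up edited and the others not. Since every key name here is a string-literal macro, a small do/while macro in the style this commit already adds to pkd_keyutil.h removes the duplication while keeping the literal concatenation, and the CA and DSA blocks in the previous hunk can use it too. setup_openssh_client_keys starts in the previous hunk.
```c
/* Sign keyname.pub with the test CA unless keyname-cert.pub already exists.
 * keyname must be a string literal (or a macro expanding to one). */
#define SETUP_OPENSSH_CERT(keyname) do {                                       \
    int rc_ = 0;                                                              \
    if (access(keyname "-cert.pub", F_OK) != 0) {                             \
        rc_ = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY \
                             " " keyname ".pub 2>/dev/null");                 \
    }                                                                         \
    assert_int_equal(rc_, 0);                                                 \
} while (0)

/* … unchanged: RSA key generation … */
    SETUP_OPENSSH_CERT(OPENSSH_RSA_TESTKEY);
    /* … unchanged: ECDSA / ed25519 key generation, each followed by … */
    SETUP_OPENSSH_CERT(OPENSSH_ECDSA256_TESTKEY);
    SETUP_OPENSSH_CERT(OPENSSH_ECDSA384_TESTKEY);
    SETUP_OPENSSH_CERT(OPENSSH_ECDSA521_TESTKEY);
    SETUP_OPENSSH_CERT(OPENSSH_ED25519_TESTKEY);
```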
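Review bot: cleanup_key and cleanup_file are now function-like macros that rely on string-literal concatenation (`name ".pub"`), so they compile only when `name` is a literal; passing a `const char *` fails with an unhelpful preprocessor error, and the lower-case names make them look like the function this commit removes from pkd_keyutil.c. The `access()` guard in cleanup_file is also redundant and misleading: unlink() on a missing file simply fails with ENOENT, the file can disappear between the two calls anyway, and any other unlink failure is silently dropped. A static inline function in the header keeps the single-definition convenience while accepting any string and reporting real failures; it needs `<errno.h>`, `<stdio.h>` and `<unistd.h>` available to the header's includers.
```c
/* Remove name, name.pub and name-cert.pub if present. A missing file is
 * not an error; any other unlink failure is reported on stderr. */
static inline void cleanup_key(const char *name)
{
    static const char *const suffixes[] = { "", ".pub", "-cert.pub" };
    char path[1024];
    size_t i;

    for (i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++) {
        int n = snprintf(path, sizeof path, "%s%s", name, suffixes[i]);
        if (n < 0 || (size_t)n >= sizeof path) {
            fprintf(stderr, "cleanup_key: path too long for %s\n", name);
            continue;
        }
        if (unlink(path) != 0 && errno != ENOENT) {
            perror(path);
        }
    }
}
```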