From 5c496acef7ec9c5d175f06f4e39fd8aa8755ae96 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 25 Nov 2025 18:49:56 +0100
Subject: [PATCH] pkd: Run openssh client with SK keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: #331
Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
Reviewed-by: Andreas Schneider
---
 tests/pkd/pkd_client.h | 8 ++++++++
 tests/pkd/pkd_hello.c | 40 ++++++++++++++++++++++++++++++++++++++++
 tests/pkd/pkd_keyutil.c | 19 +++++++++++++++++++
 tests/pkd/pkd_keyutil.h | 2 ++
 4 files changed, 69 insertions(+)
diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h
index aa65593f..2019b34e 100644
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -24,10 +24,18 @@
 "-o PubkeyAcceptedKeyTypes=" \
 OPENSSH_KEYS
+#ifdef HAVE_SK_DUMMY
+#define SECURITY_KEY_PROVIDER \
+ "-oSecurityKeyProvider=\"" SK_DUMMY_LIBRARY_PATH "\" "
+#else
+#define SECURITY_KEY_PROVIDER ""
+#endif
+
 #define OPENSSH_CMD_START(hostkey_algos) \
 OPENSSH_BINARY " " \
 "-o UserKnownHostsFile=/dev/null " \
 "-o StrictHostKeyChecking=no " \
+ SECURITY_KEY_PROVIDER \
 "-F /dev/null " \
 hostkey_algos " " \
 OPENSSH_PKACCEPTED_TYPES " " \
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index aaf9553a..bdfb33ee 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
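Review bot: The new option is spelled `-oSecurityKeyProvider=` while every other option in OPENSSH_CMD_START uses the `-o Name=value ` form, so for consistency I would write `"-o SecurityKeyProvider=\"" SK_DUMMY_LIBRARY_PATH "\" "`. The escaped double quotes around the path only matter if the assembled command string is handed to a shell, as the system_checked() usage in pkd_keyutil.c suggests, and they do not protect a path that itself contains a `"` character; since SK_DUMMY_LIBRARY_PATH is a build-time constant that is acceptable, but it deserves a comment. I would document the macro with `/* ssh(1) option selecting the dummy SK provider so the *-sk test keys are usable; expands to nothing when the dummy library is not available. */`. The OPENSSH_CMD_START macro continues past the end of the hunk.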
@@ -615,6 +615,28 @@ PKDTESTS_MAC(emit_keytest, openssh_ed, OPENSSH_MAC_CMD)
 PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ed, OPENSSH_MAC_CMD)
 #undef CLIENT_ID_FILE
+#ifdef HAVE_SK_DUMMY
+#define CLIENT_ID_FILE OPENSSH_ECDSA_SK_TESTKEY
+PKDTESTS_DEFAULT(emit_keytest, openssh_ec_sk, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_ec_sk, OPENSSH_CERT_CMD)
+PKDTESTS_KEX(emit_keytest, openssh_ec_sk, OPENSSH_KEX_CMD)
+PKDTESTS_CIPHER(emit_keytest, openssh_ec_sk, OPENSSH_CIPHER_CMD)
+PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_ec_sk, OPENSSH_CIPHER_CMD)
+PKDTESTS_MAC(emit_keytest, openssh_ec_sk, OPENSSH_MAC_CMD)
+PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ec_sk, OPENSSH_MAC_CMD)
+#undef CLIENT_ID_FILE
+
+#define CLIENT_ID_FILE OPENSSH_ED25519_SK_TESTKEY
+PKDTESTS_DEFAULT(emit_keytest, openssh_ed_sk, OPENSSH_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_cert_ed_sk, OPENSSH_CERT_CMD)
+PKDTESTS_KEX(emit_keytest, openssh_ed_sk, OPENSSH_KEX_CMD)
+PKDTESTS_CIPHER(emit_keytest, openssh_ed_sk, OPENSSH_CIPHER_CMD)
+PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_ed_sk, OPENSSH_CIPHER_CMD)
+PKDTESTS_MAC(emit_keytest, openssh_ed_sk, OPENSSH_MAC_CMD)
+PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ed_sk, OPENSSH_MAC_CMD)
+#undef CLIENT_ID_FILE
+#endif /* HAVE_SK_DUMMY */
+
 #define CLIENT_ID_FILE DROPBEAR_RSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, dropbear_rsa, DROPBEAR_CMD)
 PKDTESTS_CIPHER(emit_keytest, dropbear_rsa, DROPBEAR_CIPHER_CMD)
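Review bot: The `openssh_cert_ec_sk` and `openssh_cert_ed_sk` entries run OPENSSH_CERT_CMD with the new SK keys as CLIENT_ID_FILE, but the setup hunk in pkd_keyutil.c only generates the two SK keys and I cannot see in this diff where a certificate for them is issued with OPENSSH_CA_TESTKEY; if the existing cert tests depend on a signing step outside the diff, the SK keys presumably need adding to it, otherwise I would expect the cert variants to fail at key load rather than exercise the certificate path. This declaration block also has to be mirrored by hand in the pkd_run_tests() list changed in the later hunk of this file, and a test declared here but omitted there is silently never run, so a comment such as `/* Keep in sync with the HAVE_SK_DUMMY block in pkd_run_tests() */` would help the next person extending the list.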
@@ -738,6 +760,24 @@ static int pkd_run_tests(void) {
 PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ed, OPENSSH_CIPHER_CMD)
 PKDTESTS_MAC(emit_unit_test_comma, openssh_ed, OPENSSH_MAC_CMD)
 PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ed, OPENSSH_MAC_CMD)
+
+#ifdef HAVE_SK_DUMMY
+ PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CMD)
+ PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_ec_sk, OPENSSH_CERT_CMD)
+ PKDTESTS_KEX(emit_unit_test_comma, openssh_ec_sk, OPENSSH_KEX_CMD)
+ PKDTESTS_CIPHER(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CIPHER_CMD)
+ PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CIPHER_CMD)
+ PKDTESTS_MAC(emit_unit_test_comma, openssh_ec_sk, OPENSSH_MAC_CMD)
+ PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ec_sk, OPENSSH_MAC_CMD)
+
+ PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CMD)
+ PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_ed_sk, OPENSSH_CERT_CMD)
+ PKDTESTS_KEX(emit_unit_test_comma, openssh_ed_sk, OPENSSH_KEX_CMD)
+ PKDTESTS_CIPHER(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CIPHER_CMD)
+ PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CIPHER_CMD)
+ PKDTESTS_MAC(emit_unit_test_comma, openssh_ed_sk, OPENSSH_MAC_CMD)
+ PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ed_sk, OPENSSH_MAC_CMD)
+#endif /* HAVE_SK_DUMMY */
 };
 /* It is not possible to test hostkey and kex algorithms, because
diff --git a/tests/pkd/pkd_keyutil.c b/tests/pkd/pkd_keyutil.c
index bf4428bf..834b1d04 100644
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
@@ -153,6 +153,21 @@ void setup_openssh_client_keys(void) {
 }
 assert_int_equal(rc, 0);
 }
+
+#ifdef HAVE_SK_DUMMY
+ setenv("SSH_SK_PROVIDER", SK_DUMMY_LIBRARY_PATH, 1);
+ if (access(OPENSSH_ECDSA_SK_TESTKEY, F_OK) != 0) {
+ rc = system_checked(OPENSSH_KEYGEN " -t ecdsa-sk -q -N \"\" -f "
+ OPENSSH_ECDSA_SK_TESTKEY);
+ }
+ assert_int_equal(rc, 0);
+
+ if (access(OPENSSH_ED25519_SK_TESTKEY, F_OK) != 0) {
+ rc = system_checked(OPENSSH_KEYGEN " -t ed25519-sk -q -N \"\" -f "
+ OPENSSH_ED25519_SK_TESTKEY);
+ }
+ assert_int_equal(rc, 0);
+#endif
 }
 void cleanup_openssh_client_keys(void) {
@@ -165,6 +180,10 @@ void cleanup_openssh_client_keys(void) {
 if (!ssh_fips_mode()) {
 cleanup_key(OPENSSH_ED25519_TESTKEY);
 }
+#ifdef HAVE_SK_DUMMY
+ cleanup_key(OPENSSH_ECDSA_SK_TESTKEY);
+ cleanup_key(OPENSSH_ED25519_SK_TESTKEY);
+#endif
 }
 void setup_dropbear_client_keys(void)
diff --git a/tests/pkd/pkd_keyutil.h b/tests/pkd/pkd_keyutil.h
index 0b0b2e80..5c39eee0 100644
--- a/tests/pkd/pkd_keyutil.h
+++ b/tests/pkd/pkd_keyutil.h
@@ -30,6 +30,8 @@ void cleanup_ecdsa_keys(void);
 #define OPENSSH_ECDSA521_TESTKEY "openssh_testkey.id_ecdsa521"
 #define OPENSSH_ED25519_TESTKEY "openssh_testkey.id_ed25519"
 #define OPENSSH_CA_TESTKEY "libssh_testkey.ca"
+#define OPENSSH_ECDSA_SK_TESTKEY "openssh_testkey.id_ecdsa-sk"
+#define OPENSSH_ED25519_SK_TESTKEY "openssh_testkey.id_ed25519-sk"
 #define DROPBEAR_RSA_TESTKEY "dropbear_testkey.id_rsa"
 #define DROPBEAR_ECDSA256_TESTKEY "dropbear_testkey.id_ecdsa256"
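Review bot: The return value of `setenv("SSH_SK_PROVIDER", SK_DUMMY_LIBRARY_PATH, 1)` is discarded even though both ssh-keygen invocations that follow depend on it; if setenv fails the `-t ecdsa-sk` generation fails with a far less obvious error, so check it like the other steps, `rc = setenv("SSH_SK_PROVIDER", SK_DUMMY_LIBRARY_PATH, 1); assert_int_equal(rc, 0);`. When a key file already exists, the `assert_int_equal(rc, 0)` that follows each `if (access(...) != 0)` block inspects the rc left over from the previous block, which matches the existing pattern in this function but is worth a one-line comment. A short comment on the block, `/* ssh-keygen(1) takes the SK provider from SSH_SK_PROVIDER; the dummy provider presumably stands in for a hardware token so *-sk keys can be generated in CI */`, would explain why the variable is exported here. setup_openssh_client_keys() begins before this hunk.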
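Review bot: cleanup_openssh_client_keys() removes the two SK key files but leaves `SSH_SK_PROVIDER`, which setup_openssh_client_keys() exported into the process environment in the previous hunk, set for everything that runs afterwards; any later ssh or ssh-keygen child spawned by other test cases inherits it and may silently pick up the dummy provider. Pair the setenv with `unsetenv("SSH_SK_PROVIDER");` inside the same `#ifdef HAVE_SK_DUMMY` block here so the environment is restored with the key files. cleanup_openssh_client_keys() begins before this hunk.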