pkd: Run openssh client with SK keys

Fixes: #331 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-11 02:38:09 +09:00 · 2025-11-25 18:49:56 +01:00
parent 3e074a3fba
commit 5c496acef7
4 changed files with 69 additions and 0 deletions
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -24,10 +24,18 @@
  "-o PubkeyAcceptedKeyTypes="  \
  OPENSSH_KEYS
 #ifdef HAVE_SK_DUMMY
 #define SECURITY_KEY_PROVIDER \
    "-oSecurityKeyProvider=\"" SK_DUMMY_LIBRARY_PATH "\" "
 #else
 #define SECURITY_KEY_PROVIDER ""
 #endif
 #define OPENSSH_CMD_START(hostkey_algos) \
    OPENSSH_BINARY " "                  \
    "-o UserKnownHostsFile=/dev/null "  \
    "-o StrictHostKeyChecking=no "      \
    SECURITY_KEY_PROVIDER               \
    "-F /dev/null "                     \
    hostkey_algos " "                   \
    OPENSSH_PKACCEPTED_TYPES " "        \
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -615,6 +615,28 @@ PKDTESTS_MAC(emit_keytest, openssh_ed, OPENSSH_MAC_CMD)
 PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ed, OPENSSH_MAC_CMD)
 #undef CLIENT_ID_FILE
 #ifdef HAVE_SK_DUMMY
 #define CLIENT_ID_FILE OPENSSH_ECDSA_SK_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_ec_sk, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_keytest, openssh_cert_ec_sk, OPENSSH_CERT_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_ec_sk, OPENSSH_KEX_CMD)
 PKDTESTS_CIPHER(emit_keytest, openssh_ec_sk, OPENSSH_CIPHER_CMD)
 PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_ec_sk, OPENSSH_CIPHER_CMD)
 PKDTESTS_MAC(emit_keytest, openssh_ec_sk, OPENSSH_MAC_CMD)
 PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ec_sk, OPENSSH_MAC_CMD)
 #undef CLIENT_ID_FILE
 #define CLIENT_ID_FILE OPENSSH_ED25519_SK_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_ed_sk, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_keytest, openssh_cert_ed_sk, OPENSSH_CERT_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_ed_sk, OPENSSH_KEX_CMD)
 PKDTESTS_CIPHER(emit_keytest, openssh_ed_sk, OPENSSH_CIPHER_CMD)
 PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_ed_sk, OPENSSH_CIPHER_CMD)
 PKDTESTS_MAC(emit_keytest, openssh_ed_sk, OPENSSH_MAC_CMD)
 PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_ed_sk, OPENSSH_MAC_CMD)
 #undef CLIENT_ID_FILE
 #endif /* HAVE_SK_DUMMY */
 #define CLIENT_ID_FILE DROPBEAR_RSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, dropbear_rsa, DROPBEAR_CMD)
 PKDTESTS_CIPHER(emit_keytest, dropbear_rsa, DROPBEAR_CIPHER_CMD)
@@ -738,6 +760,24 @@ static int pkd_run_tests(void) {
        PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ed, OPENSSH_CIPHER_CMD)
        PKDTESTS_MAC(emit_unit_test_comma, openssh_ed, OPENSSH_MAC_CMD)
        PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ed, OPENSSH_MAC_CMD)
 #ifdef HAVE_SK_DUMMY
        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CMD)
        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_ec_sk, OPENSSH_CERT_CMD)
        PKDTESTS_KEX(emit_unit_test_comma, openssh_ec_sk, OPENSSH_KEX_CMD)
        PKDTESTS_CIPHER(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CIPHER_CMD)
        PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ec_sk, OPENSSH_CIPHER_CMD)
        PKDTESTS_MAC(emit_unit_test_comma, openssh_ec_sk, OPENSSH_MAC_CMD)
        PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ec_sk, OPENSSH_MAC_CMD)
        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CMD)
        PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_ed_sk, OPENSSH_CERT_CMD)
        PKDTESTS_KEX(emit_unit_test_comma, openssh_ed_sk, OPENSSH_KEX_CMD)
        PKDTESTS_CIPHER(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CIPHER_CMD)
        PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_ed_sk, OPENSSH_CIPHER_CMD)
        PKDTESTS_MAC(emit_unit_test_comma, openssh_ed_sk, OPENSSH_MAC_CMD)
        PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_ed_sk, OPENSSH_MAC_CMD)
 #endif /* HAVE_SK_DUMMY */
    };
    /* It is not possible to test hostkey and kex algorithms, because
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
@@ -153,6 +153,21 @@ void setup_openssh_client_keys(void) {
        }
        assert_int_equal(rc, 0);
    }
 #ifdef HAVE_SK_DUMMY
    setenv("SSH_SK_PROVIDER", SK_DUMMY_LIBRARY_PATH, 1);
    if (access(OPENSSH_ECDSA_SK_TESTKEY, F_OK) != 0) {
        rc = system_checked(OPENSSH_KEYGEN " -t ecdsa-sk -q -N \"\" -f "
                            OPENSSH_ECDSA_SK_TESTKEY);
    }
    assert_int_equal(rc, 0);
    if (access(OPENSSH_ED25519_SK_TESTKEY, F_OK) != 0) {
        rc = system_checked(OPENSSH_KEYGEN " -t ed25519-sk -q -N \"\" -f "
                            OPENSSH_ED25519_SK_TESTKEY);
    }
    assert_int_equal(rc, 0);
 #endif
 }
 void cleanup_openssh_client_keys(void) {
@@ -165,6 +180,10 @@ void cleanup_openssh_client_keys(void) {
    if (!ssh_fips_mode()) {
        cleanup_key(OPENSSH_ED25519_TESTKEY);
    }
 #ifdef HAVE_SK_DUMMY
    cleanup_key(OPENSSH_ECDSA_SK_TESTKEY);
    cleanup_key(OPENSSH_ED25519_SK_TESTKEY);
 #endif
 }
 void setup_dropbear_client_keys(void)
--- a/tests/pkd/pkd_keyutil.h
+++ b/tests/pkd/pkd_keyutil.h
@@ -30,6 +30,8 @@ void cleanup_ecdsa_keys(void);
 #define OPENSSH_ECDSA521_TESTKEY  "openssh_testkey.id_ecdsa521"
 #define OPENSSH_ED25519_TESTKEY   "openssh_testkey.id_ed25519"
 #define OPENSSH_CA_TESTKEY        "libssh_testkey.ca"
 #define OPENSSH_ECDSA_SK_TESTKEY  "openssh_testkey.id_ecdsa-sk"
 #define OPENSSH_ED25519_SK_TESTKEY "openssh_testkey.id_ed25519-sk"
 #define DROPBEAR_RSA_TESTKEY      "dropbear_testkey.id_rsa"
 #define DROPBEAR_ECDSA256_TESTKEY "dropbear_testkey.id_ecdsa256"