1# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $ 2# Placed in the Public Domain. 3 4tid="key revocation lists" 5 6# Do most testing with ssh-keygen; it uses the same verification code as sshd. 7 8# Old keys will interfere with ssh-keygen. 9rm -f $OBJ/revoked-* $OBJ/krl-* 10 11# Generate a CA key 12$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null || 13 fatal "$SSHKEYGEN CA failed" 14$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || 15 fatal "$SSHKEYGEN CA2 failed" 16 17# A specification that revokes some certificates by serial numbers 18# The serial pattern is chosen to ensure the KRL includes list, range and 19# bitmap sections. 20cat << EOF >> $OBJ/revoked-serials 21serial: 1-4 22serial: 10 23serial: 15 24serial: 30 25serial: 50 26serial: 999 27# The following sum to 500-799 28serial: 500 29serial: 501 30serial: 502 31serial: 503-600 32serial: 700-797 33serial: 798 34serial: 799 35serial: 599-701 36# Some multiple consecutive serial number ranges 37serial: 10000-20000 38serial: 30000-40000 39EOF 40 41# A specification that revokes some certificated by key ID. 42touch $OBJ/revoked-keyid 43for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do 44 test "x$n" = "x499" && continue 45 # Fill in by-ID revocation spec. 46 echo "id: revoked $n" >> $OBJ/revoked-keyid 47done 48 49keygen() { 50 N=$1 51 f=$OBJ/revoked-`printf "%04d" $N` 52 # Vary the keytype. We use mostly ECDSA since this is fastest by far. 53 keytype=ecdsa 54 case $N in 55 2 | 10 | 510 | 1001) keytype=rsa;; 56 4 | 30 | 520 | 1002) keytype=ed25519;; 57 esac 58 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ 59 || fatal "$SSHKEYGEN failed" 60 # Sign cert 61 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \ 62 || fatal "$SSHKEYGEN sign failed" 63 echo $f 64} 65 66# Generate some keys. 67verbose "$tid: generating test keys" 68REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" 69for n in $REVOKED_SERIALS ; do 70 f=`keygen $n` 71 RKEYS="$RKEYS ${f}.pub" 72 RCERTS="$RCERTS ${f}-cert.pub" 73done 74UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011" 75UNREVOKED="" 76for n in $UNREVOKED_SERIALS ; do 77 f=`keygen $n` 78 UKEYS="$UKEYS ${f}.pub" 79 UCERTS="$UCERTS ${f}-cert.pub" 80done 81 82genkrls() { 83 OPTS=$1 84$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \ 85 >/dev/null || fatal "$SSHKEYGEN KRL failed" 86$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \ 87 >/dev/null || fatal "$SSHKEYGEN KRL failed" 88$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \ 89 >/dev/null || fatal "$SSHKEYGEN KRL failed" 90$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \ 91 >/dev/null || fatal "$SSHKEYGEN KRL failed" 92$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \ 93 >/dev/null || fatal "$SSHKEYGEN KRL failed" 94# This should fail as KRLs from serial/key-id spec need the CA specified. 95$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \ 96 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 97$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \ 98 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly" 99# These should succeed; they specify an explicit CA key. 100$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \ 101 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 102$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \ 103 $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed" 104# These should succeed; they specify an wildcard CA key. 105$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \ 106 >/dev/null || fatal "$SSHKEYGEN KRL failed" 107$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \ 108 >/dev/null || fatal "$SSHKEYGEN KRL failed" 109# Revoke the same serials with the second CA key to ensure a multi-CA 110# KRL is generated. 111$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \ 112 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed" 113} 114 115## XXX dump with trace and grep for set cert serials 116## XXX test ranges near (u64)-1, etc. 117 118verbose "$tid: generating KRLs" 119genkrls 120 121check_krl() { 122 KEY=$1 123 KRL=$2 124 EXPECT_REVOKED=$3 125 TAG=$4 126 $SSHKEYGEN -Qf $KRL $KEY >/dev/null 127 result=$? 128 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then 129 fatal "key $KEY not revoked by KRL $KRL: $TAG" 130 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then 131 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG" 132 fi 133} 134test_rev() { 135 FILES=$1 136 TAG=$2 137 KEYS_RESULT=$3 138 ALL_RESULT=$4 139 SERIAL_RESULT=$5 140 KEYID_RESULT=$6 141 CERTS_RESULT=$7 142 CA_RESULT=$8 143 SERIAL_WRESULT=$9 144 KEYID_WRESULT=$10 145 verbose "$tid: checking revocations for $TAG" 146 for f in $FILES ; do 147 check_krl $f $OBJ/krl-empty no "$TAG" 148 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG" 149 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG" 150 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG" 151 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG" 152 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG" 153 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG" 154 check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG" 155 check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG" 156 done 157} 158 159test_all() { 160 # wildcard 161 # keys all sr# k.ID cert CA sr.# k.ID 162 test_rev "$RKEYS" "revoked keys" yes yes no no no no no no 163 test_rev "$UKEYS" "unrevoked keys" no no no no no no no no 164 test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes 165 test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no 166} 167 168test_all 169 170# Check update. Results should be identical. 171verbose "$tid: testing KRL update" 172for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \ 173 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \ 174 $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do 175 cp -f $OBJ/krl-empty $f 176 genkrls -u 177done 178 179test_all 180