d31cbb3a7c
Some checks failed
CIFuzz / Fuzzing (push) Waiting to run
C/C++ CI self-hosted / win10 cygwin-release (push) Waiting to run
C/C++ CI self-hosted / ARM default (push) Waiting to run
C/C++ CI self-hosted / ARM64 default (push) Waiting to run
C/C++ CI self-hosted / alpine default (push) Waiting to run
C/C++ CI self-hosted / centos7 default (push) Waiting to run
C/C++ CI self-hosted / debian-i386 default (push) Waiting to run
C/C++ CI self-hosted / dfly30 default (push) Waiting to run
C/C++ CI self-hosted / dfly48 default (push) Waiting to run
C/C++ CI self-hosted / dfly60 default (push) Waiting to run
C/C++ CI self-hosted / dfly62 default (push) Waiting to run
C/C++ CI self-hosted / dfly64 default (push) Waiting to run
C/C++ CI self-hosted / fbsd10 default (push) Waiting to run
C/C++ CI self-hosted / fbsd12 default (push) Waiting to run
C/C++ CI self-hosted / fbsd13 default (push) Waiting to run
C/C++ CI self-hosted / fbsd14 default (push) Waiting to run
C/C++ CI self-hosted / nbsd10 default (push) Waiting to run
C/C++ CI self-hosted / nbsd3 default (push) Waiting to run
C/C++ CI self-hosted / nbsd4 default (push) Waiting to run
C/C++ CI self-hosted / nbsd8 default (push) Waiting to run
C/C++ CI self-hosted / nbsd9 default (push) Waiting to run
C/C++ CI self-hosted / obsd51 default (push) Waiting to run
C/C++ CI self-hosted / obsd67 default (push) Waiting to run
C/C++ CI self-hosted / obsd72 default (push) Waiting to run
C/C++ CI self-hosted / obsd73 default (push) Waiting to run
C/C++ CI self-hosted / obsd74 default (push) Waiting to run
C/C++ CI self-hosted / obsdsnap default (push) Waiting to run
C/C++ CI self-hosted / obsdsnap-i386 default (push) Waiting to run
C/C++ CI self-hosted / omnios default (push) Waiting to run
C/C++ CI self-hosted / openindiana default (push) Waiting to run
C/C++ CI self-hosted / ubuntu-2204 default (push) Waiting to run
C/C++ CI self-hosted / obsd-arm64 default (push) Waiting to run
C/C++ CI self-hosted / aix51 default (push) Waiting to run
C/C++ CI self-hosted / fbsd14-ppc64 default (push) Waiting to run
C/C++ CI self-hosted / sol10 default (push) Waiting to run
C/C++ CI self-hosted / sol11 default (push) Waiting to run
C/C++ CI self-hosted / win10 default (push) Waiting to run
C/C++ CI self-hosted / debian-riscv64 default (push) Waiting to run
C/C++ CI self-hosted / openwrt-mips default (push) Waiting to run
C/C++ CI self-hosted / openwrt-mipsel default (push) Waiting to run
C/C++ CI self-hosted / ARM64 pam (push) Waiting to run
C/C++ CI self-hosted / centos7 pam (push) Waiting to run
C/C++ CI self-hosted / debian-i386 pam (push) Waiting to run
C/C++ CI self-hosted / dfly48 pam (push) Waiting to run
C/C++ CI self-hosted / dfly58 pam (push) Waiting to run
C/C++ CI self-hosted / dfly60 pam (push) Waiting to run
C/C++ CI self-hosted / dfly62 pam (push) Waiting to run
C/C++ CI self-hosted / dfly64 pam (push) Waiting to run
C/C++ CI self-hosted / fbsd10 pam (push) Waiting to run
C/C++ CI self-hosted / fbsd12 pam (push) Waiting to run
C/C++ CI self-hosted / fbsd13 pam (push) Waiting to run
C/C++ CI self-hosted / fbsd14 pam (push) Waiting to run
C/C++ CI self-hosted / nbsd10 pam (push) Waiting to run
C/C++ CI self-hosted / nbsd8 pam (push) Waiting to run
C/C++ CI self-hosted / nbsd9 pam (push) Waiting to run
C/C++ CI self-hosted / omnios pam (push) Waiting to run
C/C++ CI self-hosted / openindiana pam (push) Waiting to run
C/C++ CI self-hosted / sol10 pam (push) Waiting to run
C/C++ CI self-hosted / sol11 pam-krb5 (push) Waiting to run
C/C++ CI self-hosted / sol11 sol64 (push) Waiting to run
C/C++ CI self-hosted / dfly30 without-openssl (push) Waiting to run
C/C++ CI / ubuntu-latest aws-lc (push) Failing after 31s
C/C++ CI / ubuntu-latest boringssl (push) Failing after 31s
C/C++ CI / ubuntu-latest clang-15 (push) Failing after 31s
C/C++ CI / ubuntu-latest clang-19 (push) Failing after 19s
C/C++ CI / ubuntu-latest default (push) Failing after 3s
C/C++ CI / ubuntu-latest gcc-14 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-3.2.6 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-3.3.6 (push) Failing after 3s
C/C++ CI / ubuntu-latest libressl-3.4.3 (push) Failing after 3s
C/C++ CI / ubuntu-latest libressl-3.5.3 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-3.6.1 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-3.7.2 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-3.8.4 (push) Failing after 3s
C/C++ CI / ubuntu-latest libressl-3.9.2 (push) Failing after 3s
C/C++ CI / ubuntu-latest libressl-4.0.0 (push) Failing after 4s
C/C++ CI / ubuntu-latest libressl-master (push) Failing after 4s
C/C++ CI / ubuntu-latest musl (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-1.1.1 (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-1.1.1_stable (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-1.1.1t (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-1.1.1w (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-3.0 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.0.0 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.0.15 (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-3.1 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.1.0 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.1.7 (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-3.2 (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-3.2.3 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.3 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-3.3.2 (push) Failing after 4s
C/C++ CI / ubuntu-latest openssl-3.4.0 (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-master (push) Failing after 3s
C/C++ CI / ubuntu-latest openssl-noec (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.71 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.72 (push) Failing after 3s
C/C++ CI / ubuntu-latest putty-0.73 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.74 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.75 (push) Failing after 3s
C/C++ CI / ubuntu-latest putty-0.76 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.77 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.78 (push) Failing after 3s
C/C++ CI / ubuntu-latest putty-0.79 (push) Failing after 3s
C/C++ CI / ubuntu-latest putty-0.80 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.81 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-0.82 (push) Failing after 3s
C/C++ CI / ubuntu-latest putty-0.83 (push) Failing after 4s
C/C++ CI / ubuntu-latest putty-snapshot (push) Failing after 4s
C/C++ CI / ubuntu-latest tcmalloc (push) Failing after 3s
C/C++ CI / ubuntu-latest zlib-develop (push) Failing after 3s
C/C++ CI / ubuntu-22.04 c89 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 clang-11 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 clang-12-Werror (push) Has been cancelled
C/C++ CI / ubuntu-22.04 clang-14 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 clang-sanitize-address (push) Has been cancelled
C/C++ CI / ubuntu-22.04 clang-sanitize-undefined (push) Has been cancelled
C/C++ CI / windows-2019 cygwin-release (push) Has been cancelled
C/C++ CI / windows-2022 cygwin-release (push) Has been cancelled
C/C++ CI / macos-13 default (push) Has been cancelled
C/C++ CI / macos-14 default (push) Has been cancelled
C/C++ CI / macos-15 default (push) Has been cancelled
C/C++ CI / ubuntu-22.04 default (push) Has been cancelled
C/C++ CI / ubuntu-22.04-arm default (push) Has been cancelled
C/C++ CI / ubuntu-24.04-arm default (push) Has been cancelled
C/C++ CI / windows-2019 default (push) Has been cancelled
C/C++ CI / windows-2022 default (push) Has been cancelled
C/C++ CI / ubuntu-22.04 gcc-11-Werror (push) Has been cancelled
C/C++ CI / ubuntu-22.04 gcc-12-Werror (push) Has been cancelled
C/C++ CI / ubuntu-22.04 gcc-9 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 gcc-sanitize-address (push) Has been cancelled
C/C++ CI / ubuntu-22.04 gcc-sanitize-undefined (push) Has been cancelled
C/C++ CI / ubuntu-22.04 hardenedmalloc (push) Has been cancelled
C/C++ CI / ubuntu-22.04 heimdal (push) Has been cancelled
C/C++ CI / ubuntu-22.04 kitchensink (push) Has been cancelled
C/C++ CI / ubuntu-22.04-arm kitchensink (push) Has been cancelled
C/C++ CI / ubuntu-24.04-arm kitchensink (push) Has been cancelled
C/C++ CI / ubuntu-22.04 krb5 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 libedit (push) Has been cancelled
C/C++ CI / macos-13 pam (push) Has been cancelled
C/C++ CI / macos-14 pam (push) Has been cancelled
C/C++ CI / macos-15 pam (push) Has been cancelled
C/C++ CI / ubuntu-22.04 pam (push) Has been cancelled
C/C++ CI / ubuntu-22.04 selinux (push) Has been cancelled
C/C++ CI / ubuntu-22.04 sk (push) Has been cancelled
C/C++ CI / ubuntu-22.04 valgrind-1 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 valgrind-2 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 valgrind-3 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 valgrind-4 (push) Has been cancelled
C/C++ CI / ubuntu-22.04 valgrind-unit (push) Has been cancelled
C/C++ CI / ubuntu-22.04 without-openssl (push) Has been cancelled
218 lines
7.0 KiB
Bash
218 lines
7.0 KiB
Bash
# $OpenBSD: krl.sh,v 1.12 2023/01/16 04:11:29 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="key revocation lists"
|
|
|
|
# Use ed25519 by default since it's fast and it's supported when building
|
|
# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
|
|
ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
|
|
ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
|
|
for t in $SSH_KEYTYPES; do
|
|
case "$t" in
|
|
ecdsa*) ktype2=ecdsa ;;
|
|
ssh-rsa) ktype3=rsa ;;
|
|
ssh-dss) ktype4=dsa ;;
|
|
sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
|
|
sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
|
|
esac
|
|
done
|
|
|
|
# Do most testing with ssh-keygen; it uses the same verification code as sshd.
|
|
|
|
# Old keys will interfere with ssh-keygen.
|
|
rm -f $OBJ/revoked-* $OBJ/krl-*
|
|
|
|
# Generate a CA key
|
|
$SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
|
|
fatal "$SSHKEYGEN CA failed"
|
|
$SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
|
|
fatal "$SSHKEYGEN CA2 failed"
|
|
|
|
# A specification that revokes some certificates by serial numbers
|
|
# The serial pattern is chosen to ensure the KRL includes list, range and
|
|
# bitmap sections.
|
|
cat << EOF >> $OBJ/revoked-serials
|
|
serial: 1-4
|
|
serial: 10
|
|
serial: 15
|
|
serial: 30
|
|
serial: 50
|
|
serial: 90
|
|
serial: 999
|
|
# The following sum to 500-799
|
|
serial: 500
|
|
serial: 501
|
|
serial: 502
|
|
serial: 503-600
|
|
serial: 700-797
|
|
serial: 798
|
|
serial: 799
|
|
serial: 599-701
|
|
# Some multiple consecutive serial number ranges
|
|
serial: 10000-20000
|
|
serial: 30000-40000
|
|
EOF
|
|
|
|
# A specification that revokes some certificated by key ID.
|
|
touch $OBJ/revoked-keyid
|
|
for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
|
|
test "x$n" = "x499" && continue
|
|
# Fill in by-ID revocation spec.
|
|
echo "id: revoked $n" >> $OBJ/revoked-keyid
|
|
done
|
|
|
|
keygen() {
|
|
N=$1
|
|
f=$OBJ/revoked-`printf "%04d" $N`
|
|
# Vary the keytype. We use mostly ed25519 since this is fast and well
|
|
# supported.
|
|
keytype=$ktype1
|
|
case $N in
|
|
2 | 10 | 510 | 1001) keytype=$ktype2 ;;
|
|
4 | 30 | 520 | 1002) keytype=$ktype3 ;;
|
|
8 | 50 | 530 | 1003) keytype=$ktype4 ;;
|
|
16 | 70 | 540 | 1004) keytype=$ktype5 ;;
|
|
32 | 90 | 550 | 1005) keytype=$ktype6 ;;
|
|
esac
|
|
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|
|
|| fatal "$SSHKEYGEN failed"
|
|
# Sign cert
|
|
$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
|
|
|| fatal "$SSHKEYGEN sign failed"
|
|
echo $f
|
|
}
|
|
|
|
# Generate some keys.
|
|
verbose "$tid: generating test keys"
|
|
REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
|
|
for n in $REVOKED_SERIALS ; do
|
|
f=`keygen $n`
|
|
RKEYS="$RKEYS ${f}.pub"
|
|
RCERTS="$RCERTS ${f}-cert.pub"
|
|
done
|
|
UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
|
|
UNREVOKED=""
|
|
for n in $UNREVOKED_SERIALS ; do
|
|
f=`keygen $n`
|
|
UKEYS="$UKEYS ${f}.pub"
|
|
UCERTS="$UCERTS ${f}-cert.pub"
|
|
done
|
|
|
|
# Specifications that revoke keys by hash.
|
|
touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
|
|
for rkey in $RKEYS; do
|
|
(printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
|
|
(printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
|
|
(printf "hash: "; $SSHKEYGEN -lf $rkey | \
|
|
awk '{ print $2 }') >> $OBJ/revoked-hash
|
|
done
|
|
|
|
genkrls() {
|
|
OPTS=$1
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
|
|
>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
|
|
>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
|
|
>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
|
|
# This should fail as KRLs from serial/key-id spec need the CA specified.
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
|
|
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
|
|
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
|
# These should succeed; they specify an explicit CA key.
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
|
|
$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
|
|
$OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
# These should succeed; they specify an wildcard CA key.
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
|
|
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
# Revoke the same serials with the second CA key to ensure a multi-CA
|
|
# KRL is generated.
|
|
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
|
|
$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
|
|
}
|
|
|
|
## XXX dump with trace and grep for set cert serials
|
|
## XXX test ranges near (u64)-1, etc.
|
|
|
|
verbose "$tid: generating KRLs"
|
|
genkrls
|
|
|
|
check_krl() {
|
|
KEY=$1
|
|
KRL=$2
|
|
EXPECT_REVOKED=$3
|
|
TAG=$4
|
|
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
|
|
result=$?
|
|
if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
|
|
fatal "key $KEY not revoked by KRL $KRL: $TAG"
|
|
elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
|
|
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
|
|
fi
|
|
}
|
|
test_rev() {
|
|
FILES=$1
|
|
TAG=$2
|
|
KEYS_RESULT=$3
|
|
ALL_RESULT=$4
|
|
HASH_RESULT=$5
|
|
SERIAL_RESULT=$6
|
|
KEYID_RESULT=$7
|
|
CERTS_RESULT=$8
|
|
CA_RESULT=$9
|
|
SERIAL_WRESULT=${10}
|
|
KEYID_WRESULT=${11}
|
|
verbose "$tid: checking revocations for $TAG"
|
|
for f in $FILES ; do
|
|
check_krl $f $OBJ/krl-empty no "$TAG"
|
|
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
|
|
check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
|
|
check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
|
|
done
|
|
}
|
|
|
|
test_all() {
|
|
# wildcard
|
|
# keys all hash sr# ID cert CA srl ID
|
|
test_rev "$RKEYS" "revoked keys" y y y n n n n n n
|
|
test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
|
|
test_rev "$RCERTS" "revoked certs" y y y y y y y y y
|
|
test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
|
|
}
|
|
|
|
test_all
|
|
|
|
# Check update. Results should be identical.
|
|
verbose "$tid: testing KRL update"
|
|
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
|
|
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
|
|
$OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
|
|
cp -f $OBJ/krl-empty $f
|
|
genkrls -u
|
|
done
|
|
|
|
test_all
|