-# $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
UCERTS="$UCERTS ${f}-cert.pub"
done
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+ (printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+ (printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+ (printf "hash: "; $SSHKEYGEN -lf $rkey | \
+ awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
genkrls() {
OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+ >/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
# This should fail as KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
TAG=$4
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
result=$?
- if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
fatal "key $KEY not revoked by KRL $KRL: $TAG"
- elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
fi
}
TAG=$2
KEYS_RESULT=$3
ALL_RESULT=$4
- SERIAL_RESULT=$5
- KEYID_RESULT=$6
- CERTS_RESULT=$7
- CA_RESULT=$8
- SERIAL_WRESULT=$9
- KEYID_WRESULT=$10
+ HASH_RESULT=$5
+ SERIAL_RESULT=$6
+ KEYID_RESULT=$7
+ CERTS_RESULT=$8
+ CA_RESULT=$9
+ SERIAL_WRESULT=$10
+ KEYID_WRESULT=$11
verbose "$tid: checking revocations for $TAG"
for f in $FILES ; do
check_krl $f $OBJ/krl-empty no "$TAG"
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha1 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-sha256 $HASH_RESULT "$TAG"
+ check_krl $f $OBJ/krl-hash $HASH_RESULT "$TAG"
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
}
test_all() {
- # wildcard
- # keys all sr# k.ID cert CA sr.# k.ID
- test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
- test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
- test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
- test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
+ # wildcard
+ # keys all hash sr# ID cert CA srl ID
+ test_rev "$RKEYS" "revoked keys" y y y n n n n n n
+ test_rev "$UKEYS" "unrevoked keys" n n n n n n n n n
+ test_rev "$RCERTS" "revoked certs" y y y y y y y y y
+ test_rev "$UCERTS" "unrevoked certs" n n n n n n y n n
}
test_all
projects / openbsd / commitdiff