From 1ea674cdd88376bed2eb1b2095c80aa716c2c7aa Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 23 Jul 2021 03:54:55 +0000 Subject: [PATCH] regression test for time-limited signature keys --- regress/usr.bin/ssh/sshsig.sh | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/regress/usr.bin/ssh/sshsig.sh b/regress/usr.bin/ssh/sshsig.sh index 8401b6c0875..296013617e3 100644 --- a/regress/usr.bin/ssh/sshsig.sh +++ b/regress/usr.bin/ssh/sshsig.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sshsig.sh,v 1.5 2021/07/12 02:12:22 djm Exp $ +# $OpenBSD: sshsig.sh,v 1.6 2021/07/23 03:54:55 djm Exp $ # Placed in the Public Domain. tid="sshsig" @@ -107,6 +107,34 @@ for t in $SIGNKEYS; do < $DATA >/dev/null 2>&1 && \ fail "accepted signature for $t key with excluded namespace" + ( printf "$sig_principal " ; + printf "valid-after=\"19800101\",valid-before=\"19900101\" " ; + cat $pubkey) > $OBJ/allowed_signers + + # key lifespan valid + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + -Overify-time=19850101 \ + < $DATA >/dev/null 2>&1 || \ + fail "failed signature for $t key with valid expiry interval" + # key not yet valid + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + -Overify-time=19790101 \ + < $DATA >/dev/null 2>&1 && \ + fail "failed signature for $t not-yet-valid key" + # key expired + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + -Overify-time=19910101 \ + < $DATA >/dev/null 2>&1 && \ + fail "failed signature for $t with expired key" + # NB. assumes we're not running this test in the 1980s + ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \ + -I $sig_principal -f $OBJ/allowed_signers \ + < $DATA >/dev/null 2>&1 && \ + fail "failed signature for $t with expired key" + # public key in revoked keys file cat $pubkey > $OBJ/revoked_keys (printf "$sig_principal namespaces=\"whatever\" " ; -- 2.20.1