From d0c6c05fa3c4966b4e532f494c06ac2e64fb45bc Mon Sep 17 00:00:00 2001
From: dtucker <dtucker@openbsd.org>
Date: Fri, 23 Jul 2021 04:56:21 +0000
Subject: [PATCH] Add test for exporting pubkey from a passphrase-protected
 private key.

---
 regress/usr.bin/ssh/Makefile          |  4 ++--
 regress/usr.bin/ssh/keygen-convert.sh | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index aad6a9a2252..a896e097510 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.113 2021/07/19 02:46:34 dtucker Exp $
+#	$OpenBSD: Makefile,v 1.114 2021/07/23 04:56:21 dtucker Exp $
 
 .ifndef SKIP_UNIT
 SUBDIR=		unittests
@@ -106,7 +106,7 @@ CLEANFILES+=	*.core actual agent-key.* authorized_keys_${USERNAME} \
 		host.ssh-dss host.ssh-ed25519 host.ssh-rsa \
 		host_* host_ca_key* host_krl_* host_revoked_* key.* \
 		key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \
-		key.rsa-* keys-command-args kh.* known_hosts \
+		key.rsa-* keys-command-args kh.* known_hosts askpass \
 		known_hosts-cert known_hosts.* krl-* ls.copy modpipe \
 		netcat pidfile putty.rsa2 ready regress.log remote_pid \
 		revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa_ssh2_cr.prv \
diff --git a/regress/usr.bin/ssh/keygen-convert.sh b/regress/usr.bin/ssh/keygen-convert.sh
index fce110ea153..7764955800c 100644
--- a/regress/usr.bin/ssh/keygen-convert.sh
+++ b/regress/usr.bin/ssh/keygen-convert.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keygen-convert.sh,v 1.2 2019/07/23 07:55:29 dtucker Exp $
+#	$OpenBSD: keygen-convert.sh,v 1.3 2021/07/23 04:56:21 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="convert keys"
@@ -11,6 +11,12 @@ for i in ${SSH_KEYTYPES}; do
 	esac
 done
 
+cat > $OBJ/askpass <<EOD
+#!/bin/sh
+echo hunter2
+EOD
+chmod u+x $OBJ/askpass
+
 for t in $types; do
 	# generate user key for agent
 	trace "generating $t key"
@@ -36,6 +42,16 @@ for t in $types; do
 	cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \
 	    fail "$t imported differs from original"
 
+	trace "set passphrase $t"
+	${SSHKEYGEN} -q -p -P '' -N 'hunter2' -f $OBJ/$t-key >/dev/null || \
+	    fail "$t set passphrase failed"
+
+	trace "export $t to public with passphrase"
+	SSH_ASKPASS=$OBJ/askpass SSH_ASKPASS_REQUIRE=force \
+	    ${SSHKEYGEN} -y -f $OBJ/$t-key >$OBJ/$t-key-nocomment.pub
+	cmp $OBJ/$t-key.pub $OBJ/$t-key-nocomment.pub || \
+	    fail "$t exported pubkey differs from generated"
+
 	rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \
 	    $OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub
 done
-- 
2.20.1