From 4416a0dae660c66feadde8ef1fee50f119dcc636 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Fri, 7 Jun 2019 11:21:34 +0200
Subject: [PATCH] tests/pkd: Add tests using certificates with SHA2 in signatures
Signed-off-by: Anderson Toshiyuki Sasaki
Reviewed-by: Andreas Schneider
---
 tests/pkd/pkd_client.h | 3 +++
 tests/pkd/pkd_hello.c | 7 ++++++-
 tests/pkd/pkd_keyutil.c | 8 ++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h
index 3c50fe2d..474ca174 100644
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -78,6 +78,9 @@
 #define OPENSSH_CERT_CMD \
 OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o CertificateFile=" CLIENT_ID_FILE "-cert.pub " OPENSSH_CMD_END
+#define OPENSSH_SHA256_CERT_CMD \
+ OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o CertificateFile=" CLIENT_ID_FILE "-sha256-cert.pub " OPENSSH_CMD_END
+
 /* Dropbear */
 #define DROPBEAR_BINARY "dbclient"
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 12f713c3..eb19e6a5 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -629,6 +629,7 @@ PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
 #define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY
 PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD)
+PKDTESTS_DEFAULT(emit_keytest, openssh_sha256_cert_rsa, OPENSSH_SHA256_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_KEX_CMD)
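Review bot: OPENSSH_SHA256_CERT_CMD in the pkd_client.h hunk carries no comment saying how it differs from OPENSSH_CERT_CMD directly above it, and the two expansions are identical except for the certificate file suffix, so a reader has to diff them by eye. A one-line comment above the new macro would do, e.g. `/* Like OPENSSH_CERT_CMD, but using the certificate signed with rsa-sha2-256 that setup_openssh_client_keys() in pkd_keyutil.c generates. */`. If more signature variants are expected, a helper macro taking the suffix as its argument would avoid repeating the OPENSSH_CMD_START/CLIENT_ID_FILE boilerplate in every definition.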
@@ -710,6 +711,7 @@ struct {
 PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD)
+ PKDTESTS_DEFAULT(emit_testmap, openssh_sha256_cert_rsa, OPENSSH_SHA256_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_KEX_CMD)
@@ -773,6 +775,8 @@ static int pkd_run_tests(void) {
 PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
+ PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_sha256_cert_rsa,
+ OPENSSH_SHA256_CERT_CMD)
 PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
 PKDTESTS_KEX(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_CIPHER(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
@@ -807,7 +811,8 @@ static int pkd_run_tests(void) {
 const struct CMUnitTest openssh_fips_tests[] = {
 PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
- PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
+ PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_sha256_cert_rsa,
+ OPENSSH_SHA256_CERT_CMD)
 PKDTESTS_KEX_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
 PKDTESTS_CIPHER_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
 PKDTESTS_CIPHER_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
diff --git a/tests/pkd/pkd_keyutil.c b/tests/pkd/pkd_keyutil.c
index d042520b..3991bcbb 100644
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
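Review bot: In the @@ -773 hunk the non-FIPS openssh_tests[] array registers the new client with PKDTESTS_DEFAULT_FIPS, whereas the emit_keytest hunk (@@ -629) and the emit_testmap hunk (@@ -710) register the same openssh_sha256_cert_rsa client with PKDTESTS_DEFAULT, and its two neighbours in this very array also use PKDTESTS_DEFAULT. If PKDTESTS_DEFAULT_FIPS expands to a subset of PKDTESTS_DEFAULT, as its name suggests, the non-FIPS run would lack unit tests for names that the test map advertises, so selecting one of them by name would find a map entry but no test. Unless the narrowing is deliberate (in which case a comment should say why), the line should read `PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_sha256_cert_rsa, OPENSSH_SHA256_CERT_CMD)`; the openssh_fips_tests[] change at @@ -807 is the one place where PKDTESTS_DEFAULT_FIPS belongs. pkd_run_tests() starts and ends outside these hunks.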
@@ -112,6 +112,13 @@ void setup_openssh_client_keys() {
 }
 assert_int_equal(rc, 0);
+ if (access(OPENSSH_RSA_TESTKEY "-sha256-cert.pub", F_OK) != 0) {
+ rc = system_checked(OPENSSH_KEYGEN " -I ident -t rsa-sha2-256 "
+ "-s " OPENSSH_CA_TESTKEY " "
+ OPENSSH_RSA_TESTKEY ".pub 2>/dev/null");
+ }
+ assert_int_equal(rc, 0);
+
 if (access(OPENSSH_ECDSA256_TESTKEY, F_OK) != 0) {
 rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 256 -q -N \"\" -f " OPENSSH_ECDSA256_TESTKEY);
@@ -180,6 +187,7 @@ void setup_openssh_client_keys() {
 void cleanup_openssh_client_keys() {
 cleanup_key(OPENSSH_CA_TESTKEY);
 cleanup_key(OPENSSH_RSA_TESTKEY);
+ cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
 cleanup_key(OPENSSH_ECDSA256_TESTKEY);
 cleanup_key(OPENSSH_ECDSA384_TESTKEY);
 cleanup_key(OPENSSH_ECDSA521_TESTKEY);
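Review bot: The guard in the new block tests for `OPENSSH_RSA_TESTKEY "-sha256-cert.pub"`, but the ssh-keygen invocation it wraps does not produce that name: `ssh-keygen -s` writes the certificate next to the input key as `<key>-cert.pub`, i.e. `OPENSSH_RSA_TESTKEY "-cert.pub"` here, which is presumably the file the signing step that closes just above this hunk (`}` / `assert_int_equal(rc, 0)`) has just written. Unless a rename happens outside the hunk, the earlier certificate is silently replaced by the rsa-sha2-256 one, the `-sha256-cert.pub` file that OPENSSH_SHA256_CERT_CMD and the new cleanup_file() call in the second hunk refer to is never created, and the access() guard re-runs ssh-keygen on every setup. Either `rename()` the output to the `-sha256-cert.pub` name right after the signing call, checking its result with the same `assert_int_equal(rc, 0)` pattern, and move the existing `-cert.pub` signing step after this block, or sign a copy of the public key named `OPENSSH_RSA_TESTKEY "-sha256.pub"` so ssh-keygen's own naming yields the expected file. Note also that ssh-keygen releases which predate the `-t` signature-algorithm option for `-s` reject this command and system_checked() then fails the whole setup rather than skipping the test; setup_openssh_client_keys() begins before the hunk.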