1 files changed, 59 insertions, 34 deletions

diff --git a/crypto/openssh/regress/krl.sh b/crypto/openssh/regress/krl.sh
index 0924637..1077358 100755
--- a/crypto/openssh/regress/krl.sh
+++ b/crypto/openssh/regress/krl.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
+#	$OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
 #	Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -17,6 +17,8 @@ rm -f $OBJ/revoked-* $OBJ/krl-*
 # Generate a CA key
 $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca  -C "" -N "" > /dev/null ||
 	fatal "$SSHKEYGEN CA failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2  -C "" -N "" > /dev/null ||
+	fatal "$SSHKEYGEN CA2 failed"
 
 # A specification that revokes some certificates by serial numbers
 # The serial pattern is chosen to ensure the KRL includes list, range and
@@ -37,11 +39,15 @@ serial: 700-797
 serial: 798
 serial: 799
 serial: 599-701
+# Some multiple consecutive serial number ranges
+serial: 10000-20000
+serial: 30000-40000
 EOF
 
 # A specification that revokes some certificated by key ID.
 touch $OBJ/revoked-keyid
 for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+	test "x$n" = "x499" && continue
 	# Fill in by-ID revocation spec.
 	echo "id: revoked $n" >> $OBJ/revoked-keyid
 done
@@ -53,7 +59,7 @@ keygen() {
 	keytype=$ECDSA
 	case $N in
 	2 | 10 | 510 | 1001)	keytype=rsa;;
-	4 | 30 | 520 | 1002)	keytype=dsa;;
+	4 | 30 | 520 | 1002)	keytype=ed25519;;
 	esac
 	$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
 		|| fatal "$SSHKEYGEN failed"
@@ -68,37 +74,48 @@ verbose "$tid: generating test keys"
 REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
 for n in $REVOKED_SERIALS ; do
 	f=`keygen $n`
-	REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
-	REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+	RKEYS="$RKEYS ${f}.pub"
+	RCERTS="$RCERTS ${f}-cert.pub"
 done
-NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
-NOTREVOKED=""
-for n in $NOTREVOKED_SERIALS ; do
-	NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
-	NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
+UNREVOKED=""
+for n in $UNREVOKED_SERIALS ; do
+	f=`keygen $n`
+	UKEYS="$UKEYS ${f}.pub"
+	UCERTS="$UCERTS ${f}-cert.pub"
 done
 
 genkrls() {
 	OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
-# KRLs from serial/key-id spec need the CA specified.
+# This should fail as KRLs from serial/key-id spec need the CA specified.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+# These should succeed; they specify an explicit CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
+	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
+	$OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# These should succeed; they specify an wildcard CA key.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
-$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# Revoke the same serials with the second CA key to ensure a multi-CA
+# KRL is generated.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
+	$OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
 }
 
 ## XXX dump with trace and grep for set cert serials
@@ -120,7 +137,7 @@ check_krl() {
 		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
 	fi
 }
-test_all() {
+test_rev() {
 	FILES=$1
 	TAG=$2
 	KEYS_RESULT=$3
@@ -129,32 +146,40 @@ test_all() {
 	KEYID_RESULT=$6
 	CERTS_RESULT=$7
 	CA_RESULT=$8
+	SERIAL_WRESULT=$9
+	KEYID_WRESULT=$10
 	verbose "$tid: checking revocations for $TAG"
 	for f in $FILES ; do
-		check_krl $f $OBJ/krl-empty  no             "$TAG"
-		check_krl $f $OBJ/krl-keys   $KEYS_RESULT   "$TAG"
-		check_krl $f $OBJ/krl-all    $ALL_RESULT    "$TAG"
-		check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
-		check_krl $f $OBJ/krl-keyid  $KEYID_RESULT  "$TAG"
-		check_krl $f $OBJ/krl-cert  $CERTS_RESULT   "$TAG"
-		check_krl $f $OBJ/krl-ca     $CA_RESULT     "$TAG"
+		check_krl $f $OBJ/krl-empty		no		"$TAG"
+		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-ca		$CA_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-serial-wild	$SERIAL_WRESULT	"$TAG"
+		check_krl $f $OBJ/krl-keyid-wild	$KEYID_WRESULT	"$TAG"
 	done
 }
-#                                            keys  all serial  keyid  certs   CA
-test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
-test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
-test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
-test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
+
+test_all() {
+	#                                                               wildcard
+	#                                   keys all sr# k.ID cert  CA sr.# k.ID
+	test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
+	test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
+	test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
+	test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
+}
+
+test_all
 
 # Check update. Results should be identical.
 verbose "$tid: testing KRL update"
 for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
-    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+    $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
+    $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
 	cp -f $OBJ/krl-empty $f
 	genkrls -u
 done
-#                                            keys  all serial  keyid  certs   CA
-test_all    "$REVOKED_KEYS"    "revoked keys" yes  yes     no     no     no   no
-test_all  "$UNREVOKED_KEYS"  "unrevoked keys"  no   no     no     no     no   no
-test_all   "$REVOKED_CERTS"   "revoked certs" yes  yes    yes    yes    yes  yes
-test_all "$UNREVOKED_CERTS" "unrevoked certs"  no   no     no     no     no  yes
+
+test_all