upstream: test revocation by explicit hash and by fingerprint

OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8

1 files changed, 34 insertions, 15 deletions

diff --git a/regress/krl.sh b/regress/krl.sh
index 1077358f..a70c79c6 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
+#	$OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $
 #	Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -85,6 +85,15 @@ for n in $UNREVOKED_SERIALS ; do
 	UCERTS="$UCERTS ${f}-cert.pub"
 done
 
+# Specifications that revoke keys by hash.
+touch $OBJ/revoked-sha1 $OBJ/revoked-sha256 $OBJ/revoked-hash
+for rkey in $RKEYS; do
+	(printf "sha1: "; cat $rkey) >> $OBJ/revoked-sha1
+	(printf "sha256: "; cat $rkey) >> $OBJ/revoked-sha256
+	(printf "hash: "; $SSHKEYGEN -lf $rkey | \
+		awk '{ print $2 }') >> $OBJ/revoked-hash
+done
+
 genkrls() {
 	OPTS=$1
 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
@@ -97,6 +106,12 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
 	>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha1 $OBJ/revoked-sha1 \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-sha256 $OBJ/revoked-sha256 \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-hash $OBJ/revoked-hash \
+	>/dev/null 2>&1 || fatal "$SSHKEYGEN KRL failed"
 # This should fail as KRLs from serial/key-id spec need the CA specified.
 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
 	>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
@@ -131,9 +146,9 @@ check_krl() {
 	TAG=$4
 	$SSHKEYGEN -Qf $KRL $KEY >/dev/null
 	result=$?
-	if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+	if test "x$EXPECT_REVOKED" = "xy" -a $result -eq 0 ; then
 		fatal "key $KEY not revoked by KRL $KRL: $TAG"
-	elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+	elif test "x$EXPECT_REVOKED" = "xn" -a $result -ne 0 ; then
 		fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
 	fi
 }
@@ -142,17 +157,21 @@ test_rev() {
 	TAG=$2
 	KEYS_RESULT=$3
 	ALL_RESULT=$4
-	SERIAL_RESULT=$5
-	KEYID_RESULT=$6
-	CERTS_RESULT=$7
-	CA_RESULT=$8
-	SERIAL_WRESULT=$9
-	KEYID_WRESULT=$10
+	HASH_RESULT=$5
+	SERIAL_RESULT=$6
+	KEYID_RESULT=$7
+	CERTS_RESULT=$8
+	CA_RESULT=$9
+	SERIAL_WRESULT=$10
+	KEYID_WRESULT=$11
 	verbose "$tid: checking revocations for $TAG"
 	for f in $FILES ; do
 		check_krl $f $OBJ/krl-empty		no		"$TAG"
 		check_krl $f $OBJ/krl-keys		$KEYS_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-all		$ALL_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-sha1		$HASH_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-sha256		$HASH_RESULT	"$TAG"
+		check_krl $f $OBJ/krl-hash		$HASH_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-serial		$SERIAL_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-keyid		$KEYID_RESULT	"$TAG"
 		check_krl $f $OBJ/krl-cert		$CERTS_RESULT	"$TAG"
@@ -163,12 +182,12 @@ test_rev() {
 }
 
 test_all() {
-	#                                                               wildcard
-	#                                   keys all sr# k.ID cert  CA sr.# k.ID
-	test_rev "$RKEYS"     "revoked keys" yes yes  no   no   no  no   no   no
-	test_rev "$UKEYS"   "unrevoked keys"  no  no  no   no   no  no   no   no
-	test_rev "$RCERTS"   "revoked certs" yes yes yes  yes  yes yes  yes  yes
-	test_rev "$UCERTS" "unrevoked certs"  no  no  no   no   no yes   no   no
+	#                                                           wildcard
+	#                                 keys all hash sr# ID cert  CA srl ID
+	test_rev "$RKEYS"     "revoked keys" y   y    y   n  n    n   n   n  n
+	test_rev "$UKEYS"   "unrevoked keys" n   n    n   n  n    n   n   n  n
+	test_rev "$RCERTS"   "revoked certs" y   y    y   y  y    y   y   y  y
+	test_rev "$UCERTS" "unrevoked certs" n   n    n   n  n    n   y   n  n
 }
 
 test_all