1 files changed, 58 insertions, 90 deletions

diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc2..c99c2b1c 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 
-type_has_legacy() {
-	case $1 in
-		ed25519*|ecdsa*) return 1 ;;
-	esac
-	return 0
-}
-
 # Prepare certificate, plain key and CA KRLs
 ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
 ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
 		fatal "KRL update failed"
 	cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
 	serial=`expr $serial + 1`
-	type_has_legacy $ktype || continue
-	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-	verbose "$tid: sign host ${ktype}_v00 cert"
-	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-	    -I "regress host key for $USER" \
-	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-		fatal "couldn't sign cert_host_key_${ktype}_v00"
-	${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-	    $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-		fatal "KRL update failed"
-	cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
 done
 
 attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
 
 # Basic connect and revocation tests.
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+	for ktype in $PLAIN_TYPES ; do 
 		verbose "$tid: host ${ktype} cert connect privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
 	printf '@cert-authority '
 	printf "$HOSTS "
 	cat $OBJ/host_ca_key.pub
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+	for ktype in $PLAIN_TYPES ; do
 		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
 		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
 	done
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
 for privsep in yes no ; do
-	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+	for ktype in $PLAIN_TYPES ; do 
 		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
 	verbose "$tid: host ${ktype} revoked cert"
 	(
 		cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
 	result=$2
 	sign_opts=$3
 
-	for kt in rsa rsa_v00 ; do
-		case $kt in
-		*_v00) args="-t v00" ;;
-		*) args="" ;;
-		esac
-
-		verbose "$tid: host cert connect $ident $kt expect $result"
+	for kt in rsa ed25519 ; do
 		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
 		    -I "regress host key for $USER" \
-		    $sign_opts $args \
-		    $OBJ/cert_host_key_${kt} ||
+		    $sign_opts $OBJ/cert_host_key_${kt} ||
 			fail "couldn't sign cert_host_key_${kt}"
 		(
 			cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval"	success "-h -V-1w:+2w"
 test_one "cert has constraints"	failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
-	for ktype in $PLAIN_TYPES ; do 
-		type_has_legacy $ktype || continue
-		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-		# Generate and sign a host key
-		${SSHKEYGEN} -q -N '' -t ${ktype} \
-		    -f $OBJ/cert_host_key_${ktype} || \
-			fail "ssh-keygen of cert_host_key_${ktype} failed"
-		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-		    -I "regress host key for $USER" \
-		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-			fail "couldn't sign cert_host_key_${ktype}"
-		(
-			printf "$HOSTS "
-			cat $OBJ/cert_host_key_${ktype}.pub
-		) > $OBJ/known_hosts-cert
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${ktype}
-			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-		) > $OBJ/sshd_proxy
-		
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
-	done
+for ktype in $PLAIN_TYPES ; do 
+	rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+	verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+	# Generate and sign a host key
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_host_key_${ktype} || \
+		fail "ssh-keygen of cert_host_key_${ktype} failed"
+	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	(
+		printf "$HOSTS "
+		cat $OBJ/cert_host_key_${ktype}.pub
+	) > $OBJ/known_hosts-cert
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
 done
 
 # Wrong certificate
@@ -281,33 +252,30 @@ done
 	cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert.orig
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
-	for kt in $PLAIN_TYPES ; do 
-		type_has_legacy $kt || continue
-		rm -f $OBJ/cert_host_key*
-		# Self-sign key
-		${SSHKEYGEN} -q -N '' -t ${kt} \
-		    -f $OBJ/cert_host_key_${kt} || \
-			fail "ssh-keygen of cert_host_key_${kt} failed"
-		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-		    -I "regress host key for $USER" \
-		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
-			fail "couldn't sign cert_host_key_${kt}"
-		verbose "$tid: host ${kt} connect wrong cert"
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo HostKey $OBJ/cert_host_key_${kt}
-			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-		) > $OBJ/sshd_proxy
-	
-		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect $ident succeeded unexpectedly"
-		fi
-	done
+for kt in $PLAIN_TYPES ; do 
+	rm -f $OBJ/cert_host_key*
+	# Self-sign key
+	${SSHKEYGEN} -q -N '' -t ${kt} \
+	    -f $OBJ/cert_host_key_${kt} || \
+		fail "ssh-keygen of cert_host_key_${kt} failed"
+	${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+		fail "couldn't sign cert_host_key_${kt}"
+	verbose "$tid: host ${kt} connect wrong cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${kt}
+		echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+	) > $OBJ/sshd_proxy
+
+	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
 done
 
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*