github.com/deis/deis@v1.13.5-0.20170519182049-1d9e59fbdbfc/Godeps/_workspace/src/golang.org/x/crypto/ssh/certs_test.go (about) 1 // Copyright 2013 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package ssh 6 7 import ( 8 "bytes" 9 "crypto/rand" 10 "testing" 11 "time" 12 ) 13 14 // Cert generated by ssh-keygen 6.0p1 Debian-4. 15 // % ssh-keygen -s ca-key -I test user-key 16 var exampleSSHCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjYAO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdCO0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4QuYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4nZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUbBQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP4O1/9P7e6gp0gw8=` 17 18 func TestParseCert(t *testing.T) { 19 authKeyBytes := []byte(exampleSSHCert) 20 21 key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes) 22 if err != nil { 23 t.Fatalf("ParseAuthorizedKey: %v", err) 24 } 25 if len(rest) > 0 { 26 t.Errorf("rest: got %q, want empty", rest) 27 } 28 29 if _, ok := key.(*Certificate); !ok { 30 t.Fatalf("got %#v, want *Certificate", key) 31 } 32 33 marshaled := MarshalAuthorizedKey(key) 34 // Before comparison, remove the trailing newline that 35 // MarshalAuthorizedKey adds. 36 marshaled = marshaled[:len(marshaled)-1] 37 if !bytes.Equal(authKeyBytes, marshaled) { 38 t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes) 39 } 40 } 41 42 func TestValidateCert(t *testing.T) { 43 key, _, _, _, err := ParseAuthorizedKey([]byte(exampleSSHCert)) 44 if err != nil { 45 t.Fatalf("ParseAuthorizedKey: %v", err) 46 } 47 validCert, ok := key.(*Certificate) 48 if !ok { 49 t.Fatalf("got %v (%T), want *Certificate", key, key) 50 } 51 checker := CertChecker{} 52 checker.IsAuthority = func(k PublicKey) bool { 53 return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal()) 54 } 55 56 if err := checker.CheckCert("user", validCert); err != nil { 57 t.Errorf("Unable to validate certificate: %v", err) 58 } 59 invalidCert := &Certificate{ 60 Key: testPublicKeys["rsa"], 61 SignatureKey: testPublicKeys["ecdsa"], 62 ValidBefore: CertTimeInfinity, 63 Signature: &Signature{}, 64 } 65 if err := checker.CheckCert("user", invalidCert); err == nil { 66 t.Error("Invalid cert signature passed validation") 67 } 68 } 69 70 func TestValidateCertTime(t *testing.T) { 71 cert := Certificate{ 72 ValidPrincipals: []string{"user"}, 73 Key: testPublicKeys["rsa"], 74 ValidAfter: 50, 75 ValidBefore: 100, 76 } 77 78 cert.SignCert(rand.Reader, testSigners["ecdsa"]) 79 80 for ts, ok := range map[int64]bool{ 81 25: false, 82 50: true, 83 99: true, 84 100: false, 85 125: false, 86 } { 87 checker := CertChecker{ 88 Clock: func() time.Time { return time.Unix(ts, 0) }, 89 } 90 checker.IsAuthority = func(k PublicKey) bool { 91 return bytes.Equal(k.Marshal(), 92 testPublicKeys["ecdsa"].Marshal()) 93 } 94 95 if v := checker.CheckCert("user", &cert); (v == nil) != ok { 96 t.Errorf("Authenticate(%d): %v", ts, v) 97 } 98 } 99 } 100 101 // TODO(hanwen): tests for 102 // 103 // host keys: 104 // * fallbacks 105 106 func TestHostKeyCert(t *testing.T) { 107 cert := &Certificate{ 108 ValidPrincipals: []string{"hostname", "hostname.domain"}, 109 Key: testPublicKeys["rsa"], 110 ValidBefore: CertTimeInfinity, 111 CertType: HostCert, 112 } 113 cert.SignCert(rand.Reader, testSigners["ecdsa"]) 114 115 checker := &CertChecker{ 116 IsAuthority: func(p PublicKey) bool { 117 return bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal()) 118 }, 119 } 120 121 certSigner, err := NewCertSigner(cert, testSigners["rsa"]) 122 if err != nil { 123 t.Errorf("NewCertSigner: %v", err) 124 } 125 126 for _, name := range []string{"hostname", "otherhost"} { 127 c1, c2, err := netPipe() 128 if err != nil { 129 t.Fatalf("netPipe: %v", err) 130 } 131 defer c1.Close() 132 defer c2.Close() 133 134 go func() { 135 conf := ServerConfig{ 136 NoClientAuth: true, 137 } 138 conf.AddHostKey(certSigner) 139 _, _, _, err := NewServerConn(c1, &conf) 140 if err != nil { 141 t.Fatalf("NewServerConn: %v", err) 142 } 143 }() 144 145 config := &ClientConfig{ 146 User: "user", 147 HostKeyCallback: checker.CheckHostKey, 148 } 149 _, _, _, err = NewClientConn(c2, name, config) 150 151 succeed := name == "hostname" 152 if (err == nil) != succeed { 153 t.Fatalf("NewClientConn(%q): %v", name, err) 154 } 155 } 156 }