github.com/psiphon-labs/psiphon-tunnel-core@v2.0.28+incompatible/psiphon/common/crypto/ssh/certs_test.go (about) 1 // Copyright 2013 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package ssh 6 7 import ( 8 "bytes" 9 "crypto/ecdsa" 10 "crypto/elliptic" 11 "crypto/rand" 12 "fmt" 13 "io" 14 "net" 15 "reflect" 16 "testing" 17 "time" 18 ) 19 20 // Cert generated by ssh-keygen 6.0p1 Debian-4. 21 // % ssh-keygen -s ca-key -I test user-key 22 const exampleSSHCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjYAO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdCO0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4QuYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4nZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUbBQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP4O1/9P7e6gp0gw8=` 23 24 func TestParseCert(t *testing.T) { 25 authKeyBytes := []byte(exampleSSHCert) 26 27 key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes) 28 if err != nil { 29 t.Fatalf("ParseAuthorizedKey: %v", err) 30 } 31 if len(rest) > 0 { 32 t.Errorf("rest: got %q, want empty", rest) 33 } 34 35 if _, ok := key.(*Certificate); !ok { 36 t.Fatalf("got %v (%T), want *Certificate", key, key) 37 } 38 39 marshaled := MarshalAuthorizedKey(key) 40 // Before comparison, remove the trailing newline that 41 // MarshalAuthorizedKey adds. 42 marshaled = marshaled[:len(marshaled)-1] 43 if !bytes.Equal(authKeyBytes, marshaled) { 44 t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes) 45 } 46 } 47 48 // Cert generated by ssh-keygen OpenSSH_6.8p1 OS X 10.10.3 49 // % ssh-keygen -s ca -I testcert -O source-address=192.168.1.0/24 -O force-command=/bin/sleep user.pub 50 // user.pub key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMN 51 // Critical Options: 52 // force-command /bin/sleep 53 // source-address 192.168.1.0/24 54 // Extensions: 55 // permit-X11-forwarding 56 // permit-agent-forwarding 57 // permit-port-forwarding 58 // permit-pty 59 // permit-user-rc 60 const exampleSSHCertWithOptions = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgDyysCJY0XrO1n03EeRRoITnTPdjENFmWDs9X58PP3VUAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMNAAAAAAAAAAAAAAABAAAACHRlc3RjZXJ0AAAAAAAAAAAAAAAA//////////8AAABLAAAADWZvcmNlLWNvbW1hbmQAAAAOAAAACi9iaW4vc2xlZXAAAAAOc291cmNlLWFkZHJlc3MAAAASAAAADjE5Mi4xNjguMS4wLzI0AAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAwU+c5ui5A8+J/CFpjW8wCa52bEODA808WWQDCSuTG/eMXNf59v9Y8Pk0F1E9dGCosSNyVcB/hacUrc6He+i97+HJCyKavBsE6GDxrjRyxYqAlfcOXi/IVmaUGiO8OQ39d4GHrjToInKvExSUeleQyH4Y4/e27T/pILAqPFL3fyrvMLT5qU9QyIt6zIpa7GBP5+urouNavMprV3zsfIqNBbWypinOQAw823a5wN+zwXnhZrgQiHZ/USG09Y6k98y1dTVz8YHlQVR4D3lpTAsKDKJ5hCH9WU4fdf+lU8OyNGaJ/vz0XNqxcToe1l4numLTnaoSuH89pHryjqurB7lJKwAAAQ8AAAAHc3NoLXJzYQAAAQCaHvUIoPL1zWUHIXLvu96/HU1s/i4CAW2IIEuGgxCUCiFj6vyTyYtgxQxcmbfZf6eaITlS6XJZa7Qq4iaFZh75C1DXTX8labXhRSD4E2t//AIP9MC1rtQC5xo6FmbQ+BoKcDskr+mNACcbRSxs3IL3bwCfWDnIw2WbVox9ZdcthJKk4UoCW4ix4QwdHw7zlddlz++fGEEVhmTbll1SUkycGApPFBsAYRTMupUJcYPIeReBI/m8XfkoMk99bV8ZJQTAd7OekHY2/48Ff53jLmyDjP7kNw1F8OaPtkFs6dGJXta4krmaekPy87j+35In5hFj7yoOqvSbmYUkeX70/GGQ` 61 62 func TestParseCertWithOptions(t *testing.T) { 63 opts := map[string]string{ 64 "source-address": "192.168.1.0/24", 65 "force-command": "/bin/sleep", 66 } 67 exts := map[string]string{ 68 "permit-X11-forwarding": "", 69 "permit-agent-forwarding": "", 70 "permit-port-forwarding": "", 71 "permit-pty": "", 72 "permit-user-rc": "", 73 } 74 authKeyBytes := []byte(exampleSSHCertWithOptions) 75 76 key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes) 77 if err != nil { 78 t.Fatalf("ParseAuthorizedKey: %v", err) 79 } 80 if len(rest) > 0 { 81 t.Errorf("rest: got %q, want empty", rest) 82 } 83 cert, ok := key.(*Certificate) 84 if !ok { 85 t.Fatalf("got %v (%T), want *Certificate", key, key) 86 } 87 if !reflect.DeepEqual(cert.CriticalOptions, opts) { 88 t.Errorf("unexpected critical options - got %v, want %v", cert.CriticalOptions, opts) 89 } 90 if !reflect.DeepEqual(cert.Extensions, exts) { 91 t.Errorf("unexpected Extensions - got %v, want %v", cert.Extensions, exts) 92 } 93 marshaled := MarshalAuthorizedKey(key) 94 // Before comparison, remove the trailing newline that 95 // MarshalAuthorizedKey adds. 96 marshaled = marshaled[:len(marshaled)-1] 97 if !bytes.Equal(authKeyBytes, marshaled) { 98 t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes) 99 } 100 } 101 102 func TestValidateCert(t *testing.T) { 103 key, _, _, _, err := ParseAuthorizedKey([]byte(exampleSSHCert)) 104 if err != nil { 105 t.Fatalf("ParseAuthorizedKey: %v", err) 106 } 107 validCert, ok := key.(*Certificate) 108 if !ok { 109 t.Fatalf("got %v (%T), want *Certificate", key, key) 110 } 111 checker := CertChecker{} 112 checker.IsUserAuthority = func(k PublicKey) bool { 113 return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal()) 114 } 115 116 if err := checker.CheckCert("user", validCert); err != nil { 117 t.Errorf("Unable to validate certificate: %v", err) 118 } 119 invalidCert := &Certificate{ 120 Key: testPublicKeys["rsa"], 121 SignatureKey: testPublicKeys["ecdsa"], 122 ValidBefore: CertTimeInfinity, 123 Signature: &Signature{}, 124 } 125 if err := checker.CheckCert("user", invalidCert); err == nil { 126 t.Error("Invalid cert signature passed validation") 127 } 128 } 129 130 func TestValidateCertTime(t *testing.T) { 131 cert := Certificate{ 132 ValidPrincipals: []string{"user"}, 133 Key: testPublicKeys["rsa"], 134 ValidAfter: 50, 135 ValidBefore: 100, 136 } 137 138 cert.SignCert(rand.Reader, testSigners["ecdsa"]) 139 140 for ts, ok := range map[int64]bool{ 141 25: false, 142 50: true, 143 99: true, 144 100: false, 145 125: false, 146 } { 147 checker := CertChecker{ 148 Clock: func() time.Time { return time.Unix(ts, 0) }, 149 } 150 checker.IsUserAuthority = func(k PublicKey) bool { 151 return bytes.Equal(k.Marshal(), 152 testPublicKeys["ecdsa"].Marshal()) 153 } 154 155 if v := checker.CheckCert("user", &cert); (v == nil) != ok { 156 t.Errorf("Authenticate(%d): %v", ts, v) 157 } 158 } 159 } 160 161 // TODO(hanwen): tests for 162 // 163 // host keys: 164 // * fallbacks 165 166 func TestHostKeyCert(t *testing.T) { 167 cert := &Certificate{ 168 ValidPrincipals: []string{"hostname", "hostname.domain", "otherhost"}, 169 Key: testPublicKeys["rsa"], 170 ValidBefore: CertTimeInfinity, 171 CertType: HostCert, 172 } 173 cert.SignCert(rand.Reader, testSigners["ecdsa"]) 174 175 checker := &CertChecker{ 176 IsHostAuthority: func(p PublicKey, addr string) bool { 177 return addr == "hostname:22" && bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal()) 178 }, 179 } 180 181 certSigner, err := NewCertSigner(cert, testSigners["rsa"]) 182 if err != nil { 183 t.Errorf("NewCertSigner: %v", err) 184 } 185 186 for _, test := range []struct { 187 addr string 188 succeed bool 189 }{ 190 {addr: "hostname:22", succeed: true}, 191 {addr: "otherhost:22", succeed: false}, // The certificate is valid for 'otherhost' as hostname, but we only recognize the authority of the signer for the address 'hostname:22' 192 {addr: "lasthost:22", succeed: false}, 193 } { 194 c1, c2, err := netPipe() 195 if err != nil { 196 t.Fatalf("netPipe: %v", err) 197 } 198 defer c1.Close() 199 defer c2.Close() 200 201 errc := make(chan error) 202 203 go func() { 204 conf := ServerConfig{ 205 NoClientAuth: true, 206 } 207 conf.AddHostKey(certSigner) 208 _, _, _, err := NewServerConn(c1, &conf) 209 errc <- err 210 }() 211 212 config := &ClientConfig{ 213 User: "user", 214 HostKeyCallback: checker.CheckHostKey, 215 } 216 _, _, _, err = NewClientConn(c2, test.addr, config) 217 218 if (err == nil) != test.succeed { 219 t.Fatalf("NewClientConn(%q): %v", test.addr, err) 220 } 221 222 err = <-errc 223 if (err == nil) != test.succeed { 224 t.Fatalf("NewServerConn(%q): %v", test.addr, err) 225 } 226 } 227 } 228 229 type legacyRSASigner struct { 230 Signer 231 } 232 233 func (s *legacyRSASigner) Sign(rand io.Reader, data []byte) (*Signature, error) { 234 v, ok := s.Signer.(AlgorithmSigner) 235 if !ok { 236 return nil, fmt.Errorf("invalid signer") 237 } 238 return v.SignWithAlgorithm(rand, data, SigAlgoRSA) 239 } 240 241 func TestCertTypes(t *testing.T) { 242 var testVars = []struct { 243 name string 244 signer Signer 245 algo string 246 }{ 247 {CertAlgoECDSA256v01, testSigners["ecdsap256"], ""}, 248 {CertAlgoECDSA384v01, testSigners["ecdsap384"], ""}, 249 {CertAlgoECDSA521v01, testSigners["ecdsap521"], ""}, 250 {CertAlgoED25519v01, testSigners["ed25519"], ""}, 251 {CertAlgoRSAv01, testSigners["rsa"], SigAlgoRSASHA2512}, 252 {CertAlgoRSAv01, &legacyRSASigner{testSigners["rsa"]}, SigAlgoRSA}, 253 {CertAlgoRSAv01, testSigners["rsa-sha2-256"], SigAlgoRSASHA2512}, 254 {CertAlgoRSAv01, testSigners["rsa-sha2-512"], SigAlgoRSASHA2512}, 255 {CertAlgoDSAv01, testSigners["dsa"], ""}, 256 } 257 258 k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 259 if err != nil { 260 t.Fatalf("error generating host key: %v", err) 261 } 262 263 signer, err := NewSignerFromKey(k) 264 if err != nil { 265 t.Fatalf("error generating signer for ssh listener: %v", err) 266 } 267 268 conf := &ServerConfig{ 269 PublicKeyCallback: func(c ConnMetadata, k PublicKey) (*Permissions, error) { 270 return new(Permissions), nil 271 }, 272 } 273 conf.AddHostKey(signer) 274 275 for _, m := range testVars { 276 t.Run(m.name, func(t *testing.T) { 277 278 c1, c2, err := netPipe() 279 if err != nil { 280 t.Fatalf("netPipe: %v", err) 281 } 282 defer c1.Close() 283 defer c2.Close() 284 285 go NewServerConn(c1, conf) 286 287 priv := m.signer 288 if err != nil { 289 t.Fatalf("error generating ssh pubkey: %v", err) 290 } 291 292 cert := &Certificate{ 293 CertType: UserCert, 294 Key: priv.PublicKey(), 295 } 296 cert.SignCert(rand.Reader, priv) 297 298 certSigner, err := NewCertSigner(cert, priv) 299 if err != nil { 300 t.Fatalf("error generating cert signer: %v", err) 301 } 302 303 if m.algo != "" && cert.Signature.Format != m.algo { 304 t.Errorf("expected %q signature format, got %q", m.algo, cert.Signature.Format) 305 } 306 307 config := &ClientConfig{ 308 User: "user", 309 HostKeyCallback: func(h string, r net.Addr, k PublicKey) error { return nil }, 310 Auth: []AuthMethod{PublicKeys(certSigner)}, 311 } 312 313 _, _, _, err = NewClientConn(c2, "", config) 314 if err != nil { 315 t.Fatalf("error connecting: %v", err) 316 } 317 }) 318 } 319 }