studio/cli
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 4 Wiki Activity
Files
e568ddf82a21e9d069f067c06ff6055446042155
cli/vendor/ssh-key/tests/certificate.rs

355 lines
12 KiB
Rust
Raw Blame History

//! OpenSSH certificate tests.
#![cfg(feature = "alloc")]
use hex_literal::hex;
use ssh_key::{Algorithm, Certificate};
use std::str::FromStr;
#[cfg(feature = "ecdsa")]
use ssh_key::EcdsaCurve;
#[cfg(feature = "rsa")]
use ssh_key::HashAlg;
/// DSA OpenSSH Certificate
const DSA_CERT_EXAMPLE: &str = include_str!("examples/id_dsa_1024-cert.pub");
/// ECDSA/P-256 OpenSSH Certificate
#[cfg(feature = "ecdsa")]
const ECDSA_P256_CERT_EXAMPLE: &str = include_str!("examples/id_ecdsa_p256-cert.pub");
/// Ed25519 OpenSSH Certificate
const ED25519_CERT_EXAMPLE: &str = include_str!("examples/id_ed25519-cert.pub");
/// Ed25519 OpenSSH Certificate with deliberately invalid signature
#[cfg(feature = "ed25519")]
const ED25519_CERT_BADSIG_EXAMPLE: &str = include_str!("examples/id_ed25519-cert-badsig.pub");
/// Ed25519 OpenSSH Certificate with P-256 certificate authority
#[cfg(feature = "p256")]
const ED25519_CERT_WITH_P256_CA_EXAMPLE: &str =
include_str!("examples/id_ed25519-cert-with-p256-ca.pub");
/// Ed25519 OpenSSH Certificate with RSA certificate authority
#[cfg(feature = "rsa")]
const ED25519_CERT_WITH_RSA_CA_EXAMPLE: &str =
include_str!("examples/id_ed25519-cert-with-rsa-ca.pub");
/// RSA (4096-bit) OpenSSH Certificate
const RSA_4096_CERT_EXAMPLE: &str = include_str!("examples/id_rsa_4096-cert.pub");
/// Security Key (FIDO/U2F) ECDSA/NIST P-256 OpenSSH Certificate
#[cfg(feature = "ecdsa")]
const SK_ECDSA_P256_CERT_EXAMPLE: &str = include_str!("examples/id_sk_ecdsa_p256-cert.pub");
/// Security Key (FIDO/U2F) Ed25519 OpenSSH Certificate
const SK_ED25519_CERT_EXAMPLE: &str = include_str!("examples/id_sk_ed25519-cert.pub");
/// Example certificate authority fingerprint (matches `id_ed25519.pub` example)
#[cfg(feature = "ed25519")]
const CA_FINGERPRINT: &str = "SHA256:UCUiLr7Pjs9wFFJMDByLgc3NrtdU344OgUM45wZPcIQ";
/// Valid certificate timestamp.
#[cfg(feature = "ed25519")]
const VALID_TIMESTAMP: u64 = 1750000000;
/// Timestamp which is before the validity window.
#[cfg(feature = "ed25519")]
const PAST_TIMESTAMP: u64 = 1500000000;
/// Expired certificate timestamp.
#[cfg(feature = "ed25519")]
const EXPIRED_TIMESTAMP: u64 = 2500000000;
#[test]
fn decode_dsa_openssh() {
let cert = Certificate::from_str(DSA_CERT_EXAMPLE).unwrap();
assert_eq!(Algorithm::Dsa, cert.public_key().algorithm());
let dsa_key = cert.public_key().dsa().unwrap();
assert_eq!(
&hex!(
"00dc3d89250ed9462114cb2c8d4816e3a511aaff1b06b0e01de17c1cb04e581bcab97176471d89fd7ca1817
e3c48e2ccbafd2170f69e8e5c8b6ab69b9c5f45d95e1d9293e965227eee5b879b1123371c21b1db60f14b5e
5c05a4782ceb43a32f449647703063621e7a286bec95b16726c18b5e52383d00b297a6b03489b06068a5"
),
dsa_key.p.as_bytes(),
);
assert_eq!(
&hex!("00891815378597fe42d3fd261fe76df365845bbb87"),
dsa_key.q.as_bytes(),
);
assert_eq!(
&hex!(
"4739b3908a8415466dc7b156fb98ecb71552a170ba0b3b7aa81bd81391de0a7ae7a1b45002dfeadc9225fbc
520a713fe4104a74bed53fd5915da736365afd3f09777bbccfbadf7ac2b087b7f4d95fabe47d72a46e95088
f9cd2a9fbf236b58a6982647f3c00430ad7352d47a25ebbe9477f0c3127da86ad7448644b76de5875c"
),
dsa_key.g.as_bytes(),
);
assert_eq!(
&hex!(
"6042a6b3fd861344cb21ccccd8719e25aa0be0980e79cbabf4877f5ef071f6039770352eac3d4c368f29daf
a57b475c78d44989f16577527e598334be6aae4abd750c36af80489d392697c1f32f3cf3c9a8b99bcddb53d
7a37e1a28fd53d4934131cf41c437c6734d1e04004adcd925b84b3956c30c3a3904eecb31400b0df48"
),
dsa_key.y.as_bytes(),
);
assert_eq!("user@example.com", cert.comment());
}
#[cfg(feature = "ecdsa")]
#[test]
fn decode_ecdsa_p256_openssh() {
let cert = Certificate::from_str(ECDSA_P256_CERT_EXAMPLE).unwrap();
assert_eq!(
Algorithm::Ecdsa {
curve: EcdsaCurve::NistP256
},
cert.public_key().algorithm(),
);
let ecdsa_key = cert.public_key().ecdsa().unwrap();
assert_eq!(EcdsaCurve::NistP256, ecdsa_key.curve());
assert_eq!(
&hex!(
"047c1fd8730ce53457be8d924098ec3648830f92aa8a2363ac656fdd4521fa6313e511f1891b4e9e5aaf8e1
42d06ad15a66a4257f3f051d84e8a0e2f91ba807047"
),
ecdsa_key.as_ref(),
);
assert_eq!("user@example.com", cert.comment());
}
#[test]
fn decode_ed25519_openssh() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
assert_eq!(Algorithm::Ed25519, cert.public_key().algorithm());
assert_eq!(
&hex!("b33eaef37ea2df7caa010defdea34e241f65f1b529a4f43ed14327f5c54aab62"),
cert.public_key().ed25519().unwrap().as_ref(),
);
assert_eq!("user@example.com", cert.comment());
assert_eq!(cert.valid_principals().len(), 1);
assert_eq!(cert.valid_principals()[0], "host.example.com");
}
#[test]
fn decode_ed25519_openssh_with_crit_options() {
let src = "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBW/4zLqXWROWmN1sPgdySnH1GUsEFBjFrRwKKw71BoBAAAAIH1MFwI1oRdEifXgBQvWQfCBBtA/Pi8YCUE/I3wXFJo2AAAAAAAAAAAAAAABAAAAA2ZvbwAAAAAAAAAAAAAAAH//////////AAAAIwAAABFoZWxsb0BleGFtcGxlLmNvbQAAAAoAAAAGZm9vYmFyAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIH1MFwI1oRdEifXgBQvWQfCBBtA/Pi8YCUE/I3wXFJo2AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDRoPdI48KyoaLgaDZsSGs80qBeYQOXBd84CX8GYzFt/L21rxF1EeuPOkgsx7Q39WllXp+FgMMojsHftK/DJHEN";
let cert = Certificate::from_str(src).unwrap();
assert_eq!(Algorithm::Ed25519, cert.public_key().algorithm());
assert_eq!(cert.critical_options().len(), 1);
assert_eq!(
cert.critical_options().get("hello@example.com").unwrap(),
"foobar"
);
let openssh = cert.to_openssh().unwrap();
assert_eq!(openssh, src);
assert_eq!(cert, Certificate::from_str(&openssh).unwrap());
}
#[test]
fn decode_rsa_4096_openssh() {
let cert = Certificate::from_str(RSA_4096_CERT_EXAMPLE).unwrap();
assert_eq!(Algorithm::Rsa { hash: None }, cert.public_key().algorithm());
let rsa_key = cert.public_key().rsa().unwrap();
assert_eq!(&hex!("010001"), rsa_key.e.as_bytes());
assert_eq!(
&hex!(
"00b45911edc6ec5e7d2261a48c46ab889b1858306271123e6f02dc914cf3c0352492e8a6b7a7925added527
e547dcebff6d0c19c0bc9153975199f47f4964ed20f5aceed4e82556b228a0c1fbfaa85e6339ba2ff4094d9
4e2b09d43a3dd68225d0bbc858293cbf167b18d6374ebe79220a633d400176f1f6b46fd626acb252bf294aa
db2acd59626a023a8e5ec53ced8685164c72ca3a2ec646812c6e61ffcba740ff15c054f0691e3a8d52c79c4
4b7c1fc6c9704aed09ee0195bf09c5c5ba1173b7b1179be33fb3711d3b82e98f80521367a84303cb1236ebe
8fc095683420a4de652c071d592759d42a0c9d2e73313cdfb71a071c936659433481a406308820e173b934f
be877d873fec24d31a4d3bb9a3645055ca37bf710e214e5fc250d5964c66f18e4f05a3b93f42aa0753bd044
e45b456c0e62fdcc1fcadef72930dc8a7a96b3e27d8eecea139a00aaf2fe79063ccb78d26d537625bdf0c4c
8a68a04ed6f965eef7a6b1da5d8e26fc57f1047b97e2c594a9e420410977f22d1751b6d9498e8e457034049
3c336bf86563ef03a15bc49b0ba6fe73201f64f0413ddb4d0cc5f6cf43389907e1df29e0cc388040e3371d0
4814140f75cac08079431043222fb91f075d76be55cbe138e3b99a605c561c49dea50e253c8306c4f4f77d9
96f898db64c5d8a0a15c6efa28b0934bf0b6f2b01950d877230fe4401078420fd6dd3"
),
rsa_key.n.as_bytes(),
);
assert_eq!("user@example.com", cert.comment());
}
#[cfg(feature = "ecdsa")]
#[test]
fn decode_sk_ecdsa_p256_openssh() {
let cert = Certificate::from_str(SK_ECDSA_P256_CERT_EXAMPLE).unwrap();
assert_eq!(
Algorithm::SkEcdsaSha2NistP256,
cert.public_key().algorithm()
);
let ecdsa_key = cert.public_key().sk_ecdsa_p256().unwrap();
assert_eq!(
&hex!(
"04810b409d8382f697d72425285a247d6336b2eb9a085236aa9d1e268747ca0e8ee227f17375e944a775392
f1d35842d13f6237574ab03e00e9cc1799ecd8d931e"
),
ecdsa_key.ec_point().as_ref(),
);
assert_eq!("ssh:", ecdsa_key.application());
assert_eq!("user@example.com", cert.comment());
}
#[test]
fn decode_sk_ed25519_openssh() {
let cert = Certificate::from_str(SK_ED25519_CERT_EXAMPLE).unwrap();
assert_eq!(Algorithm::SkEd25519, cert.public_key().algorithm());
let ed25519_key = cert.public_key().sk_ed25519().unwrap();
assert_eq!(
&hex!("2168fe4e4b53cf3adeeeba602f5e50edb5ef441dba884f5119109db2dafdd733"),
ed25519_key.public_key().as_ref(),
);
assert_eq!("ssh:", ed25519_key.application());
assert_eq!("user@example.com", cert.comment());
}
#[test]
fn encode_dsa_openssh() {
let cert = Certificate::from_str(DSA_CERT_EXAMPLE).unwrap();
assert_eq!(DSA_CERT_EXAMPLE.trim_end(), &cert.to_openssh().unwrap());
}
#[cfg(feature = "ecdsa")]
#[test]
fn encode_ecdsa_p256_openssh() {
let cert = Certificate::from_str(ECDSA_P256_CERT_EXAMPLE).unwrap();
assert_eq!(
ECDSA_P256_CERT_EXAMPLE.trim_end(),
&cert.to_openssh().unwrap()
);
}
#[test]
fn encode_ed25519_openssh() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
assert_eq!(ED25519_CERT_EXAMPLE.trim_end(), &cert.to_openssh().unwrap());
}
#[test]
fn encode_rsa_4096_openssh() {
let cert = Certificate::from_str(RSA_4096_CERT_EXAMPLE).unwrap();
assert_eq!(
RSA_4096_CERT_EXAMPLE.trim_end(),
&cert.to_openssh().unwrap()
);
}
#[cfg(feature = "ed25519")]
#[test]
fn verify_ed25519_certificate_signature() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
assert_eq!(Algorithm::Ed25519, cert.signature_key().algorithm());
assert!(cert.verify_signature().is_ok());
}
#[cfg(feature = "ed25519")]
#[test]
fn reject_ed25519_certificate_with_invalid_signature() {
let cert = Certificate::from_str(ED25519_CERT_BADSIG_EXAMPLE).unwrap();
assert!(cert.verify_signature().is_err());
}
#[cfg(feature = "ed25519")]
#[test]
fn validate_certificate() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
let ca = CA_FINGERPRINT.parse().unwrap();
assert!(cert.validate_at(VALID_TIMESTAMP, &[ca]).is_ok());
}
#[cfg(all(feature = "ed25519", feature = "std"))]
#[test]
fn validate_certificate_against_system_clock() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
let ca = CA_FINGERPRINT.parse().unwrap();
assert!(cert.validate(&[ca]).is_ok());
}
#[cfg(feature = "ed25519")]
#[test]
fn reject_certificate_with_invalid_signature() {
let cert = Certificate::from_str(ED25519_CERT_BADSIG_EXAMPLE).unwrap();
let ca = CA_FINGERPRINT.parse().unwrap();
assert!(cert.validate_at(VALID_TIMESTAMP, &[ca]).is_err());
}
#[cfg(feature = "ed25519")]
#[test]
fn reject_certificate_with_untrusted_ca() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
let ca = Certificate::from_str(DSA_CERT_EXAMPLE)
.unwrap()
.public_key()
.fingerprint(Default::default());
assert!(cert.validate_at(VALID_TIMESTAMP, &[ca]).is_err());
}
#[cfg(feature = "ed25519")]
#[test]
fn reject_expired_certificate() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
let ca = CA_FINGERPRINT.parse().unwrap();
assert!(cert.validate_at(EXPIRED_TIMESTAMP, &[ca]).is_err());
}
#[cfg(feature = "ed25519")]
#[test]
fn reject_certificate_with_future_valid_after() {
let cert = Certificate::from_str(ED25519_CERT_EXAMPLE).unwrap();
let ca = CA_FINGERPRINT.parse().unwrap();
assert!(cert.validate_at(PAST_TIMESTAMP, &[ca]).is_err())
}
#[cfg(feature = "p256")]
#[test]
fn verify_p256_certificate_signature() {
let cert = Certificate::from_str(ED25519_CERT_WITH_P256_CA_EXAMPLE).unwrap();
assert_eq!(
Algorithm::Ecdsa {
curve: EcdsaCurve::NistP256
},
cert.signature_key().algorithm()
);
assert!(cert.verify_signature().is_ok());
}
#[cfg(feature = "rsa")]
#[test]
fn verify_rsa_certificate_signature() {
let cert = Certificate::from_str(ED25519_CERT_WITH_RSA_CA_EXAMPLE).unwrap();
assert_eq!(
Algorithm::Rsa { hash: None },
cert.signature_key().algorithm()
);
assert!(cert.verify_signature().is_ok());
assert_eq!(
Algorithm::Rsa {
hash: Some(HashAlg::Sha512)
},
cert.signature().algorithm()
);
}
Reference in New Issue View Git Blame Copy Permalink