
Side by Side Diff: ssh/keys_test.go

Issue 14540051: code review 14540051: go.crypto/ssh: Add certificate verification, step up su... (Closed)
Patch Set: diff -r 04f39b6a609b https://code.google.com/p/go.crypto Created 10 years, 5 months ago
1 package ssh 1 package ssh
2 2
3 import ( 3 import (
4 "bytes"
5 "crypto/dsa" 4 "crypto/dsa"
6 "crypto/ecdsa" 5 "crypto/ecdsa"
7 "crypto/elliptic" 6 "crypto/elliptic"
8 "crypto/rand" 7 "crypto/rand"
9 "crypto/rsa" 8 "crypto/rsa"
10 » "encoding/base64" 9 » "io"
11 "reflect" 10 "reflect"
12 "strings" 11 "strings"
13 "testing" 12 "testing"
13 "time"
14 ) 14 )
15 15
16 var ecdsaKey Signer 16 var (
17 » ecdsaKey Signer
18 » ecdsa384Key Signer
19 » ecdsa521Key Signer
20 » testCertKey Signer
21 )
22
23 type testSigner struct {
24 » priv Signer
dfc 2013/10/19 11:24:24 Signer
jmpittman 2013/10/20 05:17:21 Done.
25 » pub PublicKey
26 }
27
28 func (ts *testSigner) PublicKey() PublicKey {
29 » if ts.pub != nil {
30 » » return ts.pub
31 » }
32 » return ts.priv.PublicKey()
dfc 2013/10/19 11:24:24 return ts.Signer.PublicKey()
jmpittman 2013/10/20 05:17:21 Done.
33 }
34
35 func (ts *testSigner) Sign(rand io.Reader, data []byte) ([]byte, error) {
36 » return ts.priv.Sign(rand, data)
dfc 2013/10/19 11:24:24 then you can delete this forwarding method
jmpittman 2013/10/20 05:17:21 Done.
37 }
17 38
18 func rawKey(pub PublicKey) interface{} { 39 func rawKey(pub PublicKey) interface{} {
19 switch k := pub.(type) { 40 switch k := pub.(type) {
20 case *rsaPublicKey: 41 case *rsaPublicKey:
21 return (*rsa.PublicKey)(k) 42 return (*rsa.PublicKey)(k)
22 case *dsaPublicKey: 43 case *dsaPublicKey:
23 return (*dsa.PublicKey)(k) 44 return (*dsa.PublicKey)(k)
24 case *ecdsaPublicKey: 45 case *ecdsaPublicKey:
25 return (*ecdsa.PublicKey)(k) 46 return (*ecdsa.PublicKey)(k)
47 case *OpenSSHCertV01:
48 return k
26 } 49 }
27 panic("unknown key type") 50 panic("unknown key type")
28 } 51 }
29 52
30 func TestKeyMarshalParse(t *testing.T) { 53 func TestKeyMarshalParse(t *testing.T) {
31 » keys := []Signer{rsaKey, dsaKey, ecdsaKey} 54 » keys := []Signer{rsaKey, dsaKey, ecdsaKey, ecdsa384Key, ecdsa521Key, tes tCertKey}
32 for _, priv := range keys { 55 for _, priv := range keys {
33 pub := priv.PublicKey() 56 pub := priv.PublicKey()
34 roundtrip, rest, ok := ParsePublicKey(MarshalPublicKey(pub)) 57 roundtrip, rest, ok := ParsePublicKey(MarshalPublicKey(pub))
35 if !ok { 58 if !ok {
36 t.Errorf("ParsePublicKey(%T) failed", pub) 59 t.Errorf("ParsePublicKey(%T) failed", pub)
37 } 60 }
38 61
39 if len(rest) > 0 { 62 if len(rest) > 0 {
40 t.Errorf("ParsePublicKey(%T): trailing junk", pub) 63 t.Errorf("ParsePublicKey(%T): trailing junk", pub)
41 } 64 }
(...skipping 30 matching lines...) Expand all
72 if err != nil { 95 if err != nil {
73 t.Errorf("NewPublicKey(%#v): %v", raw, err) 96 t.Errorf("NewPublicKey(%#v): %v", raw, err)
74 } 97 }
75 if !reflect.DeepEqual(k.PublicKey(), pub) { 98 if !reflect.DeepEqual(k.PublicKey(), pub) {
76 t.Errorf("NewPublicKey(%#v) = %#v, want %#v", raw, pub, k.PublicKey()) 99 t.Errorf("NewPublicKey(%#v) = %#v, want %#v", raw, pub, k.PublicKey())
77 } 100 }
78 } 101 }
79 } 102 }
80 103
81 func TestKeySignVerify(t *testing.T) { 104 func TestKeySignVerify(t *testing.T) {
82 » keys := []Signer{rsaKey, dsaKey, ecdsaKey} 105 » keys := []Signer{rsaKey, dsaKey, ecdsaKey, testCertKey}
83 for _, priv := range keys { 106 for _, priv := range keys {
84 pub := priv.PublicKey() 107 pub := priv.PublicKey()
85 108
86 data := []byte("sign me") 109 data := []byte("sign me")
87 sig, err := priv.Sign(rand.Reader, data) 110 sig, err := priv.Sign(rand.Reader, data)
88 if err != nil { 111 if err != nil {
89 t.Fatalf("Sign(%T): %v", priv, err) 112 t.Fatalf("Sign(%T): %v", priv, err)
90 } 113 }
91 114
92 if !pub.Verify(data, sig) { 115 if !pub.Verify(data, sig) {
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after
158 sig, err := s.Sign(rand.Reader, data) 181 sig, err := s.Sign(rand.Reader, data)
159 if err != nil { 182 if err != nil {
160 t.Fatalf("dsa.Sign: %v", err) 183 t.Fatalf("dsa.Sign: %v", err)
161 } 184 }
162 185
163 if !s.PublicKey().Verify(data, sig) { 186 if !s.PublicKey().Verify(data, sig) {
164 t.Error("Verify failed.") 187 t.Error("Verify failed.")
165 } 188 }
166 } 189 }
167 190
168 func TestParseCert(t *testing.T) {
169 // Cert generated by ssh-keygen 6.0p1 Debian-4.
170 // % ssh-keygen -s ca-key -I test user-key
171 b64data := "AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjY AO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdC O0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4Q uYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIA AAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAA AAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVz ZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4n ZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUb BQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo 4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP 4O1/9P7e6gp0gw8="
172
173 data, err := base64.StdEncoding.DecodeString(b64data)
174 if err != nil {
175 t.Fatal("base64.StdEncoding.DecodeString: ", err)
176 }
177 key, rest, ok := ParsePublicKey(data)
178 if !ok {
179 t.Fatalf("could not parse certificate")
180 }
181 if len(rest) > 0 {
182 t.Errorf("rest: got %q, want empty", rest)
183 }
184 _, ok = key.(*OpenSSHCertV01)
185 if !ok {
186 t.Fatalf("got %#v, want *OpenSSHCertV01", key)
187 }
188
189 marshaled := MarshalPublicKey(key)
190 if !bytes.Equal(data, marshaled) {
191 t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, data)
192 }
193 }
194
195 func init() { 191 func init() {
dfc 2013/10/19 11:24:24 please move the init to the top of the file
jmpittman 2013/10/20 05:17:21 Done.
196 » raw, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 192 » raw256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
197 » ecdsaKey, _ = NewSignerFromKey(raw) 193 » ecdsaKey, _ = NewSignerFromKey(raw256)
194
195 » raw384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
196 » ecdsa384Key, _ = NewSignerFromKey(raw384)
197
198 » raw521, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
199 » ecdsa521Key, _ = NewSignerFromKey(raw521)
200
201 » // Create a cert and sign it for use in tests.
202 » testCert := &OpenSSHCertV01{
203 » » Nonce: []byte{}, // To pass reflect.DeepEqual after ma rshal & parse, this must be non-nil
204 » » Key: ecdsaKey.PublicKey(),
205 » » ValidPrincipals: []string{"gopher1", "gopher2"}, // increases te st coverage
206 » » ValidAfter: time.Now().Truncate(time.Second),
207 » » ValidBefore: time.Now().Truncate(time.Second).Add(time.Hour) ,
208 » » Reserved: []byte{}, // To pass reflect.DeepEqual after ma rshal & parse, this must be non-nil
209 » » SignatureKey: rsaKey.PublicKey(),
210 » }
211 » sigBytes, _ := rsaKey.Sign(rand.Reader, testCert.BytesForSigning())
212 » testCert.Signature = &signature{
213 » » Format: testCert.SignatureKey.PublicKeyAlgo(),
214 » » Blob: sigBytes,
215 » }
216 » testCertKey = &testSigner{
217 » » priv: ecdsaKey,
218 » » pub: testCert,
219 » }
198 } 220 }
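Review bot: The errors returned by `NewSignerFromKey` (new lines 193, 196, 199) and by `rsaKey.Sign` (new line 211) are discarded in `init()`, so a failure there leaves a nil Signer or an empty certificate `Signature.Blob`, and every test that uses `testCertKey` then fails or panics far from the actual cause; fixture setup in `init` should fail loudly with `if err != nil { panic(err) }` after each of those calls. Separately, the generated `testCert` uses `Nonce: []byte{}` and sets no `CriticalOptions` or `Extensions`, while the deleted `TestParseCert` was the only test in this file that parsed an ssh-keygen-produced certificate carrying permit-* extensions, so after this patch neither the option/extension encoding nor interoperability with OpenSSH's certificate wire format appears to be exercised here; keeping a fixed ssh-keygen fixture alongside the generated certificate would restore that coverage. Whether the certificate's own CA signature is ever checked is not visible in this file and is presumably covered by the tests for ssh/certs.go.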