1 // Copyright 2013 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
17 "golang.org/x/crypto/ssh/testdata"
// exampleSSHCert is a user certificate in authorized_keys form, produced by
// ssh-keygen 6.0p1 Debian-4 with:
//
//	% ssh-keygen -s ca-key -I test user-key
//
// It carries no critical options; its extensions are the ssh-keygen defaults
// (permit-X11-forwarding, permit-agent-forwarding, permit-port-forwarding,
// permit-pty, permit-user-rc). The tests below round-trip it through
// ParseAuthorizedKey/MarshalAuthorizedKey and validate it with CertChecker.
const exampleSSHCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjYAO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdCO0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4QuYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4nZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUbBQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP4O1/9P7e6gp0gw8=`
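// TestParseCert round-trips exampleSSHCert through the authorized_keys
// parser and marshaler: it must parse as a *Certificate, consume the whole
// input, and marshal back to exactly the original text.
func TestParseCert(t *testing.T) {
	authKeyBytes := []byte(exampleSSHCert)

	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
	if err != nil {
		t.Fatalf("ParseAuthorizedKey: %v", err)
	}
	if len(rest) > 0 {
		t.Errorf("rest: got %q, want empty", rest)
	}

	if _, ok := key.(*Certificate); !ok {
		t.Fatalf("got %v (%T), want *Certificate", key, key)
	}

	marshaled := MarshalAuthorizedKey(key)
	// MarshalAuthorizedKey terminates its output with a newline. Strip
	// exactly that suffix rather than blindly dropping the last byte, so a
	// missing newline shows up as a mismatch instead of hiding a real
	// difference in the final character.
	marshaled = bytes.TrimSuffix(marshaled, []byte("\n"))
	if !bytes.Equal(authKeyBytes, marshaled) {
		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
	}
}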
// exampleSSHCertWithOptions is a user certificate (key ID "testcert")
// produced by ssh-keygen OpenSSH_6.8p1 on OS X 10.10.3 with:
//
//	% ssh-keygen -s ca -I testcert -O source-address=192.168.1.0/24 -O force-command=/bin/sleep user.pub
//
// where user.pub is:
//
//	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMN
//
// Critical options (a server must honour these or reject the cert):
//
//	force-command  /bin/sleep
//	source-address 192.168.1.0/24
//
// Extensions (ssh-keygen defaults):
//
//	permit-X11-forwarding
//	permit-agent-forwarding
//	permit-port-forwarding
//	permit-pty
//	permit-user-rc
const exampleSSHCertWithOptions = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgDyysCJY0XrO1n03EeRRoITnTPdjENFmWDs9X58PP3VUAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMNAAAAAAAAAAAAAAABAAAACHRlc3RjZXJ0AAAAAAAAAAAAAAAA//////////8AAABLAAAADWZvcmNlLWNvbW1hbmQAAAAOAAAACi9iaW4vc2xlZXAAAAAOc291cmNlLWFkZHJlc3MAAAASAAAADjE5Mi4xNjguMS4wLzI0AAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAwU+c5ui5A8+J/CFpjW8wCa52bEODA808WWQDCSuTG/eMXNf59v9Y8Pk0F1E9dGCosSNyVcB/hacUrc6He+i97+HJCyKavBsE6GDxrjRyxYqAlfcOXi/IVmaUGiO8OQ39d4GHrjToInKvExSUeleQyH4Y4/e27T/pILAqPFL3fyrvMLT5qU9QyIt6zIpa7GBP5+urouNavMprV3zsfIqNBbWypinOQAw823a5wN+zwXnhZrgQiHZ/USG09Y6k98y1dTVz8YHlQVR4D3lpTAsKDKJ5hCH9WU4fdf+lU8OyNGaJ/vz0XNqxcToe1l4numLTnaoSuH89pHryjqurB7lJKwAAAQ8AAAAHc3NoLXJzYQAAAQCaHvUIoPL1zWUHIXLvu96/HU1s/i4CAW2IIEuGgxCUCiFj6vyTyYtgxQxcmbfZf6eaITlS6XJZa7Qq4iaFZh75C1DXTX8labXhRSD4E2t//AIP9MC1rtQC5xo6FmbQ+BoKcDskr+mNACcbRSxs3IL3bwCfWDnIw2WbVox9ZdcthJKk4UoCW4ix4QwdHw7zlddlz++fGEEVhmTbll1SUkycGApPFBsAYRTMupUJcYPIeReBI/m8XfkoMk99bV8ZJQTAd7OekHY2/48Ff53jLmyDjP7kNw1F8OaPtkFs6dGJXta4krmaekPy87j+35In5hFj7yoOqvSbmYUkeX70/GGQ`
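// TestParseCertWithOptions parses exampleSSHCertWithOptions and checks that
// the critical options and extensions ssh-keygen wrote are decoded into the
// expected maps, then confirms the certificate marshals back to the original
// authorized_keys line.
func TestParseCertWithOptions(t *testing.T) {
	// Critical options: a server must either enforce these or refuse the
	// certificate, so the parser has to surface them exactly.
	opts := map[string]string{
		"source-address": "192.168.1.0/24",
		"force-command":  "/bin/sleep",
	}
	// Extensions are advisory; these are the five ssh-keygen adds by default.
	exts := map[string]string{
		"permit-X11-forwarding":   "",
		"permit-agent-forwarding": "",
		"permit-port-forwarding":  "",
		"permit-pty":              "",
		"permit-user-rc":          "",
	}

	authKeyBytes := []byte(exampleSSHCertWithOptions)

	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
	if err != nil {
		t.Fatalf("ParseAuthorizedKey: %v", err)
	}
	if len(rest) > 0 {
		t.Errorf("rest: got %q, want empty", rest)
	}
	cert, ok := key.(*Certificate)
	if !ok {
		t.Fatalf("got %v (%T), want *Certificate", key, key)
	}
	if !reflect.DeepEqual(cert.CriticalOptions, opts) {
		t.Errorf("unexpected critical options - got %v, want %v", cert.CriticalOptions, opts)
	}
	if !reflect.DeepEqual(cert.Extensions, exts) {
		t.Errorf("unexpected Extensions - got %v, want %v", cert.Extensions, exts)
	}
	marshaled := MarshalAuthorizedKey(key)
	// MarshalAuthorizedKey terminates its output with a newline. Strip
	// exactly that suffix rather than blindly dropping the last byte, so a
	// missing newline is reported as a mismatch instead of masking a real
	// difference in the final character.
	marshaled = bytes.TrimSuffix(marshaled, []byte("\n"))
	if !bytes.Equal(authKeyBytes, marshaled) {
		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
	}
}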
// TestValidateCert checks CertChecker.CheckCert in both directions: the
// ssh-keygen certificate is accepted once its signing CA is trusted, and a
// certificate signed by an untrusted key with an empty signature is rejected.
func TestValidateCert(t *testing.T) {
	key, _, _, _, err := ParseAuthorizedKey([]byte(exampleSSHCert))
	if err != nil {
		t.Fatalf("ParseAuthorizedKey: %v", err)
	}
	validCert, ok := key.(*Certificate)
	if !ok {
		t.Fatalf("got %v (%T), want *Certificate", key, key)
	}

	// Trust exactly one CA: the key that signed the example certificate,
	// compared by its wire encoding.
	checker := CertChecker{
		IsUserAuthority: func(k PublicKey) bool {
			return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal())
		},
	}
	if err := checker.CheckCert("user", validCert); err != nil {
		t.Errorf("Unable to validate certificate: %v", err)
	}

	// Never-expiring certificate whose SignatureKey is not the trusted CA and
	// whose Signature is empty; CheckCert must not accept it.
	invalidCert := &Certificate{
		Key:          testPublicKeys["rsa"],
		SignatureKey: testPublicKeys["ecdsa"],
		ValidBefore:  CertTimeInfinity,
		Signature:    &Signature{},
	}
	if err := checker.CheckCert("user", invalidCert); err == nil {
		t.Error("Invalid cert signature passed validation")
	}
}
130 func TestValidateCertTime(t *testing.T) {
// Exercises CertChecker's validity-window handling: one signed certificate is
// checked under several fixed clocks, and each result must match the expected
// bool in the timestamp table. (This listing is abridged: the certificate's
// ValidAfter/ValidBefore values and the table entries are not shown.)
132 ValidPrincipals: []string{"user"},
133 Key: testPublicKeys["rsa"],
// NOTE(review): SignCert's error is discarded; a signing failure would only
// surface later as a confusing CheckCert rejection.
138 cert.SignCert(rand.Reader, testSigners["ecdsa"])
140 for ts, ok := range map[int64]bool{
// Pin the checker's clock to ts so the verdict depends only on the
// certificate's validity window, never on wall-clock time.
147 checker := CertChecker{
148 Clock: func() time.Time { return time.Unix(ts, 0) },
// Trust the ecdsa test CA that signed cert above.
150 checker.IsUserAuthority = func(k PublicKey) bool {
151 return bytes.Equal(k.Marshal(),
152 testPublicKeys["ecdsa"].Marshal())
// ok is the expected outcome for this timestamp: nil error iff ok.
155 if v := checker.CheckCert("user", &cert); (v == nil) != ok {
156 t.Errorf("Authenticate(%d): %v", ts, v)
161 // TODO(hanwen): tests for
166 func TestHostKeyCert(t *testing.T) {
// A host certificate is accepted only when IsHostAuthority trusts the signing
// CA for the dialled address; the principals named in the certificate are not
// sufficient on their own. (This listing is abridged: several lines of the
// function body are not shown.)
167 cert := &Certificate{
168 ValidPrincipals: []string{"hostname", "hostname.domain", "otherhost"},
169 Key: testPublicKeys["rsa"],
170 ValidBefore: CertTimeInfinity,
// NOTE(review): SignCert's error is discarded here.
173 cert.SignCert(rand.Reader, testSigners["ecdsa"])
175 checker := &CertChecker{
// Trust the ecdsa test CA for exactly one address. Any other address, even
// one the certificate lists as a principal, must fail host-key verification.
176 IsHostAuthority: func(p PublicKey, addr string) bool {
177 return addr == "hostname:22" && bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal())
181 certSigner, err := NewCertSigner(cert, testSigners["rsa"])
// NOTE(review): a NewCertSigner failure is reported with Errorf and the test
// carries on using certSigner below; Fatalf would stop it here.
183 t.Errorf("NewCertSigner: %v", err)
186 for _, test := range []struct {
190 {addr: "hostname:22", succeed: true},
191 {addr: "otherhost:22", succeed: false}, // The certificate is valid for 'otherhost' as hostname, but we only recognize the authority of the signer for the address 'hostname:22'
192 {addr: "lasthost:22", succeed: false},
194 c1, c2, err := netPipe()
196 t.Fatalf("netPipe: %v", err)
// Presumably carries the server-side handshake result back to the test
// goroutine; the receiving side is not shown in this listing.
201 errc := make(chan error)
204 conf := ServerConfig{
// The server presents the certificate (not a bare host key) to the client.
207 conf.AddHostKey(certSigner)
208 _, _, _, err := NewServerConn(c1, &conf)
212 config := &ClientConfig{
// Host keys are verified by the checker rather than an accept-all callback,
// so each address produces exactly the outcome the table expects.
214 HostKeyCallback: checker.CheckHostKey,
216 _, _, _, err = NewClientConn(c2, test.addr, config)
218 if (err == nil) != test.succeed {
219 t.Fatalf("NewClientConn(%q): %v", test.addr, err)
// The server side must agree: the handshake fails for exactly the addresses
// the client rejected.
223 if (err == nil) != test.succeed {
224 t.Fatalf("NewServerConn(%q): %v", test.addr, err)
229 func TestCertTypes(t *testing.T) {
230 var testVars = []struct {
235 name: CertAlgoECDSA256v01,
236 keys: func() Signer {
237 s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap256"])
242 name: CertAlgoECDSA384v01,
243 keys: func() Signer {
244 s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap384"])
249 name: CertAlgoECDSA521v01,
250 keys: func() Signer {
251 s, _ := ParsePrivateKey(testdata.PEMBytes["ecdsap521"])
256 name: CertAlgoED25519v01,
257 keys: func() Signer {
258 s, _ := ParsePrivateKey(testdata.PEMBytes["ed25519"])
263 name: CertAlgoRSAv01,
264 keys: func() Signer {
265 s, _ := ParsePrivateKey(testdata.PEMBytes["rsa"])
270 name: CertAlgoDSAv01,
271 keys: func() Signer {
272 s, _ := ParsePrivateKey(testdata.PEMBytes["dsa"])
278 k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
280 t.Fatalf("error generating host key: %v", err)
283 signer, err := NewSignerFromKey(k)
285 t.Fatalf("error generating signer for ssh listener: %v", err)
288 conf := &ServerConfig{
289 PublicKeyCallback: func(c ConnMetadata, k PublicKey) (*Permissions, error) {
290 return new(Permissions), nil
293 conf.AddHostKey(signer)
295 for _, m := range testVars {
296 t.Run(m.name, func(t *testing.T) {
298 c1, c2, err := netPipe()
300 t.Fatalf("netPipe: %v", err)
305 go NewServerConn(c1, conf)
309 t.Fatalf("error generating ssh pubkey: %v", err)
312 cert := &Certificate{
314 Key: priv.PublicKey(),
316 cert.SignCert(rand.Reader, priv)
318 certSigner, err := NewCertSigner(cert, priv)
320 t.Fatalf("error generating cert signer: %v", err)
323 config := &ClientConfig{
325 HostKeyCallback: func(h string, r net.Addr, k PublicKey) error { return nil },
326 Auth: []AuthMethod{PublicKeys(certSigner)},
329 _, _, _, err = NewClientConn(c2, "", config)
331 t.Fatalf("error connecting: %v", err)