#! /bin/csh -f # # Run one iteration of OpenSSH portion of import/export tests. # Only used as a subroutine call from importExportOpenssh. # # Arguments (all required): # # privKey # privKeyFormat -- ssh1|ssh1Wrap|ssh2|ssh2Wrap # pubKey # pubKeyFormat -- ssh1|ssh2 # algorithm -- rsa|dsa # quiet -- YES|NO # noACL -- YES|NO # securePassphrase -- YES|NO # noClean -- YES|NO # # If incoming private key is wrapped, we assume it has password "password" # without the quotes. # # We assume the presence of keychain $KEYCHAIN_PATH, which we clean out before # using. # if ( $#argv != 9 ) then echo See importExportOpensshTool script for usage. exit(1) endif source setupCommon set PRIV_KEY_IN=$argv[1] set PRIV_KEY_FORM=$argv[2] set PUB_KEY_IN=$argv[3] set PUB_KEY_FORM=$argv[4] set ALG_ARG= set KEY_ALG=$argv[5] if($KEY_ALG == dsa) then set ALG_ARG="a=d" endif set QUIET=$argv[6] set QUIET_ARG= if ($QUIET == YES) then set QUIET_ARG=-q endif set NOACL_ARG= if ($argv[7] == YES) then set NOACL_ARG=-n endif set SECURE_PHRASE_ARG= if ($argv[8] == YES) then set SECURE_PHRASE_ARG=-Z endif set NOCLEAN=$argv[9] set SSHKEY=$BUILD_DIR/sshKey if ($QUIET == NO) then echo -- Testing SSH privFormat $PRIV_KEY_FORM pubFormat $PUB_KEY_FORM -- endif # # rsatool filename - it has particular requirements here... # All of are produced by exporting from a keychain. # set RSA_TOOL_FILENAME=$BUILD_DIR/rawSshKey set RAW_PRIV_KEY=${RSA_TOOL_FILENAME}_priv.der set RAW_PUB_KEY=${RSA_TOOL_FILENAME}_pub.der # # The file we sign with rsatool, in cwd, and a signature file. # set PLAINTEXT=somePlainText set SIGFILE=$BUILD_DIR/sig set PASSWORD=password # empty the keychain if ($QUIET == NO) then echo $CLEANKC endif $CLEANKC || exit(1) # # Import incoming private key, export to unencrypted format. # Wrapped SSH1 --> SSH1 # Wrapped SSH2 = Wrapped Openssl --> OpenSSL = PKCS1. # SSH2 = OpenSSL/PEM = PKCS1/PEM --> OpenSSL = PKCS1. # # Note # set RAW_PRIV_KEY_FORM=$PRIV_KEY_FORM set DO_CONVERT=no # these are for kcImport/kcExport set IN_FORM=foo set OUT_FORM=foo # these are for rsatool set RSA_PUB_FORM=foo set RSA_PRIV_FORM=foo switch( $PRIV_KEY_FORM ) case ssh1Wrap: set DO_CONVERT=yes set IN_FORM=openssh1 set OUT_FORM=openssh1 set RSA_PRIV_FORM=s breaksw case ssh2Wrap: set DO_CONVERT=yes set IN_FORM=openssl set OUT_FORM=openssl if($KEY_ALG == rsa) then set RSA_PRIV_FORM=1 else set RSA_PRIV_FORM=o endif breaksw case ssh1: set DO_CONVERT=no set IN_FORM=openssh1 set OUT_FORM=openssh1 set RSA_PRIV_FORM=s breaksw case ssh2: set DO_CONVERT=no set IN_FORM=openssl set OUT_FORM=openssl if($KEY_ALG == rsa) then set RSA_PRIV_FORM=1 else set RSA_PRIV_FORM=o endif breaksw default: echo See importExportOpensshTool script for usage. exit(1) endsw # # Note we always import private keys with the -e option so we can export in the clear. # if($DO_CONVERT == yes) then if ($QUIET == NO) then echo Importing wrapped private key... endif set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -z $PASSWORD -t priv -f $IN_FORM -w -e -K 1 $QUIET_ARG $NOACL_ARG $SECURE_PHRASE_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) else if ($QUIET == NO) then echo Importing cleartext private key... endif set cmd="$KCIMPORT $PRIV_KEY_IN -k $KEYCHAIN -t priv -f $IN_FORM -e -K 1 $QUIET_ARG $NOACL_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) endif # # Export to cleartext private key format # if ($QUIET == NO) then echo Exporting to cleartext private key... endif set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f $OUT_FORM -o $RAW_PRIV_KEY $QUIET_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) # # Import public key, and re-export it. When we're thru with this for all combinations # of keys sent to us by importExportOpenssh, we know we can read every format that # OpenSSH can generate. # switch( $PUB_KEY_FORM ) case ssh1: set IN_FORM=openssh1 set OUT_FORM=openssh1 set RSA_PUB_FORM=o breaksw case ssh2: set IN_FORM=openssh2 set OUT_FORM=openssh2 set RSA_PUB_FORM=O breaksw default: echo See importExportOpensshTool script for usage. exit(1) endsw if ($QUIET == NO) then echo Importing public... endif set cmd="$KCIMPORT $PUB_KEY_IN -k $KEYCHAIN -t pub -f $IN_FORM -K 1 $QUIET_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) # # Export public key # if ($QUIET == NO) then echo Exporting public key... endif set cmd="$KCEXPORT $KEYCHAIN -t pubKeys -f $OUT_FORM -o $RAW_PUB_KEY $QUIET_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) # # Sign and verify. # set cmd="$RSATOOL s p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME v=$RSA_PRIV_FORM $ALG_ARG q" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) set cmd="$RSATOOL v p=$PLAINTEXT s=$SIGFILE k=$RSA_TOOL_FILENAME b=$RSA_PUB_FORM $ALG_ARG q" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) # # The incoming public key and the one we exported from the keychain should be identical. # set cmd="$CMP $PUB_KEY_IN $RAW_PUB_KEY" if ($QUIET == NO) then echo $cmd endif $cmd if($status != 0) then echo MISCOMPARE on public key form $PUB_KEY_FORM exit(1) endif # # Verifying private keys is a little tricker. Only cleartext ssh2 keys can be # verified by byte-for-byte compare, and then only after exporting them again # in PEM armour. All the others have random data added. # set PEM_PRIV_KEY=$BUILD_DIR/pemPrivKey if($PRIV_KEY_FORM == ssh2) then set cmd="$KCEXPORT $KEYCHAIN -t privKeys -f openssl -p -o $PEM_PRIV_KEY $QUIET_ARG" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) set cmd="$CMP $PRIV_KEY_IN $PEM_PRIV_KEY" if ($QUIET == NO) then echo $cmd endif $cmd if($status != 0) then echo MISCOMPARE on private key form $PRIV_KEY_FORM exit(1) endif endif # # We've verified that we write the following formats identically to OpenSSH: # -- public ssh1 # -- public ssh2 # -- private unwrapped ssh2 (a.k.a. OpenSSL w/PEM) # # Since private wrapped SSH2 keys are in a format that we've verified # extensively elsewhere (OpenSSL, in the importExportOpensslWrap script), # all we really need to test here is ssh1 format. We'll test that # via parsing keys with the sshKey program and comparing the output. # This also verifies the comments in the generated keys, which should # always match the comment of the original key (ssh-keygen key, import # that, the resulting C item's PrintName has the comment; export that # KC item and the original comment gets embedded in the new key). # set DONE=no set PWDARG= switch( $PRIV_KEY_FORM ) case ssh1: set PWDARG=-P breaksw case ssh1Wrap: set PWDARG="-p $PASSWORD" breaksw case ssh2Wrap: case ssh2: set DONE=yes breaksw default: echo BRRZZZAP! Missed one here! PRIV_KEY_FORM $PRIV_KEY_FORM exit(1) endsw set PARSE_REF=$BUILD_DIR/parseRef set PARSE_GEN=$BUILD_DIR/parseGen if($DONE == no) then if ($QUIET == NO) then echo Parsing $PRIV_KEY_IN and $RAW_PRIV_KEY.... endif set cmd="$SSHKEY -i $PRIV_KEY_IN -r -f ssh1 -v $PWDARG" if ($QUIET == NO) then echo $cmd endif $cmd > $PARSE_REF if($status != 0) then echo Error parsing $PRIV_KEY_IN. exit(1) endif set cmd="$SSHKEY -i $RAW_PRIV_KEY -r -f ssh1 -v -P" if ($QUIET == NO) then echo $cmd endif $cmd > $PARSE_GEN if($status != 0) then echo Error parsing $RAW_PRIV_KEY. exit(1) endif set cmd="$CMP $PARSE_GEN $PARSE_REF" if ($QUIET == NO) then echo $cmd endif $cmd if($status != 0) then echo MISCOMPARE on parsed private keys exit(1) endif endif # # cleanup # if($NOCLEAN == NO) then set cmd="rm -f $RAW_PRIV_KEY $RAW_PUB_KEY $SIGFILE $PEM_PRIV_KEY $PARSE_REF $PARSE_GEN" if ($QUIET == NO) then echo $cmd endif $cmd || exit(1) endif