From patchwork Wed Nov 17 09:35:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabian Stelzer X-Patchwork-Id: 12624123 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45A97C433F5 for ; Wed, 17 Nov 2021 09:35:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2F563619EC for ; Wed, 17 Nov 2021 09:35:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235168AbhKQJix (ORCPT ); Wed, 17 Nov 2021 04:38:53 -0500 Received: from mail-db5eur01hn2234.outbound.protection.outlook.com ([52.100.6.234]:20915 "EHLO EUR01-DB5-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S235103AbhKQJit (ORCPT ); Wed, 17 Nov 2021 04:38:49 -0500 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YfS6QSOy7nktcUzGFL0zd3AfWXVzvntOOcYOKX4QhwmfrTOEgQEAkZGYCtq9COwqKnyGWwDlhkfW/sh8R5DhG/SKILBY+C8soroZirqhakbeZClDotlUbbFypD+wa2IDHntPUHY/pyv3J5f23se6sIrIpB5fdzBdQ2aPKK5XIs5N+pFPiY4dquSaMrh7k/KL6Jy/oEcZHmttnQ0Uh+UDTCXWtjzuvoE1ChzEV+3tiza93qP8I0l9fTEFvHC8xTwLDw4Ig9radyFoMLuoIQ0kDLGLruSme5F75b0E0lt82IKGoRboVNtlGBzLoJWqo9v8Xe8UlENoEE7+48xnlEtWqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=K3sccrQyi7gwNykk7BAg8YyNI3Nho2xKTBAsNPAwDAE=; b=NeKrE7LbdcFHoKHjC6Z0q5lMdw0byMDHnSnK58SBIUzQqGAAn1BggxZCnhzV4h/wT/8ZT7brsG3dC/Kfhy6vGF67JUXJgrbnSggbw7KfZyhMcm9BTVBo5FYLJDtSJH/vhI3o9Ww/ZpMlwuG9VbOpsVTvln/5DjR6SPPnhf5qVXJsJ9sIuGGv1CKXV+WD0Jtj/lOCdQPtMYeEkjyQOndlP6/7xIpZfMioQPtFxMRcQnjHw0TMaHgc63KDOuqZD13JGa1r8n9R63Qt+wEHwRmlzZOiFODcW6sEzXKQr7RkaO1NDWl7pcseJpF012WwfFuRo8f2PUUD1rVu6mmn2uksLA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=gigacodes.de; dmarc=pass action=none header.from=gigacodes.de; dkim=pass header.d=gigacodes.de; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gigacodes.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K3sccrQyi7gwNykk7BAg8YyNI3Nho2xKTBAsNPAwDAE=; b=v8kIbqmM49RAzuhge00bmIrNwix+tFx8cb7W+AV6ibkwhrE+3gybii5CHc2MMWKBfomrNMqbC3Ysh7AFauOfdteKQqzmAhI14nfXaQTJCdS+6ZUyoJpSt8784h3aZCKnxUxQj35sfLwD9PGPkbUhVOaw2MR8OJBkrraQvtl2DfM= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=gigacodes.de; Received: from PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:12e::15) by PR3PR10MB3820.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:49::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.15; Wed, 17 Nov 2021 09:35:47 +0000 Received: from PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM ([fe80::f9d5:61ab:5756:b391]) by PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM ([fe80::f9d5:61ab:5756:b391%5]) with mapi id 15.20.4713.020; Wed, 17 Nov 2021 09:35:47 +0000 From: Fabian Stelzer To: git@vger.kernel.org Cc: Junio C Hamano , =?utf-8?b?w4Z2YXIgQXJuZmrDtnLDsCBC?= =?utf-8?b?amFybWFzb24=?= , Fabian Stelzer Subject: [PATCH v3 2/7] ssh signing: add key lifetime test prereqs Date: Wed, 17 Nov 2021 10:35:24 +0100 Message-Id: <20211117093529.13953-3-fs@gigacodes.de> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211117093529.13953-1-fs@gigacodes.de> References: <20211117093529.13953-1-fs@gigacodes.de> X-ClientProxiedBy: AS9PR0301CA0045.eurprd03.prod.outlook.com (2603:10a6:20b:469::13) To PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:12e::15) MIME-Version: 1.0 Received: from localhost (2003:ea:5820:600:c042:75a0:fd5e:1472) by AS9PR0301CA0045.eurprd03.prod.outlook.com (2603:10a6:20b:469::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.26 via Frontend Transport; Wed, 17 Nov 2021 09:35:46 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 4bec2daa-dc42-4d9a-4776-08d9a9ada270 X-MS-TrafficTypeDiagnostic: PR3PR10MB3820: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1850; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: ty/LT5Cb1o8SP8Lh8oYmDByIwDG3xLIud94EI6Yh+6g7GVzThCVixVuZBZPZg/SakBjd8m1RWqbk0kmvVrqwnvNMzoyQy7EtZLK4UzCmXVIuCUcOs5jdH8n3LArR3ETe84JD9s1zzpOhAgo3cvJt+tfO+2QDrKrq2uZiizXegzYl/JSkrbHIwjezHsHaYKNlpTOyYsZdhKFHgBi9SczKTlOVrYMZWYowBoPT5My3z8RMH19jaHq4rgPr9Wz0FXouhnWi5nbrJ+QD0G/sVZMXgTTFvfAjPz1kKpKx4iACLj1J47p9aEHY0FwwzqKhIRTra5oDvtIsYlO1vvizczbO17MNVw8/iRvGxwy+PobSMLoFTZe7oT1Wn8CWL5P95O6OtBQWHKi8RmQt3cqniqH7Zl5NwmKCAkTauPFT2sQvLsd7CDaCIlIIFPj8yRv7kAON9Vv3IRZEaeAr6SAGqM6plfOx3GyQnSM3gUkCC2Fnl9iFokfxIjVhBhaDvh8/eh/BtrlFFZYsJxPFXQzqvpCyLbomx/o/rviKcvuxFaZjBhtavajWG1kk/LaMAmyBqzt31jmBThu6RB3SvqpsR+IvPgpD2paRAOrmEBKf1VFd3ivgSxGzWCTSukRA7+DtQEfYHwnV6uvLFe9oaSVuAiKmkxNiz076ASAz6Plbu+pNKkOR3wksmUwQeMyrQuLa+FVbQ/xP9BgUJSViEwdaT56xueupz2jMYXRZPK4jZi+viCrz/AZ0okgTSP3BhqIRb++JUHoujsxXwiQh+Zs+iXY7+r9NlexSyvzVdPmImivfWUtIqxpxuI702V0eqD9ENBe9oLvoxHoI754GVm3vxuB38v0dxpvrR2E7QGDUsyNlj81/JflWk+3e7+lfp9iEmTRax3mcENioC8cP23BAEWCV7BSQKrhqMjeKURnWjKNbcbVg16ewVhKwoN6H85Q12uU5LV4jirPS0dUUeYcSQx3xBhnsRoMbdbExoBjfeYo8e7no+B7sfR9XOyzKLJtfGdgk77qvDn7NEhzNcRZQP0Y28A== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:OSPM;SFS:(4636009)(136003)(376002)(346002)(39840400004)(396003)(366004)(66556008)(316002)(8676002)(1076003)(66476007)(66946007)(38100700002)(8936002)(83380400001)(86362001)(5660300002)(36756003)(54906003)(186003)(2906002)(6486002)(2616005)(6666004)(107886003)(6496006)(6916009)(52116002)(4326008)(508600001)(23200700001);DIR:OUT;SFP:1501; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: xCXR6V2FlE+XtPxZUl5QGRNXByuXyTdg7IQ+9JiolHZF39YopWay/yYEJjz6gFyFk2qMoYh2sSS5tAB4/bpC71PG15pDdeEqTcKTG19lzz89XIkg+Q6/+IU2uo6SK8wF2Wy8N1ginB6pqeoRj+iFWbANlEFCqoXKe0jK1PERUmfKCirQrqeogK2mdlgoC5FvI0PwCFCTLu7TYdWsX7tw05e4mKTDVw/j7AhdBvn3jro3o/WpwjoLBEXHMGbx36F84ACLkGjFCh/PjXKcj/bo9DN3AF7SHc1Dd6zxZ/Wb3xVZi+iajXymDPkmhHdFJt9XIb5H7phI5obflp4CWbddGp43mGnpQSQv70x29MbIztiYFRL3SxrdaGBqn4hkn61T7p7ZZpr/CKQPXTQnZba4GIp6rCnXOFzzTwaCbbzos8VniapD2N9xYZJOWbj5RtUQpbAj2s4uHoKLOeE1eWTlcddryVftDL+LELyHEJpru1rtRO8NAfH5PwMoAK2CvKEVJZIeMDT99ikgem5yOw72vUZzmWko+a/AOcRfBIpYO4Le1bskVqi+3NwCybuuypUT7aMOV2fRNzgix3/CrSvyk08SLvxuseX+rc9vDM8/oKh25Bjd76r7rXMcus62DnkA9TnfN/RYXzltVsKoWr2ztnMx0K/ZVjXSFnpQU0QE19jR+2rVpIx2CHx17d5l7AS/cgGs7Q+s8b9vKIiAgrrz1D/JlwhWrEtH/hTONX1MuDI1xqY0QP+kChN/V9Ykf7L1+4+x22X/kAaKiLmBKZINPlGhMqIzRN/vNdKMcpr56zpvuaN0yiX4oeG1qxYBURIFP3How6t+aaaPtdAiB71DCWoU9aSnYfZfHcdQ/R3gHNfxF902giYkAnqfsF0+pCdCjl+m5t5Re6ctZLG9TizBh87lQbGnpfJv6rWy+rw2pWfdIAKyFd5pWKFIm3otrnTBnOLGgnYT0e12zn7tYMtHLR9fPSrzxL6Rpu2/lQWW+7wOQf1DW2vrG3aedrFbGeunWDeiYdE2q0007g8freg3PIqSekZsIK/IEsIWWPZNOMrAb7I+VVmUgb+5dYeY3JHS8k5ucSsATBmF2PlpYFrn8N8gt2Ou/wEmkUKtvzFTYKi4bGg/Ty9Xa9TabKzeJN0P/1F1GFczvW568lXWBoCA4nVqj8JOfyaLvrgruP6UqGSGX4Om3WW2JqpE8MRkRv4m2r1S+AVPUctJo3VcDG+lbs4VFM+SDXU6aHcuVSxp3oAo0jpXy7L2joDEFg1b28OgArr25CbCEcNlRjbwdTI+iYpkegHVLYG6PeNU/diEC8ZauTym/QCps2sklWomUgR81ftI/uaA7WCPCj5B6grBIgS2weoO5U/UTzCbT9PTvzyOB/ZAN7wN7FN8aX6C1SFkVwRHx2rWb4iKkPmuIdvmXQWbHZf7AZMJGXKR4GziLix1/VGxF9pOeVtuUb2Vcs/rBI4b+x4m8V6W6bKRVdwqAMe8tcnBz9OzXsiLeU4Hm2zlZih8jziBwrzgXNLRjLvoq1AqW3DAgOWUHp3M+6CoOHlExPedsC3N7UJqzABP5qy03L+2WWB3C2m5Xsr8Ir3eUqOdL/RGQLySg3kUzHTYsZVIVrstCJneSlwyppnq44IGv3g40UfKby2omCCl92X9R9u78zoExFAKNtGdoWLFy6pw4Xfzhz44HqVvrZLZgjSr+f3X4wpXVWCsMbdGUXWnzKwPH606um8CTznkW2EY4dQjEowMBozvryhH0FuRGig= X-OriginatorOrg: gigacodes.de X-MS-Exchange-CrossTenant-Network-Message-Id: 4bec2daa-dc42-4d9a-4776-08d9a9ada270 X-MS-Exchange-CrossTenant-AuthSource: PAXPR10MB4734.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Nov 2021 09:35:47.0086 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 80e41b3b-ea1f-4dbc-91eb-225a572951fb X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 4jR0BDOMQ4x6rxrHZbLVkuE6YW3vWONwU+wlm4KitgRmQ5fDUxlx0Ay3PvVGniLblDqHlvJrv2yejstq/ycbAaRLpP0VnYC38Mp3fX6y5IE= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR10MB3820 Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org if ssh-keygen supports -Overify-time, add test keys marked as expired, not yet valid and valid both within the test_tick timeframe and outside of it. Signed-off-by: Fabian Stelzer --- t/lib-gpg.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index a3f285f515..fc03c8f89b 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -90,6 +90,10 @@ test_lazy_prereq RFC1991 ' GPGSSH_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key" GPGSSH_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key" GPGSSH_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key" +GPGSSH_KEY_EXPIRED="${GNUPGHOME}/expired_ssh_signing_key" +GPGSSH_KEY_NOTYETVALID="${GNUPGHOME}/notyetvalid_ssh_signing_key" +GPGSSH_KEY_TIMEBOXEDVALID="${GNUPGHOME}/timeboxed_valid_ssh_signing_key" +GPGSSH_KEY_TIMEBOXEDINVALID="${GNUPGHOME}/timeboxed_invalid_ssh_signing_key" GPGSSH_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key" GPGSSH_KEY_PASSPHRASE="super_secret" GPGSSH_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile" @@ -119,7 +123,20 @@ test_lazy_prereq GPGSSH ' echo "\"principal with number 2\" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && ssh-keygen -t ed25519 -N "${GPGSSH_KEY_PASSPHRASE}" -C "git ed25519 encrypted key" -f "${GPGSSH_KEY_WITH_PASSPHRASE}" >/dev/null && echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && - ssh-keygen -t ed25519 -N "" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null +' + +test_lazy_prereq GPGSSH_VERIFYTIME ' + # Check if ssh-keygen has a verify-time option by passing an invalid date to it + ssh-keygen -Overify-time=INVALID -Y check-novalidate -s doesnotmatter 2>&1 | grep -q -F "Invalid \"verify-time\"" && + ssh-keygen -t ed25519 -N "" -C "timeboxed valid key" -f "${GPGSSH_KEY_TIMEBOXEDVALID}" >/dev/null && + echo "\"timeboxed valid key\" valid-after=\"20050407000000\",valid-before=\"200504100000\" $(cat "${GPGSSH_KEY_TIMEBOXEDVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "timeboxed invalid key" -f "${GPGSSH_KEY_TIMEBOXEDINVALID}" >/dev/null && + echo "\"timeboxed invalid key\" valid-after=\"20050401000000\",valid-before=\"20050402000000\" $(cat "${GPGSSH_KEY_TIMEBOXEDINVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "expired key" -f "${GPGSSH_KEY_EXPIRED}" >/dev/null && + echo "\"principal with expired key\" valid-before=\"20000101000000\" $(cat "${GPGSSH_KEY_EXPIRED}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" && + ssh-keygen -t ed25519 -N "" -C "not yet valid key" -f "${GPGSSH_KEY_NOTYETVALID}" >/dev/null && + echo "\"principal with not yet valid key\" valid-after=\"29990101000000\" $(cat "${GPGSSH_KEY_NOTYETVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" ' sanitize_pgp() {