git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Fabian Stelzer <fs@gigacodes.de>
To: git@vger.kernel.org
Cc: "Fabian Stelzer" <fs@gigacodes.de>,
	"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
	"Junio C Hamano" <gitster@pobox.com>
Subject: [PATCH v2 2/6] ssh signing: add key lifetime test prereqs
Date: Wed, 27 Oct 2021 10:06:12 +0200	[thread overview]
Message-ID: <20211027080616.619956-3-fs@gigacodes.de> (raw)
In-Reply-To: <20211027080616.619956-1-fs@gigacodes.de>

if ssh-keygen supports -Overify-time, add test keys marked as expired,
not yet valid and valid both within the test_tick timeframe and outside of it.

Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
---
 t/lib-gpg.sh | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index f99ef3e859..139e7a45ea 100644
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -90,6 +90,10 @@ test_lazy_prereq RFC1991 '
 GPGSSH_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key"
 GPGSSH_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key"
 GPGSSH_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key"
+GPGSSH_KEY_EXPIRED="${GNUPGHOME}/expired_ssh_signing_key"
+GPGSSH_KEY_NOTYETVALID="${GNUPGHOME}/notyetvalid_ssh_signing_key"
+GPGSSH_KEY_TIMEBOXEDVALID="${GNUPGHOME}/timeboxed_valid_ssh_signing_key"
+GPGSSH_KEY_TIMEBOXEDINVALID="${GNUPGHOME}/timeboxed_invalid_ssh_signing_key"
 GPGSSH_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key"
 GPGSSH_KEY_PASSPHRASE="super_secret"
 GPGSSH_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile"
@@ -112,7 +116,20 @@ test_lazy_prereq GPGSSH '
 	echo "\"principal with number 2\" $(cat "${GPGSSH_KEY_SECONDARY}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
 	ssh-keygen -t ed25519 -N "${GPGSSH_KEY_PASSPHRASE}" -C "git ed25519 encrypted key" -f "${GPGSSH_KEY_WITH_PASSPHRASE}" >/dev/null &&
 	echo "\"principal with number 3\" $(cat "${GPGSSH_KEY_WITH_PASSPHRASE}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
-	ssh-keygen -t ed25519 -N "" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null
+	ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GPGSSH_KEY_UNTRUSTED}" >/dev/null
+'
+
+test_lazy_prereq GPGSSH_VERIFYTIME '
+	# Check if ssh-keygen has a verify-time option by passing an invalid date to it
+	ssh-keygen -Overify-time=INVALID -Y check-novalidate -s doesnotmatter 2>&1 | grep -q -F "Invalid \"verify-time\"" &&
+	ssh-keygen -t ed25519 -N "" -C "timeboxed valid key" -f "${GPGSSH_KEY_TIMEBOXEDVALID}" >/dev/null &&
+	echo "\"timeboxed valid key\" valid-after=\"20050407000000\",valid-before=\"200504100000\" $(cat "${GPGSSH_KEY_TIMEBOXEDVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
+	ssh-keygen -t ed25519 -N "" -C "timeboxed invalid key" -f "${GPGSSH_KEY_TIMEBOXEDINVALID}" >/dev/null &&
+	echo "\"timeboxed invalid key\" valid-after=\"20050401000000\",valid-before=\"20050402000000\" $(cat "${GPGSSH_KEY_TIMEBOXEDINVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
+	ssh-keygen -t ed25519 -N "" -C "expired key" -f "${GPGSSH_KEY_EXPIRED}" >/dev/null &&
+	echo "\"principal with expired key\" valid-before=\"20000101000000\" $(cat "${GPGSSH_KEY_EXPIRED}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}" &&
+	ssh-keygen -t ed25519 -N "" -C "not yet valid key" -f "${GPGSSH_KEY_NOTYETVALID}" >/dev/null &&
+	echo "\"principal with not yet valid key\" valid-after=\"29990101000000\" $(cat "${GPGSSH_KEY_NOTYETVALID}.pub")" >> "${GPGSSH_ALLOWED_SIGNERS}"
 '
 
 sanitize_pgp() {
-- 
2.31.1


  parent reply	other threads:[~2021-10-27  8:06 UTC|newest]

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-27  8:06 [PATCH v2 0/6] ssh signing: verify key lifetime Fabian Stelzer
2021-10-27  8:06 ` [PATCH v2 1/6] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-10-27  8:06 ` Fabian Stelzer [this message]
2021-10-27  8:06 ` [PATCH v2 3/6] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-10-27 20:30   ` Junio C Hamano
2021-10-28  8:01     ` Fabian Stelzer
2021-11-17  9:35     ` [PATCH v3 0/7] ssh signing: verify " Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 1/7] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 2/7] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 3/7] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 4/7] ssh signing: make git log verify " Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 5/7] ssh signing: make verify-tag consider " Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 6/7] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-11-17  9:35       ` [PATCH v3 7/7] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-11-19  6:15         ` Junio C Hamano
2021-11-30 14:11       ` [PATCH v4 0/7] ssh signing: verify key lifetime Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 1/7] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 2/7] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 3/7] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 4/7] ssh signing: make git log verify " Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 5/7] ssh signing: make verify-tag consider " Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 6/7] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-05 19:23           ` SZEDER Gábor
2021-12-08 15:59             ` Fabian Stelzer
2021-11-30 14:11         ` [PATCH v4 7/7] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-12-02  0:18           ` Junio C Hamano
2021-12-02  9:31             ` Fabian Stelzer
2021-12-02 17:10               ` Junio C Hamano
2021-12-03 11:07                 ` Ævar Arnfjörð Bjarmason
2021-12-03 12:20                   ` Fabian Stelzer
2021-12-03 18:46                 ` Junio C Hamano
2021-12-08 16:33         ` [PATCH v5 0/8] ssh signing: verify key lifetime Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 1/8] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 2/8] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 3/8] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 4/8] ssh signing: make git log verify " Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 5/8] ssh signing: make verify-tag consider " Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 6/8] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 7/8] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-12-08 16:33           ` [PATCH v5 8/8] t/fmt-merge-msg: make gpg/ssh tests more specific Fabian Stelzer
2021-12-08 23:20             ` Junio C Hamano
2021-12-09  8:36               ` Fabian Stelzer
2021-12-09  8:52           ` [PATCH v6 0/9] ssh signing: verify key lifetime Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 1/9] t/fmt-merge-msg: do not redirect stderr Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 2/9] t/fmt-merge-msg: make gpgssh tests more specific Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 3/9] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 4/9] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 5/9] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 6/9] ssh signing: make git log verify " Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 7/9] ssh signing: make verify-tag consider " Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 8/9] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-09  8:52             ` [PATCH v6 9/9] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-10-27  8:06 ` [PATCH v2 4/6] ssh signing: make git log verify key lifetime Fabian Stelzer
2021-10-27  8:06 ` [PATCH v2 5/6] ssh signing: make verify-tag consider " Fabian Stelzer
2021-10-27  8:06 ` [PATCH v2 6/6] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-11-03 19:27 ` [PATCH v2 0/6] ssh signing: verify " Adam Dinwoodie
2021-11-03 19:45   ` Fabian Stelzer
2021-11-04 16:31     ` Adam Dinwoodie
2021-11-04 16:54       ` Fabian Stelzer
2021-11-04 17:22         ` Adam Dinwoodie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211027080616.619956-3-fs@gigacodes.de \
    --to=fs@gigacodes.de \
    --cc=avarab@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).