1 // Copyright 2014 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // +build darwin dragonfly freebsd linux netbsd openbsd
14 "golang.org/x/crypto/ssh"
17 // Test both logging in with a certificate, and that the certificate presented by an OpenSSH host can be validated correctly.
18 func TestCertLogin(t *testing.T) {
22 // Use a key different from the default.
23 clientKey := testSigners["dsa"]
24 caAuthKey := testSigners["ecdsa"]
25 cert := &ssh.Certificate{
26 Key: clientKey.PublicKey(),
27 ValidPrincipals: []string{username()},
28 CertType: ssh.UserCert,
29 ValidBefore: ssh.CertTimeInfinity,
31 if err := cert.SignCert(rand.Reader, caAuthKey); err != nil {
32 t.Fatalf("SetSignature: %v", err)
35 certSigner, err := ssh.NewCertSigner(cert, clientKey)
37 t.Fatalf("NewCertSigner: %v", err)
40 conf := &ssh.ClientConfig{
42 HostKeyCallback: (&ssh.CertChecker{
43 IsHostAuthority: func(pk ssh.PublicKey, addr string) bool {
44 return bytes.Equal(pk.Marshal(), testPublicKeys["ca"].Marshal())
48 conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
50 for _, test := range []struct {
54 {addr: "host.example.com:22", succeed: true},
55 {addr: "host.example.com:10000", succeed: true}, // non-standard port must be OK
56 {addr: "host.example.com", succeed: false}, // port must be specified
57 {addr: "host.ex4mple.com:22", succeed: false}, // wrong host
59 client, err := s.TryDialWithAddr(conf, test.addr)
61 // Always close client if opened successfully
66 // Now evaluate whether the test failed or passed
69 t.Fatalf("TryDialWithAddr: %v", err)
73 t.Fatalf("TryDialWithAddr, unexpected success")