torture_auth: Add tests for client side certificate authentication

- enabled TrustedUserCAKeys option in torture.c
 - adds a new set of (signed) keys for bob in a separate dir

 The private key used to generate the certs is included, but not required.

Signed-off-by: Axel Eppe <aeppe@google.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

tests/client/torture_auth.c

@@ -147,6 +147,32 @@ static int agent_setup(void **state)
     return 0;
 }
 
+static int agent_cert_setup(void **state)
+{
+    char bob_alt_ssh_key[1024];
+    struct passwd *pwd;
+    int rc;
+
+    rc = agent_setup(state);
+    if (rc != 0) {
+        return rc;
+    }
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    /* remove all keys, load alternative key + cert */
+    snprintf(bob_alt_ssh_key,
+             sizeof(bob_alt_ssh_key),
+             "ssh-add -D && ssh-add %s/.ssh_cert/id_rsa",
+             pwd->pw_dir);
+
+    rc = system(bob_alt_ssh_key);
+    assert_return_code(rc, errno);
+
+    return 0;
+}
+
 static int agent_teardown(void **state)
 {
     const char *ssh_agent_pidfile;
@@ -464,6 +490,69 @@ static void torture_auth_agent_nonblocking(void **state) {
     assert_int_equal(rc, SSH_AUTH_SUCCESS);
 }
 
+static void torture_auth_cert(void **state) {
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    ssh_key privkey = NULL;
+    ssh_key cert = NULL;
+    char bob_ssh_key[1024];
+    char bob_ssh_cert[1024];
+    struct passwd *pwd;
+    int rc;
+
+    privkey = ssh_key_new();
+    assert_true(privkey != NULL);
+
+    cert = ssh_key_new();
+    assert_true(cert != NULL);
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    snprintf(bob_ssh_key,
+             sizeof(bob_ssh_key),
+             "%s/.ssh_cert/id_rsa",
+             pwd->pw_dir);
+    snprintf(bob_ssh_cert,
+             sizeof(bob_ssh_cert),
+             "%s-cert.pub",
+             bob_ssh_key);
+
+    /* cert has been signed for login as alice */
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_connect(session);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_import_privkey_file(bob_ssh_key, NULL, NULL, NULL, &privkey);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_import_cert_file(bob_ssh_cert, &cert);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_copy_cert_to_privkey(cert, privkey);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_userauth_try_publickey(session, NULL, cert);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+    rc = ssh_userauth_publickey(session, NULL, privkey);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+    ssh_key_free(privkey);
+    ssh_key_free(cert);
+}
+
+static void torture_auth_agent_cert(void **state) {
+  /* Setup loads a different key, tests are exactly the same. */
+  torture_auth_agent(state);
+}
+
+static void torture_auth_agent_cert_nonblocking(void **state) {
+  torture_auth_agent_nonblocking(state);
+}
+
 
 int torture_run_tests(void) {
     int rc;
@@ -498,6 +587,15 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_agent_nonblocking,
                                         agent_setup,
                                         agent_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_cert,
+                                        pubkey_setup,
+                                        session_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_agent_cert,
+                                        agent_cert_setup,
+                                        agent_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_agent_cert_nonblocking,
+                                        agent_cert_setup,
+                                        agent_teardown),
     };
 
     ssh_init();