author    Lars Wirzenius <liw@liw.fi>  2023-10-08 18:01:28 +0000
committer Lars Wirzenius <liw@liw.fi>  2023-10-08 18:01:28 +0000
commit    dc54c84f8aab5b45722f1e75a5d6607cba8aabae (patch)
tree      a6dc02059e5abd728b9822e771d85b17495f48d9
parent    977c5ba9351ba14fce6e04117d939b50b5deb73f (diff)
parent    5c5acced827408a59bd592c64d6df393823e261c (diff)
Merge branch 'tests' into 'main'

tests: make sure user CA can't certify host, and vice versa

See merge request larswirzenius/sshca!68
-rw-r--r--  sshca.md  36
1 file changed, 36 insertions, 0 deletions
diff --git a/sshca.md b/sshca.md
index 4e3cbc9..57dc317 100644
--- a/sshca.md
+++ b/sshca.md
@@ -686,6 +686,25 @@ then stdout contains "myhost"
then stdout contains "othername"
~~~
+### Host CA can't certify a user
+
+_Requirement: we can't certify a user with a host CA._
+
+Justification: It must not be easy to make this mistake.
+
+~~~scenario
+given an installed sshca
+given file .config/sshca/config.yaml from config.yaml
+
+when I run ssh-keygen -t ed25519 -N '' -f some_user
+when I run sshca user new some_user some_user.pub
+
+when I run sshca ca new host CAv1
+when I try to run sshca user certify --ca CAv1 some_user
+then command fails
+then stderr contains "unknown user CA: CAv1"
+~~~
+
### By default host certificates are valid for 90 days
_Requirement: By default, host certificates should be valid a limited time._
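Review bot: the assertion `then stderr contains "unknown user CA: CAv1"` would also hold if no user CA existed at all, and the only CA this scenario creates is `sshca ca new host CAv1`, so as written it does not distinguish "a host CA is rejected as a user CA" from "there is no user CA". Create a user CA under another name before the attempt (e.g. `when I run sshca ca new user UserCAv1` ahead of `when I try to run sshca user certify --ca CAv1 some_user`) so the user-CA lookup is populated and the failure is specifically the host CA being refused. Since the only separation this test exercises is name-based lookup, a companion scenario where a user CA and a host CA both carry the name CAv1, asserting which one `user certify` selects, would pin down the intended behaviour.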
@@ -987,6 +1006,23 @@ when I run ssh-keygen -L -f my.cert
then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+
~~~
+### User CA can't certify a host
+
+_Requirement: we can't certify a host with a user CA._
+
+Justification: It must not be easy to make this mistake.
+
+~~~scenario
+given an installed sshca
+given file .config/sshca/config.yaml from config.yaml
+
+when I run sshca host generate myhost -p myhost -p othername
+
+when I run sshca ca new user CAv1
+when I try to run sshca host certify --ca CAv1 myhost
+then command fails
+then stderr contains "unknown host CA: CAv1"
+~~~
# SEE ALSO
* [ssh-keygen manual page](https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html#CERTIFICATES)
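Review bot: same gap as the host-CA scenario: with `sshca ca new user CAv1` as the only CA, `unknown host CA: CAv1` would appear whether or not the user CA is ever consulted, so add a host CA under a different name (e.g. `when I run sshca ca new host HostCAv1`) before `when I try to run sshca host certify --ca CAv1 myhost`. Also, unlike the first hunk, this block adds no blank `+` line after its closing `+~~~`, so depending on where the unchanged blank line sits the fence may end up directly against `# SEE ALSO`; add a trailing blank line for consistency with the host-CA scenario.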