(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'certified host keys'>)}
          spids: [7]
        )
      ]
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_'> <Id.Lit_Star '*'>}
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/host_krl_'> <Id.Lit_Star '*'>}
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:types)
          op: assign_op.Equal
          rhs: {(DQ )}
          spids: [45]
        )
      ]
    )
    (command.ForEach
      iter_name: i
      iter_words: [
        {
          (command_sub
            left_token: <Id.Left_Backtick '`'>
            child: (C {($ Id.VSub_DollarName '$SSH')} {<-Q>} {<key>})
          )
        }
      ]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {<-z>} {(DQ ($ Id.VSub_DollarName '$types'))} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:types)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$i'))}
                          spids: [85]
                        )
                      ]
                    )
                    (command.ControlFlow token:<Id.ControlFlow_Continue continue>)
                  ]
                  spids: [69 82]
                )
              ]
            )
            (command.Case
              to_match: {(DQ ($ Id.VSub_DollarName '$i'))}
              arms: [
                (case_arm
                  pat_list: [{<Id.Lit_Star '*'> <cert> <Id.Lit_Star '*'>}]
                  action: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:types)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$i') <','> ($ Id.VSub_DollarName '$types'))}
                          spids: [111]
                        )
                      ]
                    )
                  ]
                  spids: [106 109 117 -1]
                )
                (case_arm
                  pat_list: [{<Id.Lit_Star '*'>}]
                  action: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:types)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$types') <','> ($ Id.VSub_DollarName '$i'))}
                          spids: [123]
                        )
                      ]
                    )
                  ]
                  spids: [120 121 129 -1]
                )
              ]
            )
          ]
        )
    )
    (command.Subshell
      child: 
        (command.CommandList
          children: [
            (C {<echo>} {(DQ <'HostKeyAlgorithms '> (${ Id.VSub_Name types))})
            (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes *'>)})
          ]
        )
      redirects: [
        (redir
          op: <Id.Redir_DGreat '>>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
        )
      ]
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}
    )
    (command.Subshell
      child: 
        (command.CommandList
          children: [
            (C {<echo>} {(DQ <'HostKeyAlgorithms *'>)})
            (C {<echo>} {(DQ <'PubkeyAcceptedKeyTypes *'>)})
          ]
        )
      redirects: [
        (redir
          op: <Id.Redir_DGreat '>>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>}
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:HOSTS)
          op: assign_op.Equal
          rhs: {(SQ <'localhost-with-alias,127.0.0.1,::1'>)}
          spids: [194]
        )
      ]
    )
    (command.ShFunction
      name: kh_ca
      body: 
        (BraceGroup
          children: [
            (command.ForEach
              iter_name: k
              iter_words: [{(DQ ($ Id.VSub_At '$@'))}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (C {<printf>} {(DQ <'@cert-authority '> ($ Id.VSub_DollarName '$HOSTS') <' '>)})
                    (command.AndOr
                      ops: [Id.Op_DPipe]
                      children: [
                        (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/'> ($ Id.VSub_DollarName '$k')})
                        (C {<fatal>} {(DQ <'couldn\'t cat '> ($ Id.VSub_DollarName '$k'))})
                      ]
                    )
                  ]
                )
            )
          ]
        )
    )
    (command.ShFunction
      name: kh_revoke
      body: 
        (BraceGroup
          children: [
            (command.ForEach
              iter_name: k
              iter_words: [{(DQ ($ Id.VSub_At '$@'))}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (C {<printf>} {(DQ <'@revoked * '>)})
                    (command.AndOr
                      ops: [Id.Op_DPipe]
                      children: [
                        (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/'> ($ Id.VSub_DollarName '$k')})
                        (C {<fatal>} {(DQ <'couldn\'t cat '> ($ Id.VSub_DollarName '$k'))})
                      ]
                    )
                  ]
                )
            )
          ]
        )
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<ed25519>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>}
        )
        (C {<fail>} {(DQ <'ssh-keygen of host_ca_key failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {<rsa>} {<-f>} 
          {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>}
        )
        (C {<fail>} {(DQ <'ssh-keygen of host_ca_key failed'>)})
      ]
    )
    (command.Simple
      words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
    )
    (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_empty'>})
    (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_plain'>})
    (C {<touch>} {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_cert'>})
    (command.Simple
      words: [
        {<cat>}
        {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key.pub'>}
        {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2.pub'>}
      ]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_ca'>}
        )
      ]
      do_fork: T
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:PLAIN_TYPES)
          op: assign_op.Equal
          rhs: 
            {
              (command_sub
                left_token: <Id.Left_Backtick '`'>
                child: 
                  (command.Pipeline
                    children: [
                      (C {($ Id.VSub_DollarName '$SSH')} {<-Q>} {<key-plain>})
                      (C {<sed>} {(SQ <'s/^ssh-dss/ssh-dsa/g;s/^ssh-//'>)})
                    ]
                    negated: F
                  )
              )
            }
          spids: [418]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (command.Pipeline
                      children: [
                        (C {<echo>} {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES'))})
                        (command.Simple
                          words: [{<grep>} {(SQ <'^rsa$'>)}]
                          redirects: [
                            (redir
                              op: <Id.Redir_Great '>'>
                              loc: (redir_loc.Fd fd:1)
                              arg: {<'/dev/null'>}
                            )
                            (redir
                              op: <Id.Redir_GreatAnd '2>&'>
                              loc: (redir_loc.Fd fd:2)
                              arg: {<1>}
                            )
                          ]
                          do_fork: T
                        )
                      ]
                      negated: F
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:PLAIN_TYPES)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_DollarName '$PLAIN_TYPES') <' rsa-sha2-256 rsa-sha2-512'>)}
                  spids: [465]
                )
              ]
            )
          ]
          spids: [438 462]
        )
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_empty'>})
        (C {<fatal>} {(DQ <'KRL init failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>})
        (C {<fatal>} {(DQ <'KRL init failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>})
        (C {<fatal>} {(DQ <'KRL init failed'>)})
      ]
    )
    (command.AndOr
      ops: [Id.Op_DPipe]
      children: [
        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-kf>} {($ Id.VSub_DollarName '$OBJ') <'/host_krl_ca'>} 
          {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key.pub'>} {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2.pub'>}
        )
        (C {<fatal>} {(DQ <'KRL init failed'>)})
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:serial)
          op: assign_op.Equal
          rhs: {<1>}
          spids: [557]
        )
      ]
    )
    (command.ForEach
      iter_name: ktype
      iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (C {<verbose>} 
              {(DQ ($ Id.VSub_DollarName '$tid') <': sign host '> (${ Id.VSub_Name ktype) <' cert'>)}
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name ktype)} 
                  {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                )
                (C {<fatal>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name ktype) <' failed'>)})
              ]
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-ukf>} 
                  {($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>}
                )
                (C {<fatal>} {(DQ <'KRL update failed'>)})
              ]
            )
            (command.Simple
              words: [
                {<cat>}
                {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>}
              ]
              redirects: [
                (redir
                  op: <Id.Redir_DGreat '>>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_plain'>}
                )
              ]
              do_fork: T
            )
            (command.Case
              to_match: {($ Id.VSub_DollarName '$ktype')}
              arms: [
                (case_arm
                  pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}]
                  action: [
                    (command.Sentence
                      child: 
                        (command.ShAssignment
                          pairs: [
                            (assign_pair
                              lhs: (sh_lhs_expr.Name name:tflag)
                              op: assign_op.Equal
                              rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))}
                              spids: [684]
                            )
                          ]
                        )
                      terminator: <Id.Op_Semi _>
                    )
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:ca)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)}
                          spids: [691]
                        )
                      ]
                    )
                  ]
                  spids: [680 682 697 -1]
                )
                (case_arm
                  pat_list: [{<Id.Lit_Star '*'>}]
                  action: [
                    (command.Sentence
                      child: 
                        (command.ShAssignment
                          pairs: [
                            (assign_pair
                              lhs: (sh_lhs_expr.Name name:tflag)
                              op: assign_op.Equal
                              rhs: {(DQ )}
                              spids: [703]
                            )
                          ]
                        )
                      terminator: <Id.Op_Semi _>
                    )
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:ca)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)}
                          spids: [708]
                        )
                      ]
                    )
                  ]
                  spids: [700 701 714 -1]
                )
              ]
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-h>} {<-q>} {<-s>} {($ Id.VSub_DollarName '$ca')} {<-z>} 
                  {($ Id.VSub_DollarName '$serial')} {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} 
                  {<-n>} {($ Id.VSub_DollarName '$HOSTS')} 
                  {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                )
                (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name ktype))})
              ]
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-ukf>} 
                  {($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub>}
                )
                (C {<fatal>} {(DQ <'KRL update failed'>)})
              ]
            )
            (command.Simple
              words: [
                {<cat>}
                {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <-cert.pub>}
              ]
              redirects: [
                (redir
                  op: <Id.Redir_DGreat '>>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/host_revoked_cert'>}
                )
              ]
              do_fork: T
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:serial)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (command_sub
                        left_token: <Id.Left_Backtick '`'>
                        child: 
                          (C {<expr>} {($ Id.VSub_DollarName '$serial')} {<Id.Lit_Other '+'>} {<1>})
                      )
                    }
                  spids: [816]
                )
              ]
            )
          ]
        )
    )
    (command.ShFunction
      name: attempt_connect
      body: 
        (BraceGroup
          children: [
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:_ident)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$1'))}
                  spids: [839]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:_expect_success)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$2'))}
                  spids: [845]
                )
              ]
            )
            (command.Sentence child:(C {<shift>}) terminator:<Id.Op_Semi _>)
            (C {<shift>})
            (C {<verbose>} 
              {
                (DQ ($ Id.VSub_DollarName '$tid') <': '> ($ Id.VSub_DollarName '$_ident') 
                  <' expect success '> ($ Id.VSub_DollarName '$_expect_success')
                )
              }
            )
            (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
              {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
            )
            (C {(${ Id.VSub_Name SSH)} {<-2>} 
              {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                <'/known_hosts-cert'>
              } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} 
              {(DQ ($ Id.VSub_At '$@'))} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:_r)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [911]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} 
                              {(DQ <x> ($ Id.VSub_DollarName '$_expect_success'))} {<Id.Lit_Equals '='>} {(DQ <xyes>)} {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$_r')} {<-ne>} 
                                      {<0>} {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [
                            (C {<fail>} 
                              {
                                (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$_ident') <' failed'>)
                              }
                            )
                          ]
                          spids: [937 950]
                        )
                      ]
                    )
                  ]
                  spids: [915 934]
                )
              ]
              else_action: [
                (command.If
                  arms: [
                    (if_arm
                      cond: 
                        (condition.Shell
                          commands: [
                            (command.Sentence
                              child: 
                                (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$_r')} {<-eq>} {<0>} 
                                  {<Id.Lit_RBracket ']'>}
                                )
                              terminator: <Id.Op_Semi _>
                            )
                          ]
                        )
                      action: [
                        (C {<fail>} 
                          {
                            (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$_ident') 
                              <' succeeded unexpectedly'>
                            )
                          }
                        )
                      ]
                      spids: [968 981]
                    )
                  ]
                )
              ]
            )
          ]
        )
    )
    (command.ForEach
      iter_name: privsep
      iter_words: [{<yes>} {<no>}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (command.ForEach
              iter_name: ktype
              iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) 
                          <' cert connect privsep '> ($ Id.VSub_DollarName '$privsep')
                        )
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                            (C {<echo>} {<HostKey>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> 
                                (${ Id.VSub_Name ktype)
                              }
                            )
                            (C {<echo>} {<HostCertificate>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> 
                                (${ Id.VSub_Name ktype) <-cert.pub>
                              }
                            )
                            (C {<echo>} {<UsePrivilegeSeparation>} {($ Id.VSub_DollarName '$privsep')})
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                        )
                      ]
                    )
                    (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' basic connect'>)} 
                      {(DQ <yes>)}
                    )
                    (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' empty KRL'>)} 
                      {(DQ <yes>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_empty'>}
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ plain key revoked'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_plain'>}
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ cert revoked'>)} {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_cert'>}
                    )
                    (C {<attempt_connect>} {(DQ ($ Id.VSub_DollarName '$ktype') <' KRL w/ CA revoked'>)} 
                      {(DQ <no>)} {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/host_krl_ca'>}
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' empty plaintext revocation'>)} {(DQ <yes>)} 
                      {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                        <'/host_revoked_empty'>
                      }
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' plain key plaintext revocation'>)} {(DQ <no>)} 
                      {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                        <'/host_revoked_plain'>
                      }
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' cert plaintext revocation'>)} {(DQ <no>)} 
                      {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                        <'/host_revoked_cert'>
                      }
                    )
                    (C {<attempt_connect>} 
                      {(DQ ($ Id.VSub_DollarName '$ktype') <' CA plaintext revocation'>)} {(DQ <no>)} 
                      {<-oRevokedHostKeys> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                        <'/host_revoked_ca'>
                      }
                    )
                  ]
                )
            )
          ]
        )
    )
    (command.Simple
      words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (command.ForEach
      iter_name: ktype
      iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {<test>} {<-f>} 
                  {
                    (DQ ($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>)
                  }
                )
                (C {<fatal>} {(DQ <'no pubkey'>)})
              ]
            )
            (command.Simple
              words: [{<kh_revoke>} {<cert_host_key_> (${ Id.VSub_Name ktype) <.pub>}]
              redirects: [
                (redir
                  op: <Id.Redir_DGreat '>>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
                )
              ]
              do_fork: T
            )
          ]
        )
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
    )
    (command.ForEach
      iter_name: privsep
      iter_words: [{<yes>} {<no>}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (command.ForEach
              iter_name: ktype
              iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (C {<verbose>} 
                      {
                        (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) 
                          <' revoked cert privsep '> ($ Id.VSub_DollarName '$privsep')
                        )
                      }
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                            (C {<echo>} {<HostKey>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> 
                                (${ Id.VSub_Name ktype)
                              }
                            )
                            (C {<echo>} {<HostCertificate>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> 
                                (${ Id.VSub_Name ktype) <-cert.pub>
                              }
                            )
                            (C {<echo>} {<UsePrivilegeSeparation>} {($ Id.VSub_DollarName '$privsep')})
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                        )
                      ]
                    )
                    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2>}
                        {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                          <'/known_hosts-cert'>
                        }
                        {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                          <'/known_hosts-cert'>
                        }
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                                      {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                          spids: [1472 1485]
                        )
                      ]
                    )
                  ]
                )
            )
          ]
        )
    )
    (command.Simple
      words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (command.Simple
      words: [{<kh_revoke>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_DGreat '>>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
    )
    (command.ForEach
      iter_name: ktype
      iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (C {<verbose>} 
              {
                (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' revoked cert'>)
              }
            )
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                    (C {<echo>} {<HostKey>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                    )
                    (C {<echo>} {<HostCertificate>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) 
                        <-cert.pub>
                      }
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
              {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
            )
            (command.Simple
              words: [
                {(${ Id.VSub_Name SSH)}
                {<-2>}
                {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                  <'/known_hosts-cert'>
                }
                {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                  <'/known_hosts-cert'>
                }
                {<-F>}
                {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                {<somehost>}
                {<true>}
              ]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {<'/dev/null'>}
                )
                (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
              ]
              do_fork: T
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [(C {<fail>} {(DQ <'ssh cert connect succeeded unexpectedly'>)})]
                  spids: [1646 1659]
                )
              ]
            )
          ]
        )
    )
    (command.Simple
      words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
    )
    (command.ShFunction
      name: test_one
      body: 
        (BraceGroup
          children: [
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:ident)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_Number '$1')}
                  spids: [1704]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:result)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_Number '$2')}
                  spids: [1708]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:sign_opts)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_Number '$3')}
                  spids: [1712]
                )
              ]
            )
            (command.ForEach
              iter_name: kt
              iter_words: [{<rsa>} {<ed25519>}]
              do_arg_iter: F
              body: 
                (command.DoGroup
                  children: [
                    (command.Case
                      to_match: {($ Id.VSub_DollarName '$ktype')}
                      arms: [
                        (case_arm
                          pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}]
                          action: [
                            (command.Sentence
                              child: 
                                (command.ShAssignment
                                  pairs: [
                                    (assign_pair
                                      lhs: (sh_lhs_expr.Name name:tflag)
                                      op: assign_op.Equal
                                      rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))}
                                      spids: [1743]
                                    )
                                  ]
                                )
                              terminator: <Id.Op_Semi _>
                            )
                            (command.ShAssignment
                              pairs: [
                                (assign_pair
                                  lhs: (sh_lhs_expr.Name name:ca)
                                  op: assign_op.Equal
                                  rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)}
                                  spids: [1750]
                                )
                              ]
                            )
                          ]
                          spids: [1739 1741 1756 -1]
                        )
                        (case_arm
                          pat_list: [{<Id.Lit_Star '*'>}]
                          action: [
                            (command.Sentence
                              child: 
                                (command.ShAssignment
                                  pairs: [
                                    (assign_pair
                                      lhs: (sh_lhs_expr.Name name:tflag)
                                      op: assign_op.Equal
                                      rhs: {(DQ )}
                                      spids: [1762]
                                    )
                                  ]
                                )
                              terminator: <Id.Op_Semi _>
                            )
                            (command.ShAssignment
                              pairs: [
                                (assign_pair
                                  lhs: (sh_lhs_expr.Name name:ca)
                                  op: assign_op.Equal
                                  rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)}
                                  spids: [1767]
                                )
                              ]
                            )
                          ]
                          spids: [1759 1760 1773 -1]
                        )
                      ]
                    )
                    (command.AndOr
                      ops: [Id.Op_DPipe]
                      children: [
                        (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-s>} {($ Id.VSub_DollarName '$ca')} 
                          {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} 
                          {($ Id.VSub_DollarName '$sign_opts')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)}
                        )
                        (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name kt))})
                      ]
                    )
                    (command.Subshell
                      child: 
                        (command.CommandList
                          children: [
                            (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                            (C {<echo>} {<HostKey>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)}
                            )
                            (C {<echo>} {<HostCertificate>} 
                              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt) 
                                <-cert.pub>
                              }
                            )
                          ]
                        )
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                        )
                      ]
                    )
                    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
                    )
                    (command.Simple
                      words: [
                        {(${ Id.VSub_Name SSH)}
                        {<-2>}
                        {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                          <'/known_hosts-cert'>
                        }
                        {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                          <'/known_hosts-cert'>
                        }
                        {<-F>}
                        {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                        {<somehost>}
                        {<true>}
                      ]
                      redirects: [
                        (redir
                          op: <Id.Redir_Great '>'>
                          loc: (redir_loc.Fd fd:1)
                          arg: {<'/dev/null'>}
                        )
                        (redir
                          op: <Id.Redir_GreatAnd '2>&'>
                          loc: (redir_loc.Fd fd:2)
                          arg: {<1>}
                        )
                      ]
                      do_fork: T
                    )
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:rc)
                          op: assign_op.Equal
                          rhs: {($ Id.VSub_QMark '$?')}
                          spids: [1907]
                        )
                      ]
                    )
                    (command.If
                      arms: [
                        (if_arm
                          cond: 
                            (condition.Shell
                              commands: [
                                (command.Sentence
                                  child: 
                                    (C {<Id.Lit_LBracket '['>} 
                                      {(DQ <x> ($ Id.VSub_DollarName '$result'))} {<Id.Lit_Equals '='>} {(DQ <xsuccess>)} {<Id.Lit_RBracket ']'>}
                                    )
                                  terminator: <Id.Op_Semi _>
                                )
                              ]
                            )
                          action: [
                            (command.If
                              arms: [
                                (if_arm
                                  cond: 
                                    (condition.Shell
                                      commands: [
                                        (command.Sentence
                                          child: 
                                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} 
                                              {<-ne>} {<0>} {<Id.Lit_RBracket ']'>}
                                            )
                                          terminator: <Id.Op_Semi _>
                                        )
                                      ]
                                    )
                                  action: [
                                    (C {<fail>} 
                                      {
                                        (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') 
                                          <' failed unexpectedly'>
                                        )
                                      }
                                    )
                                  ]
                                  spids: [1933 1946]
                                )
                              ]
                            )
                          ]
                          spids: [1911 1930]
                        )
                      ]
                      else_action: [
                        (command.If
                          arms: [
                            (if_arm
                              cond: 
                                (condition.Shell
                                  commands: [
                                    (command.Sentence
                                      child: 
                                        (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$rc')} 
                                          {<-eq>} {<0>} {<Id.Lit_RBracket ']'>}
                                        )
                                      terminator: <Id.Op_Semi _>
                                    )
                                  ]
                                )
                              action: [
                                (C {<fail>} 
                                  {
                                    (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') 
                                      <' succeeded unexpectedly'>
                                    )
                                  }
                                )
                              ]
                              spids: [1964 1977]
                            )
                          ]
                        )
                      ]
                    )
                  ]
                )
            )
          ]
        )
    )
    (C {<test_one>} {(DQ <user-certificate>)} {<failure>} {(DQ <'-n '> ($ Id.VSub_DollarName '$HOSTS'))})
    (C {<test_one>} {(DQ <'empty principals'>)} {<success>} {(DQ <-h>)})
    (C {<test_one>} {(DQ <'wrong principals'>)} {<failure>} {(DQ <'-h -n foo'>)})
    (C {<test_one>} {(DQ <'cert not yet valid'>)} {<failure>} {(DQ <'-h -V20200101:20300101'>)})
    (C {<test_one>} {(DQ <'cert expired'>)} {<failure>} {(DQ <'-h -V19800101:19900101'>)})
    (C {<test_one>} {(DQ <'cert valid interval'>)} {<success>} {(DQ <'-h -V-1w:+2w'>)})
    (C {<test_one>} {(DQ <'cert has constraints'>)} {<failure>} {(DQ <'-h -Oforce-command=false'>)})
    (command.ForEach
      iter_name: ktype
      iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} 
              {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>}
            )
            (C {<verbose>} 
              {
                (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name ktype) <' '> 
                  (${ Id.VSub_Name v) <' cert downgrade to raw key'>
                )
              }
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name ktype)} 
                  {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                )
                (C {<fail>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name ktype) <' failed'>)})
              ]
            )
            (command.Case
              to_match: {($ Id.VSub_DollarName '$ktype')}
              arms: [
                (case_arm
                  pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}]
                  action: [
                    (command.Sentence
                      child: 
                        (command.ShAssignment
                          pairs: [
                            (assign_pair
                              lhs: (sh_lhs_expr.Name name:tflag)
                              op: assign_op.Equal
                              rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$ktype'))}
                              spids: [2185]
                            )
                          ]
                        )
                      terminator: <Id.Op_Semi _>
                    )
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:ca)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key2'>)}
                          spids: [2192]
                        )
                      ]
                    )
                  ]
                  spids: [2181 2183 2198 -1]
                )
                (case_arm
                  pat_list: [{<Id.Lit_Star '*'>}]
                  action: [
                    (command.Sentence
                      child: 
                        (command.ShAssignment
                          pairs: [
                            (assign_pair
                              lhs: (sh_lhs_expr.Name name:tflag)
                              op: assign_op.Equal
                              rhs: {(DQ )}
                              spids: [2204]
                            )
                          ]
                        )
                      terminator: <Id.Op_Semi _>
                    )
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:ca)
                          op: assign_op.Equal
                          rhs: {(DQ ($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'>)}
                          spids: [2209]
                        )
                      ]
                    )
                  ]
                  spids: [2201 2202 2215 -1]
                )
              ]
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-h>} {<-q>} {($ Id.VSub_DollarName '$tflag')} {<-s>} 
                  {($ Id.VSub_DollarName '$ca')} {($ Id.VSub_DollarName '$tflag')} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} 
                  {<-n>} {($ Id.VSub_DollarName '$HOSTS')} 
                  {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                )
                (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name ktype))})
              ]
            )
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<printf>} {(DQ ($ Id.VSub_DollarName '$HOSTS') <' '>)})
                    (C {<cat>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) <.pub>}
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
                )
              ]
            )
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                    (C {<echo>} {<HostKey>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype)}
                    )
                    (C {<echo>} {<HostCertificate>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name ktype) 
                        <-cert.pub>
                      }
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {(${ Id.VSub_Name SSH)} {<-2>} 
              {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                <'/known_hosts-cert'>
              } {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>} 
              {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>} {<somehost>} {<true>}
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-ne>} {<0>} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [(C {<fail>} {(DQ <'ssh cert connect failed'>)})]
                  spids: [2371 2384]
                )
              ]
            )
          ]
        )
    )
    (command.Simple
      words: [{<kh_ca>} {<host_ca_key.pub>} {<host_ca_key2.pub>}]
      redirects: [
        (redir
          op: <Id.Redir_Great '>'>
          loc: (redir_loc.Fd fd:1)
          arg: {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>}
        )
      ]
      do_fork: T
    )
    (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
    )
    (command.ForEach
      iter_name: kt
      iter_words: [{($ Id.VSub_DollarName '$PLAIN_TYPES')}]
      do_arg_iter: F
      body: 
        (command.DoGroup
          children: [
            (C {<verbose>} 
              {
                (DQ ($ Id.VSub_DollarName '$tid') <': host '> (${ Id.VSub_Name kt) 
                  <' connect wrong cert'>
                )
              }
            )
            (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>})
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {<-q>} {<-N>} {(SQ )} {<-t>} {(${ Id.VSub_Name kt)} {<-f>} 
                  {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)}
                )
                (C {<fail>} {(DQ <'ssh-keygen of cert_host_key_'> (${ Id.VSub_Name kt) <' failed'>)})
              ]
            )
            (command.Case
              to_match: {($ Id.VSub_DollarName '$kt')}
              arms: [
                (case_arm
                  pat_list: [{<rsa-sha2-> <Id.Lit_Star '*'>}]
                  action: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:tflag)
                          op: assign_op.Equal
                          rhs: {(DQ <'-t '> ($ Id.VSub_DollarName '$kt'))}
                          spids: [2510]
                        )
                      ]
                    )
                  ]
                  spids: [2506 2508 2516 -1]
                )
                (case_arm
                  pat_list: [{<Id.Lit_Star '*'>}]
                  action: [
                    (command.ShAssignment
                      pairs: [
                        (assign_pair
                          lhs: (sh_lhs_expr.Name name:tflag)
                          op: assign_op.Equal
                          rhs: {(DQ )}
                          spids: [2522]
                        )
                      ]
                    )
                  ]
                  spids: [2519 2520 2526 -1]
                )
              ]
            )
            (command.AndOr
              ops: [Id.Op_DPipe]
              children: [
                (C {(${ Id.VSub_Name SSHKEYGEN)} {($ Id.VSub_DollarName '$tflag')} {<-h>} {<-q>} {<-s>} 
                  {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)} {<-I>} {(DQ <'regress host key for '> ($ Id.VSub_DollarName '$USER'))} {<-n>} 
                  {($ Id.VSub_DollarName '$HOSTS')} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)}
                )
                (C {<fatal>} {(DQ <'couldn\'t sign cert_host_key_'> (${ Id.VSub_Name kt))})
              ]
            )
            (command.Subshell
              child: 
                (command.CommandList
                  children: [
                    (C {<cat>} {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy_bak'>})
                    (C {<echo>} {<HostKey>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt)}
                    )
                    (C {<echo>} {<HostCertificate>} 
                      {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key_'> (${ Id.VSub_Name kt) 
                        <-cert.pub>
                      }
                    )
                  ]
                )
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {($ Id.VSub_DollarName '$OBJ') <'/sshd_proxy'>}
                )
              ]
            )
            (C {<cp>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert.orig'>} 
              {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'>}
            )
            (command.Simple
              words: [
                {(${ Id.VSub_Name SSH)}
                {<-2>}
                {<-oUserKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                  <'/known_hosts-cert'>
                }
                {<-oGlobalKnownHostsFile> <Id.Lit_Equals '='> ($ Id.VSub_DollarName '$OBJ') 
                  <'/known_hosts-cert'>
                }
                {<-F>}
                {($ Id.VSub_DollarName '$OBJ') <'/ssh_proxy'>}
                {<-q>}
                {<somehost>}
                {<true>}
              ]
              redirects: [
                (redir
                  op: <Id.Redir_Great '>'>
                  loc: (redir_loc.Fd fd:1)
                  arg: {<'/dev/null'>}
                )
                (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
              ]
              do_fork: T
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (C {<Id.Lit_LBracket '['>} {($ Id.VSub_QMark '$?')} {<-eq>} {<0>} 
                              {<Id.Lit_RBracket ']'>}
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [
                    (C {<fail>} 
                      {
                        (DQ <'ssh cert connect '> ($ Id.VSub_DollarName '$ident') 
                          <' succeeded unexpectedly'>
                        )
                      }
                    )
                  ]
                  spids: [2672 2685]
                )
              ]
            )
          ]
        )
    )
    (C {<rm>} {<-f>} {($ Id.VSub_DollarName '$OBJ') <'/known_hosts-cert'> <Id.Lit_Star '*'>} 
      {($ Id.VSub_DollarName '$OBJ') <'/host_ca_key'> <Id.Lit_Star '*'>} {($ Id.VSub_DollarName '$OBJ') <'/cert_host_key'> <Id.Lit_Star '*'>}
    )
  ]
)