author | djm@openbsd.org <djm@openbsd.org> | 2016-05-02 09:36:42 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2016-05-02 20:35:05 +1000 |
commit | 57464e3934ba53ad8590ee3ccd840f693407fc1e (patch) | |
tree | a87cc5d5de85e4ea3b735d8bff2dbc9f4b35f2dc | |
parent | 1a31d02b2411c4718de58ce796dbb7b5e14db93e (diff) |
upstream commit
support SHA256 and SHA512 RSA signatures in certificates;
ok markus@
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
-rw-r--r-- | key.c | 4 | ||||
-rw-r--r-- | ssh-keygen.c | 12 | ||||
-rw-r--r-- | sshkey.c | 6 | ||||
-rw-r--r-- | sshkey.h | 4 |
4 files changed, 16 insertions, 10 deletions
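--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */
 /*
 * placed in the public domain
 */
@@ -214,7 +214,7 @@ key_certify(Key *k, Key *ca)
 {
 int r;
 
-if ((r = sshkey_certify(k, ca)) != 0) {
+if ((r = sshkey_certify(k, ca, NULL)) != 0) {
 fatal_on_fatal_errors(r, __func__, 0);
 error("%s: %s", __func__, ssh_err(r));
 return -1;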
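diff --git a/ssh-keygen.c b/ssh-keygen.c
index 079f10321..0bd5fc93a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.290 2016/05/02 09:36:42 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1599,6 +1599,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 ca = load_identity(tmp);
 free(tmp);
 
+if (key_type_name != NULL &&
+sshkey_type_from_name(key_type_name) != ca->type) {
+fatal("CA key type %s doesn't match specified %s",
+sshkey_ssh_name(ca), key_type_name);
+}
+
 for (i = 0; i < argc; i++) {
 /* Split list of principals */
 n = 0;
@@ -1640,8 +1646,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 &public->cert->signature_key)) != 0)
 fatal("key_from_private (ca key): %s", ssh_err(r));
 
-if (sshkey_certify(public, ca) != 0)
-fatal("Couldn't not certify key %s", tmp);
+if ((r = sshkey_certify(public, ca, key_type_name)) != 0)
+fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));
 
 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
 *cp = '\0';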
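Review bot: The type check added before the principal loop compares `sshkey_type_from_name(key_type_name)` with `ca->type`, but the same `key_type_name` is then handed to `sshkey_certify` as the signature algorithm name, so a `-t` value that names the right key type without being a signature algorithm identifier (a short name such as `rsa`, if `sshkey_type_from_name` accepts short names here as it does for key generation) passes the check and is rejected, if at all, only at signing time with the generic message of the later hunk. A comment on the check tying the two uses together would make this explicit, e.g. `/* In -s mode -t doubles as the CA signature algorithm; it must name the CA's key type. */`. The comparison is also against `ca->type` rather than `sshkey_type_plain(ca->type)`, so the check presumes `load_identity` never returns a certified key; worth confirming. do_ca_sign starts and ends outside these hunks.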
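--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.32 2016/04/09 12:39:30 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.33 2016/05/02 09:36:42 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2370,7 +2370,7 @@ sshkey_drop_cert(struct sshkey *k)
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 {
 struct sshbuf *principals = NULL;
 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2460,7 +2460,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
 
 /* Sign the whole mess */
 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-sshbuf_len(cert), alg, 0)) != 0)
+sshbuf_len(cert), alg, 0)) != 0)
 goto out;
 
 /* Append signature and we are done */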
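Review bot: The new `alg` parameter is undocumented: the comment above `sshkey_certify` still describes only the signing step, and the prototype in the sshkey.h hunk names it by type alone. From the two hunks, `alg` is passed straight through to `sshkey_sign` and nothing in `sshkey_certify` checks that it is a valid algorithm for `ca->type`, so that validation, and the meaning of `NULL` (what the previous code passed and what key.c's `key_certify` still passes), is delegated to `sshkey_sign`. I would extend the comment to `/* Sign a certified key, (re-)generating the signed certblob. alg names the signature algorithm for ca; NULL keeps the previous default. It is validated by sshkey_sign, not here. */` and attach the same one-line note to the declaration in sshkey.h. The body of sshkey_certify continues between and after these hunks.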
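--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: sshkey.h,v 1.13 2016/05/02 09:36:42 djm Exp $ */
 
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -137,7 +137,7 @@ int sshkey_type_is_cert(int);
 int sshkey_type_plain(int);
 int sshkey_to_certified(struct sshkey *);
 int sshkey_drop_cert(struct sshkey *);
-int sshkey_certify(struct sshkey *, struct sshkey *);
+int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
 int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
 int sshkey_cert_check_authority(const struct sshkey *, int, int,
 const char *, const char **);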