upstream commit

support SHA256 and SHA512 RSA signatures in certificates;
 ok markus@

Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a

4 files changed, 16 insertions, 10 deletions

diff --git a/key.c b/key.c
index 28d7c6207..93f4ccb24 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */
 /*
  * placed in the public domain
  */
@@ -214,7 +214,7 @@ key_certify(Key *k, Key *ca)
 {
         int r;
 
-        if ((r = sshkey_certify(k, ca)) != 0) {
+        if ((r = sshkey_certify(k, ca, NULL)) != 0) {
                 fatal_on_fatal_errors(r, __func__, 0);
                 error("%s: %s", __func__, ssh_err(r));
                 return -1;
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 079f10321..0bd5fc93a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.290 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1599,6 +1599,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                 ca = load_identity(tmp);
         free(tmp);
 
+        if (key_type_name != NULL &&
+            sshkey_type_from_name(key_type_name) != ca->type)  {
+                fatal("CA key type %s doesn't match specified %s",
+                    sshkey_ssh_name(ca), key_type_name);
+        }
+
         for (i = 0; i < argc; i++) {
                 /* Split list of principals */
                 n = 0;
@@ -1640,8 +1646,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                     &public->cert->signature_key)) != 0)
                         fatal("key_from_private (ca key): %s", ssh_err(r));
 
-                if (sshkey_certify(public, ca) != 0)
-                        fatal("Couldn't not certify key %s", tmp);
+                if ((r = sshkey_certify(public, ca, key_type_name)) != 0)
+                        fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));
 
                 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
                         *cp = '\0';
diff --git a/sshkey.c b/sshkey.c
index 2ce7ada9f..c20e5868b 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.32 2016/04/09 12:39:30 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.33 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -2370,7 +2370,7 @@ sshkey_drop_cert(struct sshkey *k)
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 {
         struct sshbuf *principals = NULL;
         u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2460,7 +2460,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
 
         /* Sign the whole mess */
         if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-            sshbuf_len(cert), NULL, 0)) != 0)
+            sshbuf_len(cert), alg, 0)) != 0)
                 goto out;
 
         /* Append signature and we are done */
diff --git a/sshkey.h b/sshkey.h
index a20a14f9e..8c3d866bf 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: sshkey.h,v 1.13 2016/05/02 09:36:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -137,7 +137,7 @@ int	 sshkey_type_is_cert(int);
 int      sshkey_type_plain(int);
 int      sshkey_to_certified(struct sshkey *);
 int      sshkey_drop_cert(struct sshkey *);
-int      sshkey_certify(struct sshkey *, struct sshkey *);
+int      sshkey_certify(struct sshkey *, struct sshkey *, const char *);
 int      sshkey_cert_copy(const struct sshkey *, struct sshkey *);
 int      sshkey_cert_check_authority(const struct sshkey *, int, int,
     const char *, const char **);