diff options
| author | Damien Miller <djm@mindrot.org> | 2010-04-16 15:56:21 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-04-16 15:56:21 +1000 |
| commit | 4e270b05dd9d850fb9e2e0ac43f33cb4090d3ebc (patch) | |
| tree | 4fc84942b5966e9f38f18a1257ac43ddbed336be /key.h | |
| parent | 031c9100dfe3ee65a29084ebbd61965a76b3ad26 (diff) | |
- djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
Diffstat (limited to 'key.h')
| -rw-r--r-- | key.h | 11 |
1 files changed, 8 insertions, 3 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */ | 1 | /* $OpenBSD: key.h,v 1.30 2010/04/16 01:47:26 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| @@ -37,6 +37,8 @@ enum types { | |||
| 37 | KEY_DSA, | 37 | KEY_DSA, |
| 38 | KEY_RSA_CERT, | 38 | KEY_RSA_CERT, |
| 39 | KEY_DSA_CERT, | 39 | KEY_DSA_CERT, |
| 40 | KEY_RSA_CERT_V00, | ||
| 41 | KEY_DSA_CERT_V00, | ||
| 40 | KEY_UNSPEC | 42 | KEY_UNSPEC |
| 41 | }; | 43 | }; |
| 42 | enum fp_type { | 44 | enum fp_type { |
| @@ -56,11 +58,13 @@ enum fp_rep { | |||
| 56 | struct KeyCert { | 58 | struct KeyCert { |
| 57 | Buffer certblob; /* Kept around for use on wire */ | 59 | Buffer certblob; /* Kept around for use on wire */ |
| 58 | u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ | 60 | u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ |
| 61 | u_int64_t serial; | ||
| 59 | char *key_id; | 62 | char *key_id; |
| 60 | u_int nprincipals; | 63 | u_int nprincipals; |
| 61 | char **principals; | 64 | char **principals; |
| 62 | u_int64_t valid_after, valid_before; | 65 | u_int64_t valid_after, valid_before; |
| 63 | Buffer constraints; | 66 | Buffer critical; |
| 67 | Buffer extensions; | ||
| 64 | Key *signature_key; | 68 | Key *signature_key; |
| 65 | }; | 69 | }; |
| 66 | 70 | ||
| @@ -92,12 +96,13 @@ Key *key_from_private(const Key *); | |||
| 92 | int key_type_from_name(char *); | 96 | int key_type_from_name(char *); |
| 93 | int key_is_cert(const Key *); | 97 | int key_is_cert(const Key *); |
| 94 | int key_type_plain(int); | 98 | int key_type_plain(int); |
| 95 | int key_to_certified(Key *); | 99 | int key_to_certified(Key *, int); |
| 96 | int key_drop_cert(Key *); | 100 | int key_drop_cert(Key *); |
| 97 | int key_certify(Key *, Key *); | 101 | int key_certify(Key *, Key *); |
| 98 | void key_cert_copy(const Key *, struct Key *); | 102 | void key_cert_copy(const Key *, struct Key *); |
| 99 | int key_cert_check_authority(const Key *, int, int, const char *, | 103 | int key_cert_check_authority(const Key *, int, int, const char *, |
| 100 | const char **); | 104 | const char **); |
| 105 | int key_cert_is_legacy(Key *); | ||
| 101 | 106 | ||
| 102 | Key *key_from_blob(const u_char *, u_int); | 107 | Key *key_from_blob(const u_char *, u_int); |
| 103 | int key_to_blob(const Key *, u_char **, u_int *); | 108 | int key_to_blob(const Key *, u_char **, u_int *); |