diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-07-03 03:43:18 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-07-15 15:35:09 +1000 |
| commit | c28fc62d789d860c75e23a9fa9fb250eb2beca57 (patch) | |
| tree | 9b540db8aed167256bb61cd9df90dbedb31cc79d /ssh-keygen.c | |
| parent | 564d63e1b4a9637a209d42a9d49646781fc9caef (diff) | |
upstream commit
delete support for legacy v00 certificates; "sure"
markus@ dtucker@
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 67 |
1 files changed, 17 insertions, 50 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 8259d87e7..b546366f1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt) | |||
| 239 | name = _PATH_SSH_CLIENT_IDENTITY; | 239 | name = _PATH_SSH_CLIENT_IDENTITY; |
| 240 | break; | 240 | break; |
| 241 | case KEY_DSA_CERT: | 241 | case KEY_DSA_CERT: |
| 242 | case KEY_DSA_CERT_V00: | ||
| 243 | case KEY_DSA: | 242 | case KEY_DSA: |
| 244 | name = _PATH_SSH_CLIENT_ID_DSA; | 243 | name = _PATH_SSH_CLIENT_ID_DSA; |
| 245 | break; | 244 | break; |
| @@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt) | |||
| 250 | break; | 249 | break; |
| 251 | #endif | 250 | #endif |
| 252 | case KEY_RSA_CERT: | 251 | case KEY_RSA_CERT: |
| 253 | case KEY_RSA_CERT_V00: | ||
| 254 | case KEY_RSA: | 252 | case KEY_RSA: |
| 255 | name = _PATH_SSH_CLIENT_ID_RSA; | 253 | name = _PATH_SSH_CLIENT_ID_RSA; |
| 256 | break; | 254 | break; |
| @@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
| 1575 | struct sshkey *ca, *public; | 1573 | struct sshkey *ca, *public; |
| 1576 | char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; | 1574 | char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
| 1577 | FILE *f; | 1575 | FILE *f; |
| 1578 | int v00 = 0; /* legacy keys */ | ||
| 1579 | |||
| 1580 | if (key_type_name != NULL) { | ||
| 1581 | switch (sshkey_type_from_name(key_type_name)) { | ||
| 1582 | case KEY_RSA_CERT_V00: | ||
| 1583 | case KEY_DSA_CERT_V00: | ||
| 1584 | v00 = 1; | ||
| 1585 | break; | ||
| 1586 | case KEY_UNSPEC: | ||
| 1587 | if (strcasecmp(key_type_name, "v00") == 0) { | ||
| 1588 | v00 = 1; | ||
| 1589 | break; | ||
| 1590 | } else if (strcasecmp(key_type_name, "v01") == 0) | ||
| 1591 | break; | ||
| 1592 | /* FALLTHROUGH */ | ||
| 1593 | default: | ||
| 1594 | fatal("unknown key type %s", key_type_name); | ||
| 1595 | } | ||
| 1596 | } | ||
| 1597 | 1576 | ||
| 1598 | #ifdef ENABLE_PKCS11 | 1577 | #ifdef ENABLE_PKCS11 |
| 1599 | pkcs11_init(1); | 1578 | pkcs11_init(1); |
| @@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
| 1630 | __func__, tmp, sshkey_type(public)); | 1609 | __func__, tmp, sshkey_type(public)); |
| 1631 | 1610 | ||
| 1632 | /* Prepare certificate to sign */ | 1611 | /* Prepare certificate to sign */ |
| 1633 | if ((r = sshkey_to_certified(public, v00)) != 0) | 1612 | if ((r = sshkey_to_certified(public)) != 0) |
| 1634 | fatal("Could not upgrade key %s to certificate: %s", | 1613 | fatal("Could not upgrade key %s to certificate: %s", |
| 1635 | tmp, ssh_err(r)); | 1614 | tmp, ssh_err(r)); |
| 1636 | public->cert->type = cert_key_type; | 1615 | public->cert->type = cert_key_type; |
| @@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
| 1640 | public->cert->principals = plist; | 1619 | public->cert->principals = plist; |
| 1641 | public->cert->valid_after = cert_valid_from; | 1620 | public->cert->valid_after = cert_valid_from; |
| 1642 | public->cert->valid_before = cert_valid_to; | 1621 | public->cert->valid_before = cert_valid_to; |
| 1643 | if (v00) { | 1622 | prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); |
| 1644 | prepare_options_buf(public->cert->critical, | 1623 | prepare_options_buf(public->cert->extensions, |
| 1645 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); | 1624 | OPTIONS_EXTENSIONS); |
| 1646 | } else { | ||
| 1647 | prepare_options_buf(public->cert->critical, | ||
| 1648 | OPTIONS_CRITICAL); | ||
| 1649 | prepare_options_buf(public->cert->extensions, | ||
| 1650 | OPTIONS_EXTENSIONS); | ||
| 1651 | } | ||
| 1652 | if ((r = sshkey_from_private(ca, | 1625 | if ((r = sshkey_from_private(ca, |
| 1653 | &public->cert->signature_key)) != 0) | 1626 | &public->cert->signature_key)) != 0) |
| 1654 | fatal("key_from_private (ca key): %s", ssh_err(r)); | 1627 | fatal("key_from_private (ca key): %s", ssh_err(r)); |
| @@ -1833,7 +1806,7 @@ add_cert_option(char *opt) | |||
| 1833 | } | 1806 | } |
| 1834 | 1807 | ||
| 1835 | static void | 1808 | static void |
| 1836 | show_options(struct sshbuf *optbuf, int v00, int in_critical) | 1809 | show_options(struct sshbuf *optbuf, int in_critical) |
| 1837 | { | 1810 | { |
| 1838 | char *name, *arg; | 1811 | char *name, *arg; |
| 1839 | struct sshbuf *options, *option = NULL; | 1812 | struct sshbuf *options, *option = NULL; |
| @@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical) | |||
| 1848 | (r = sshbuf_froms(options, &option)) != 0) | 1821 | (r = sshbuf_froms(options, &option)) != 0) |
| 1849 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1822 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 1850 | printf(" %s", name); | 1823 | printf(" %s", name); |
| 1851 | if ((v00 || !in_critical) && | 1824 | if (!in_critical && |
| 1852 | (strcmp(name, "permit-X11-forwarding") == 0 || | 1825 | (strcmp(name, "permit-X11-forwarding") == 0 || |
| 1853 | strcmp(name, "permit-agent-forwarding") == 0 || | 1826 | strcmp(name, "permit-agent-forwarding") == 0 || |
| 1854 | strcmp(name, "permit-port-forwarding") == 0 || | 1827 | strcmp(name, "permit-port-forwarding") == 0 || |
| 1855 | strcmp(name, "permit-pty") == 0 || | 1828 | strcmp(name, "permit-pty") == 0 || |
| 1856 | strcmp(name, "permit-user-rc") == 0)) | 1829 | strcmp(name, "permit-user-rc") == 0)) |
| 1857 | printf("\n"); | 1830 | printf("\n"); |
| 1858 | else if ((v00 || in_critical) && | 1831 | else if (in_critical && |
| 1859 | (strcmp(name, "force-command") == 0 || | 1832 | (strcmp(name, "force-command") == 0 || |
| 1860 | strcmp(name, "source-address") == 0)) { | 1833 | strcmp(name, "source-address") == 0)) { |
| 1861 | if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) | 1834 | if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) |
| @@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw) | |||
| 1882 | struct sshkey *key; | 1855 | struct sshkey *key; |
| 1883 | struct stat st; | 1856 | struct stat st; |
| 1884 | char *key_fp, *ca_fp; | 1857 | char *key_fp, *ca_fp; |
| 1885 | u_int i, v00; | 1858 | u_int i; |
| 1886 | int r; | 1859 | int r; |
| 1887 | 1860 | ||
| 1888 | if (!have_identity) | 1861 | if (!have_identity) |
| @@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw) | |||
| 1894 | identity_file, ssh_err(r)); | 1867 | identity_file, ssh_err(r)); |
| 1895 | if (!sshkey_is_cert(key)) | 1868 | if (!sshkey_is_cert(key)) |
| 1896 | fatal("%s is not a certificate", identity_file); | 1869 | fatal("%s is not a certificate", identity_file); |
| 1897 | v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; | ||
| 1898 | 1870 | ||
| 1899 | key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); | 1871 | key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
| 1900 | ca_fp = sshkey_fingerprint(key->cert->signature_key, | 1872 | ca_fp = sshkey_fingerprint(key->cert->signature_key, |
| @@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw) | |||
| 1909 | printf(" Signing CA: %s %s\n", | 1881 | printf(" Signing CA: %s %s\n", |
| 1910 | sshkey_type(key->cert->signature_key), ca_fp); | 1882 | sshkey_type(key->cert->signature_key), ca_fp); |
| 1911 | printf(" Key ID: \"%s\"\n", key->cert->key_id); | 1883 | printf(" Key ID: \"%s\"\n", key->cert->key_id); |
| 1912 | if (!v00) { | 1884 | printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); |
| 1913 | printf(" Serial: %llu\n", | ||
| 1914 | (unsigned long long)key->cert->serial); | ||
| 1915 | } | ||
| 1916 | printf(" Valid: %s\n", | 1885 | printf(" Valid: %s\n", |
| 1917 | fmt_validity(key->cert->valid_after, key->cert->valid_before)); | 1886 | fmt_validity(key->cert->valid_after, key->cert->valid_before)); |
| 1918 | printf(" Principals: "); | 1887 | printf(" Principals: "); |
| @@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw) | |||
| 1929 | printf("(none)\n"); | 1898 | printf("(none)\n"); |
| 1930 | else { | 1899 | else { |
| 1931 | printf("\n"); | 1900 | printf("\n"); |
| 1932 | show_options(key->cert->critical, v00, 1); | 1901 | show_options(key->cert->critical, 1); |
| 1933 | } | 1902 | } |
| 1934 | if (!v00) { | 1903 | printf(" Extensions: "); |
| 1935 | printf(" Extensions: "); | 1904 | if (sshbuf_len(key->cert->extensions) == 0) |
| 1936 | if (sshbuf_len(key->cert->extensions) == 0) | 1905 | printf("(none)\n"); |
| 1937 | printf("(none)\n"); | 1906 | else { |
| 1938 | else { | 1907 | printf("\n"); |
| 1939 | printf("\n"); | 1908 | show_options(key->cert->extensions, 0); |
| 1940 | show_options(key->cert->extensions, v00, 0); | ||
| 1941 | } | ||
| 1942 | } | 1909 | } |
| 1943 | exit(0); | 1910 | exit(0); |
| 1944 | } | 1911 | } |