diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-06-28 01:09:22 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-06-28 11:13:19 +1000 |
| commit | a98339edbc1fc21342a390f345179a9c3031bef7 (patch) | |
| tree | 574e103d0a458f96213e808118eb75d39bc3387f /sshkey.c | |
| parent | c9cdef35524bd59007e17d5bd2502dade69e2dfb (diff) | |
upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
Diffstat (limited to 'sshkey.c')
| -rw-r--r-- | sshkey.c | 25 |
1 files changed, 21 insertions, 4 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshkey.c,v 1.52 2017/06/09 06:40:24 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.53 2017/06/28 01:09:22 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
| @@ -2253,7 +2253,8 @@ sshkey_drop_cert(struct sshkey *k) | |||
| 2253 | 2253 | ||
| 2254 | /* Sign a certified key, (re-)generating the signed certblob. */ | 2254 | /* Sign a certified key, (re-)generating the signed certblob. */ |
| 2255 | int | 2255 | int |
| 2256 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) | 2256 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
| 2257 | sshkey_certify_signer *signer, void *signer_ctx) | ||
| 2257 | { | 2258 | { |
| 2258 | struct sshbuf *principals = NULL; | 2259 | struct sshbuf *principals = NULL; |
| 2259 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; | 2260 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; |
| @@ -2342,8 +2343,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) | |||
| 2342 | goto out; | 2343 | goto out; |
| 2343 | 2344 | ||
| 2344 | /* Sign the whole mess */ | 2345 | /* Sign the whole mess */ |
| 2345 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 2346 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
| 2346 | sshbuf_len(cert), alg, 0)) != 0) | 2347 | sshbuf_len(cert), alg, 0, signer_ctx)) != 0) |
| 2347 | goto out; | 2348 | goto out; |
| 2348 | 2349 | ||
| 2349 | /* Append signature and we are done */ | 2350 | /* Append signature and we are done */ |
| @@ -2359,6 +2360,22 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) | |||
| 2359 | return ret; | 2360 | return ret; |
| 2360 | } | 2361 | } |
| 2361 | 2362 | ||
| 2363 | static int | ||
| 2364 | default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, | ||
| 2365 | const u_char *data, size_t datalen, | ||
| 2366 | const char *alg, u_int compat, void *ctx) | ||
| 2367 | { | ||
| 2368 | if (ctx != NULL) | ||
| 2369 | return SSH_ERR_INVALID_ARGUMENT; | ||
| 2370 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); | ||
| 2371 | } | ||
| 2372 | |||
| 2373 | int | ||
| 2374 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) | ||
| 2375 | { | ||
| 2376 | return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); | ||
| 2377 | } | ||
| 2378 | |||
| 2362 | int | 2379 | int |
| 2363 | sshkey_cert_check_authority(const struct sshkey *k, | 2380 | sshkey_cert_check_authority(const struct sshkey *k, |
| 2364 | int want_host, int require_principal, | 2381 | int want_host, int require_principal, |