authordjm@openbsd.org <djm@openbsd.org>2017-06-28 01:09:22 +0000
committerDamien Miller <djm@mindrot.org>2017-06-28 11:13:19 +1000
commita98339edbc1fc21342a390f345179a9c3031bef7 (patch)
tree574e103d0a458f96213e808118eb75d39bc3387f /sshkey.c
parentc9cdef35524bd59007e17d5bd2502dade69e2dfb (diff)
upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c25
1 files changed, 21 insertions, 4 deletions
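--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.52 2017/06/09 06:40:24 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.53 2017/06/28 01:09:22 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2253,7 +2253,8 @@ sshkey_drop_cert(struct sshkey *k)
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
+    sshkey_certify_signer *signer, void *signer_ctx)
 {
 	struct sshbuf *principals = NULL;
 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2342,8 +2343,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 		goto out;
 
 	/* Sign the whole mess */
-	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-	    sshbuf_len(cert), alg, 0)) != 0)
+	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
+	    sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
 		goto out;
 
 	/* Append signature and we are done */
@@ -2359,6 +2360,22 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 	return ret;
 }
 
+static int
+default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen,
+    const char *alg, u_int compat, void *ctx)
+{
+	if (ctx != NULL)
+		return SSH_ERR_INVALID_ARGUMENT;
+	return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
+}
+
+int
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+{
+	return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
+}
+
 int
 sshkey_cert_check_authority(const struct sshkey *k,
     int want_host, int require_principal,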
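Review bot: The new `default_key_sign` and the `sshkey_certify` wrapper in the last hunk carry no comment, and the existing "Sign a certified key" comment now sits only on `sshkey_certify_custom`, so the contract of the `signer` callback (returns 0 on success, fills `*sigp`/`*lenp` with a signature the caller later frees, receives `signer_ctx` opaquely) is documented nowhere. I would add above `default_key_sign` the comment `/* sshkey_certify_signer for a CA key held in-process: signs with sshkey_sign(); takes no ctx, so a non-NULL ctx is a caller error. */` and above `sshkey_certify` the comment `/* Sign a certified key with an in-process CA key; see sshkey_certify_custom() for the callback form used with an agent-held CA. */`. Separately, `sshkey_certify_custom` calls `signer(...)` in the third hunk without checking that it is non-NULL; a guard such as `if (signer == NULL) return SSH_ERR_INVALID_ARGUMENT;` alongside the function's other argument checks would turn a bad caller into a clean error instead of a crash. Most of `sshkey_certify_custom`'s body, including where `sig_blob` is released, lies outside the hunks shown, so the exact placement of that guard is not visible here.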