1 files changed, 61 insertions, 1 deletions
diff --git a/authfile.c b/authfile.c
index 4d0823209..deac28f6a 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.82 2010/08/04 05:49:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -694,6 +694,66 @@ key_load_public(const char *filename, char **commentp)
        return NULL;
 }
+/* Load the certificate associated with the named private key */
+Key *
+key_load_cert(const char *filename)
+{
+        Key *pub;
+        char *file;
+        pub = key_new(KEY_UNSPEC);
+        xasprintf(&file, "%s-cert.pub", filename);
+        if (key_try_load_public(pub, file, NULL) == 1) {
+                xfree(file);
+                return pub;
+        }
+        xfree(file);
+        key_free(pub);
+        return NULL;
+}
+/* Load private key and certificate */
+Key *
+key_load_private_cert(int type, const char *filename, const char *passphrase,
+    int *perm_ok)
+{
+        Key *key, *pub;
+        switch (type) {
+        case KEY_RSA:
+        case KEY_DSA:
+                break;
+        default:
+                error("%s: unsupported key type", __func__);
+                return NULL;
+        }
+        if ((key = key_load_private_type(type, filename, 
+            passphrase, NULL, perm_ok)) == NULL)
+                return NULL;
+        if ((pub = key_load_cert(filename)) == NULL) {
+                key_free(key);
+                return NULL;
+        }
+        /* Make sure the private key matches the certificate */
+        if (key_equal_public(key, pub) == 0) {
+                error("%s: certificate does not match private key %s",
+                    __func__, filename);
+        } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
+                error("%s: key_to_certified failed", __func__);
+        } else {
+                key_cert_copy(pub, key);
+                key_free(pub);
+                return key;
+        }
+        key_free(key);
+        key_free(pub);
+        return NULL;
+}
 /*
 * Returns 1 if the specified "key" is listed in the file "filename",
 * 0 if the key is not listed or -1 on error.

diff --git a/authfile.c b/authfile.c index 4d0823209..deac28f6a 100644 --- a/authfile.c +++ b/authfile.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: authfile.c,v 1.80 2010/03/04 10:36:03 djm Exp $ */	1	/* $OpenBSD: authfile.c,v 1.82 2010/08/04 05:49:22 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -694,6 +694,66 @@ key_load_public(const char filename, char *commentp)
694	return NULL;	694	return NULL;
695	}	695	}
696		696
		697	/* Load the certificate associated with the named private key */
		698	Key *
		699	key_load_cert(const char *filename)
		700	{
		701	Key *pub;
		702	char *file;
		703
		704	pub = key_new(KEY_UNSPEC);
		705	xasprintf(&file, "%s-cert.pub", filename);
		706	if (key_try_load_public(pub, file, NULL) == 1) {
		707	xfree(file);
		708	return pub;
		709	}
		710	xfree(file);
		711	key_free(pub);
		712	return NULL;
		713	}
		714
		715	/* Load private key and certificate */
		716	Key *
		717	key_load_private_cert(int type, const char filename, const char passphrase,
		718	int *perm_ok)
		719	{
		720	Key key, pub;
		721
		722	switch (type) {
		723	case KEY_RSA:
		724	case KEY_DSA:
		725	break;
		726	default:
		727	error("%s: unsupported key type", __func__);
		728	return NULL;
		729	}
		730
		731	if ((key = key_load_private_type(type, filename,
		732	passphrase, NULL, perm_ok)) == NULL)
		733	return NULL;
		734
		735	if ((pub = key_load_cert(filename)) == NULL) {
		736	key_free(key);
		737	return NULL;
		738	}
		739
		740	/* Make sure the private key matches the certificate */
		741	if (key_equal_public(key, pub) == 0) {
		742	error("%s: certificate does not match private key %s",
		743	__func__, filename);
		744	} else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
		745	error("%s: key_to_certified failed", __func__);
		746	} else {
		747	key_cert_copy(pub, key);
		748	key_free(pub);
		749	return key;
		750	}
		751
		752	key_free(key);
		753	key_free(pub);
		754	return NULL;
		755	}
		756
697	/*	757	/*
698	* Returns 1 if the specified "key" is listed in the file "filename",	758	* Returns 1 if the specified "key" is listed in the file "filename",
699	* 0 if the key is not listed or -1 on error.	759	* 0 if the key is not listed or -1 on error.