1 files changed, 578 insertions, 35 deletions
diff --git a/key.c b/key.c
index 327aa4e7f..f67a799c1 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.80 2008/10/10 05:00:12 stevesk Exp $ */
+/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
 /*
 * read_bignum():
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -52,6 +52,21 @@
 #include "uuencode.h"
 #include "buffer.h"
 #include "log.h"
+#include "ssh2.h"
+static struct KeyCert *
+cert_new(void)
+{
+        struct KeyCert *cert;
+        cert = xcalloc(1, sizeof(*cert));
+        buffer_init(&cert->certblob);
+        buffer_init(&cert->constraints);
+        cert->key_id = NULL;
+        cert->principals = NULL;
+        cert->signature_key = NULL;
+        return cert;
+}
 Key *
 key_new(int type)
@@ -63,9 +78,11 @@ key_new(int type)
        k->type = type;
        k->dsa = NULL;
        k->rsa = NULL;
+        k->cert = NULL;
        switch (k->type) {
        case KEY_RSA1:
        case KEY_RSA:
+        case KEY_RSA_CERT:
                if ((rsa = RSA_new()) == NULL)
                        fatal("key_new: RSA_new failed");
                if ((rsa->n = BN_new()) == NULL)
@@ -75,6 +92,7 @@ key_new(int type)
                k->rsa = rsa;
                break;
        case KEY_DSA:
+        case KEY_DSA_CERT:
                if ((dsa = DSA_new()) == NULL)
                        fatal("key_new: DSA_new failed");
                if ((dsa->p = BN_new()) == NULL)
@@ -93,16 +111,20 @@ key_new(int type)
                fatal("key_new: bad key type %d", k->type);
                break;
        }
+        if (key_is_cert(k))
+                k->cert = cert_new();
        return k;
 }
-Key *
+void
-key_new_private(int type)
+key_add_private(Key *k)
 {
-        Key *k = key_new(type);
        switch (k->type) {
        case KEY_RSA1:
        case KEY_RSA:
+        case KEY_RSA_CERT:
                if ((k->rsa->d = BN_new()) == NULL)
                        fatal("key_new_private: BN_new failed");
                if ((k->rsa->iqmp = BN_new()) == NULL)
@@ -117,6 +139,7 @@ key_new_private(int type)
                        fatal("key_new_private: BN_new failed");
                break;
        case KEY_DSA:
+        case KEY_DSA_CERT:
                if ((k->dsa->priv_key = BN_new()) == NULL)
                        fatal("key_new_private: BN_new failed");
                break;
@@ -125,9 +148,34 @@ key_new_private(int type)
        default:
                break;
        }
+}
+Key *
+key_new_private(int type)
+{
+        Key *k = key_new(type);
+        key_add_private(k);
        return k;
 }
+static void
+cert_free(struct KeyCert *cert)
+{
+        u_int i;
+        buffer_free(&cert->certblob);
+        buffer_free(&cert->constraints);
+        if (cert->key_id != NULL)
+                xfree(cert->key_id);
+        for (i = 0; i < cert->nprincipals; i++)
+                xfree(cert->principals[i]);
+        if (cert->principals != NULL)
+                xfree(cert->principals);
+        if (cert->signature_key != NULL)
+                key_free(cert->signature_key);
+}
 void
 key_free(Key *k)
 {
@@ -136,11 +184,13 @@ key_free(Key *k)
        switch (k->type) {
        case KEY_RSA1:
        case KEY_RSA:
+        case KEY_RSA_CERT:
                if (k->rsa != NULL)
                        RSA_free(k->rsa);
                k->rsa = NULL;
                break;
        case KEY_DSA:
+        case KEY_DSA_CERT:
                if (k->dsa != NULL)
                        DSA_free(k->dsa);
                k->dsa = NULL;
@@ -151,20 +201,49 @@ key_free(Key *k)
                fatal("key_free: bad key type %d", k->type);
                break;
        }
+        if (key_is_cert(k)) {
+                if (k->cert != NULL)
+                        cert_free(k->cert);
+                k->cert = NULL;
+        }
        xfree(k);
 }
+static int
+cert_compare(struct KeyCert *a, struct KeyCert *b)
+{
+        if (a == NULL && b == NULL)
+                return 1;
+        if (a == NULL || b == NULL)
+                return 0;
+        if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
+                return 0;
+        if (memcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
+            buffer_len(&a->certblob)) != 0)
+                return 0;
+        return 1;
+}
+/*
+ * Compare public portions of key only, allowing comparisons between
+ * certificates and plain keys too.
+ */
 int
-key_equal(const Key *a, const Key *b)
+key_equal_public(const Key *a, const Key *b)
 {
-        if (a == NULL || b == NULL || a->type != b->type)
+        if (a == NULL || b == NULL ||
+            key_type_plain(a->type) != key_type_plain(b->type))
                return 0;
        switch (a->type) {
        case KEY_RSA1:
+        case KEY_RSA_CERT:
        case KEY_RSA:
                return a->rsa != NULL && b->rsa != NULL &&
                    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
                    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+        case KEY_DSA_CERT:
        case KEY_DSA:
                return a->dsa != NULL && b->dsa != NULL &&
                    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
@@ -177,16 +256,27 @@ key_equal(const Key *a, const Key *b)
        /* NOTREACHED */
 }
+int
+key_equal(const Key *a, const Key *b)
+{
+        if (a == NULL || b == NULL || a->type != b->type)
+                return 0;
+        if (key_is_cert(a)) {
+                if (!cert_compare(a->cert, b->cert))
+                        return 0;
+        }
+        return key_equal_public(a, b);
+}
 u_char*
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
-    u_int *dgst_raw_length)
 {
        const EVP_MD *md = NULL;
        EVP_MD_CTX ctx;
        u_char *blob = NULL;
        u_char *retval = NULL;
        u_int len = 0;
-        int nlen, elen;
+        int nlen, elen, otype;
        *dgst_raw_length = 0;
@@ -214,6 +304,14 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
        case KEY_RSA:
                key_to_blob(k, &blob, &len);
                break;
+        case KEY_DSA_CERT:
+        case KEY_RSA_CERT:
+                /* We want a fingerprint of the _key_ not of the cert */
+                otype = k->type;
+                k->type = key_type_plain(k->type);
+                key_to_blob(k, &blob, &len);
+                k->type = otype;
+                break;
        case KEY_UNSPEC:
                return retval;
        default:
@@ -408,7 +506,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
 }
 char *
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
 {
        char *retval = NULL;
        u_char *dgst_raw;
@@ -522,11 +620,19 @@ key_read(Key *ret, char **cpp)
                        return -1;
                if (!read_bignum(cpp, ret->rsa->n))
                        return -1;
+                /* validate the claimed number of bits */
+                if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
+                        verbose("key_read: claimed key size %d does not match "
+                           "actual %d", bits, BN_num_bits(ret->rsa->n));
+                        return -1;
+                }
                success = 1;
                break;
        case KEY_UNSPEC:
        case KEY_RSA:
        case KEY_DSA:
+        case KEY_DSA_CERT:
+        case KEY_RSA_CERT:
                space = strchr(cp, ' ');
                if (space == NULL) {
                        debug3("key_read: missing whitespace");
@@ -571,25 +677,36 @@ key_read(Key *ret, char **cpp)
                        return -1;
                }
 /*XXXX*/
-                if (ret->type == KEY_RSA) {
+                if (key_is_cert(ret)) {
+                        if (!key_is_cert(k)) {
+                                error("key_read: loaded key is not a cert");
+                                key_free(k);
+                                return -1;
+                        }
+                        if (ret->cert != NULL)
+                                cert_free(ret->cert);
+                        ret->cert = k->cert;
+                        k->cert = NULL;
+                }
+                if (key_type_plain(ret->type) == KEY_RSA) {
                        if (ret->rsa != NULL)
                                RSA_free(ret->rsa);
                        ret->rsa = k->rsa;
                        k->rsa = NULL;
-                        success = 1;
 #ifdef DEBUG_PK
                        RSA_print_fp(stderr, ret->rsa, 8);
 #endif
-                } else {
+                }
+                if (key_type_plain(ret->type) == KEY_DSA) {
                        if (ret->dsa != NULL)
                                DSA_free(ret->dsa);
                        ret->dsa = k->dsa;
                        k->dsa = NULL;
-                        success = 1;
 #ifdef DEBUG_PK
                        DSA_print_fp(stderr, ret->dsa, 8);
 #endif
                }
+                success = 1;
 /*XXXX*/
                key_free(k);
                if (success != 1)
@@ -616,28 +733,53 @@ key_write(const Key *key, FILE *f)
        u_char *blob;
        char *uu;
-        if (key->type == KEY_RSA1 && key->rsa != NULL) {
+        if (key_is_cert(key)) {
+                if (key->cert == NULL) {
+                        error("%s: no cert data", __func__);
+                        return 0;
+                }
+                if (buffer_len(&key->cert->certblob) == 0) {
+                        error("%s: no signed certificate blob", __func__);
+                        return 0;
+                }
+        }
+        switch (key->type) {
+        case KEY_RSA1:
+                if (key->rsa == NULL)
+                        return 0;
                /* size of modulus 'n' */
                bits = BN_num_bits(key->rsa->n);
                fprintf(f, "%u", bits);
                if (write_bignum(f, key->rsa->e) &&
-                    write_bignum(f, key->rsa->n)) {
+                    write_bignum(f, key->rsa->n))
-                        success = 1;
+                        return 1;
-                } else {
+                error("key_write: failed for RSA key");
-                        error("key_write: failed for RSA key");
+                return 0;
-                }
+        case KEY_DSA:
-        } else if ((key->type == KEY_DSA && key->dsa != NULL) ||
+        case KEY_DSA_CERT:
-            (key->type == KEY_RSA && key->rsa != NULL)) {
+                if (key->dsa == NULL)
-                key_to_blob(key, &blob, &len);
+                        return 0;
-                uu = xmalloc(2*len);
+                break;
-                n = uuencode(blob, len, uu, 2*len);
+        case KEY_RSA:
-                if (n > 0) {
+        case KEY_RSA_CERT:
-                        fprintf(f, "%s %s", key_ssh_name(key), uu);
+                if (key->rsa == NULL)
-                        success = 1;
+                        return 0;
-                }
+                break;
-                xfree(blob);
+        default:
-                xfree(uu);
+                return 0;
+        }
+        key_to_blob(key, &blob, &len);
+        uu = xmalloc(2*len);
+        n = uuencode(blob, len, uu, 2*len);
+        if (n > 0) {
+                fprintf(f, "%s %s", key_ssh_name(key), uu);
+                success = 1;
        }
+        xfree(blob);
+        xfree(uu);
        return success;
 }
@@ -651,6 +793,10 @@ key_type(const Key *k)
                return "RSA";
        case KEY_DSA:
                return "DSA";
+        case KEY_RSA_CERT:
+                return "RSA-CERT";
+        case KEY_DSA_CERT:
+                return "DSA-CERT";
        }
        return "unknown";
 }
@@ -663,6 +809,10 @@ key_ssh_name(const Key *k)
                return "ssh-rsa";
        case KEY_DSA:
                return "ssh-dss";
+        case KEY_RSA_CERT:
+                return "ssh-rsa-cert-v00@openssh.com";
+        case KEY_DSA_CERT:
+                return "ssh-dss-cert-v00@openssh.com";
        }
        return "ssh-unknown";
 }
@@ -673,8 +823,10 @@ key_size(const Key *k)
        switch (k->type) {
        case KEY_RSA1:
        case KEY_RSA:
+        case KEY_RSA_CERT:
                return BN_num_bits(k->rsa->n);
        case KEY_DSA:
+        case KEY_DSA_CERT:
                return BN_num_bits(k->dsa->p);
        }
        return 0;
@@ -685,7 +837,7 @@ rsa_generate_private_key(u_int bits)
 {
        RSA *private;
-        private = RSA_generate_key(bits, 35, NULL, NULL);
+        private = RSA_generate_key(bits, RSA_F4, NULL, NULL);
        if (private == NULL)
                fatal("rsa_generate_private_key: key generation failed.");
        return private;
@@ -717,6 +869,9 @@ key_generate(int type, u_int bits)
        case KEY_RSA1:
                k->rsa = rsa_generate_private_key(bits);
                break;
+        case KEY_RSA_CERT:
+        case KEY_DSA_CERT:
+                fatal("key_generate: cert keys cannot be generated directly");
        default:
                fatal("key_generate: unknown type %d", type);
        }
@@ -724,12 +879,55 @@ key_generate(int type, u_int bits)
        return k;
 }
+void
+key_cert_copy(const Key *from_key, struct Key *to_key)
+{
+        u_int i;
+        const struct KeyCert *from;
+        struct KeyCert *to;
+        if (to_key->cert != NULL) {
+                cert_free(to_key->cert);
+                to_key->cert = NULL;
+        }
+        if ((from = from_key->cert) == NULL)
+                return;
+        to = to_key->cert = cert_new();
+        buffer_append(&to->certblob, buffer_ptr(&from->certblob),
+            buffer_len(&from->certblob));
+        buffer_append(&to->constraints, buffer_ptr(&from->constraints),
+            buffer_len(&from->constraints));
+        to->type = from->type;
+        to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
+        to->valid_after = from->valid_after;
+        to->valid_before = from->valid_before;
+        to->signature_key = from->signature_key == NULL ?
+            NULL : key_from_private(from->signature_key);
+        to->nprincipals = from->nprincipals;
+        if (to->nprincipals > CERT_MAX_PRINCIPALS)
+                fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
+                    __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
+        if (to->nprincipals > 0) {
+                to->principals = xcalloc(from->nprincipals,
+                    sizeof(*to->principals));
+                for (i = 0; i < to->nprincipals; i++)
+                        to->principals[i] = xstrdup(from->principals[i]);
+        }
+}
 Key *
 key_from_private(const Key *k)
 {
        Key *n = NULL;
        switch (k->type) {
        case KEY_DSA:
+        case KEY_DSA_CERT:
                n = key_new(k->type);
                if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
                    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
@@ -739,6 +937,7 @@ key_from_private(const Key *k)
                break;
        case KEY_RSA:
        case KEY_RSA1:
+        case KEY_RSA_CERT:
                n = key_new(k->type);
                if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
                    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
@@ -748,6 +947,8 @@ key_from_private(const Key *k)
                fatal("key_from_private: unknown type %d", k->type);
                break;
        }
+        if (key_is_cert(k))
+                key_cert_copy(k, n);
        return n;
 }
@@ -764,6 +965,10 @@ key_type_from_name(char *name)
                return KEY_RSA;
        } else if (strcmp(name, "ssh-dss") == 0) {
                return KEY_DSA;
+        } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
+                return KEY_RSA_CERT;
+        } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
+                return KEY_DSA_CERT;
        } else if (strcmp(name, "null") == 0) {
                return KEY_NULL;
        }
@@ -793,6 +998,127 @@ key_names_valid2(const char *names)
        return 1;
 }
+static int
+cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
+{
+        u_char *principals, *constraints, *sig_key, *sig;
+        u_int signed_len, plen, clen, sklen, slen, kidlen;
+        Buffer tmp;
+        char *principal;
+        int ret = -1;
+        buffer_init(&tmp);
+        /* Copy the entire key blob for verification and later serialisation */
+        buffer_append(&key->cert->certblob, blob, blen);
+        principals = constraints = sig_key = sig = NULL;
+        if (buffer_get_int_ret(&key->cert->type, b) != 0 ||
+            (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL ||
+            (principals = buffer_get_string_ret(b, &plen)) == NULL ||
+            buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
+            buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
+            (constraints = buffer_get_string_ret(b, &clen)) == NULL ||
+            /* skip nonce */ buffer_get_string_ptr_ret(b, NULL) == NULL ||
+            /* skip reserved */ buffer_get_string_ptr_ret(b, NULL) == NULL ||
+            (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
+                error("%s: parse error", __func__);
+                goto out;
+        }
+        if (kidlen != strlen(key->cert->key_id)) {
+                error("%s: key ID contains \\0 character", __func__);
+                goto out;
+        }
+        /* Signature is left in the buffer so we can calculate this length */
+        signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
+        if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
+                error("%s: parse error", __func__);
+                goto out;
+        }
+        if (key->cert->type != SSH2_CERT_TYPE_USER &&
+            key->cert->type != SSH2_CERT_TYPE_HOST) {
+                error("Unknown certificate type %u", key->cert->type);
+                goto out;
+        }
+        buffer_append(&tmp, principals, plen);
+        while (buffer_len(&tmp) > 0) {
+                if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
+                        error("%s: Too many principals", __func__);
+                        goto out;
+                }
+                if ((principal = buffer_get_string_ret(&tmp, &plen)) == NULL) {
+                        error("%s: Principals data invalid", __func__);
+                        goto out;
+                }
+                if (strlen(principal) != plen) {
+                        error("%s: Principal contains \\0 character",
+                            __func__);
+                        goto out;
+                }
+                key->cert->principals = xrealloc(key->cert->principals,
+                    key->cert->nprincipals + 1, sizeof(*key->cert->principals));
+                key->cert->principals[key->cert->nprincipals++] = principal;
+        }
+        buffer_clear(&tmp);
+        buffer_append(&key->cert->constraints, constraints, clen);
+        buffer_append(&tmp, constraints, clen);
+        /* validate structure */
+        while (buffer_len(&tmp) != 0) {
+                if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
+                    buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
+                        error("%s: Constraints data invalid", __func__);
+                        goto out;
+                }
+        }
+        buffer_clear(&tmp);
+        if ((key->cert->signature_key = key_from_blob(sig_key,
+            sklen)) == NULL) {
+                error("%s: Signature key invalid", __func__);
+                goto out;
+        }
+        if (key->cert->signature_key->type != KEY_RSA &&
+            key->cert->signature_key->type != KEY_DSA) {
+                error("%s: Invalid signature key type %s (%d)", __func__,
+                    key_type(key->cert->signature_key),
+                    key->cert->signature_key->type);
+                goto out;
+        }
+        switch (key_verify(key->cert->signature_key, sig, slen, 
+            buffer_ptr(&key->cert->certblob), signed_len)) {
+        case 1:
+                ret = 0;
+                break; /* Good signature */
+        case 0:
+                error("%s: Invalid signature on certificate", __func__);
+                goto out;
+        case -1:
+                error("%s: Certificate signature verification failed",
+                    __func__);
+                goto out;
+        }
+ out:
+        buffer_free(&tmp);
+        if (principals != NULL)
+                xfree(principals);
+        if (constraints != NULL)
+                xfree(constraints);
+        if (sig_key != NULL)
+                xfree(sig_key);
+        if (sig != NULL)
+                xfree(sig);
+        return ret;
+}
 Key *
 key_from_blob(const u_char *blob, u_int blen)
 {
@@ -815,10 +1141,12 @@ key_from_blob(const u_char *blob, u_int blen)
        switch (type) {
        case KEY_RSA:
+        case KEY_RSA_CERT:
                key = key_new(type);
                if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
                    buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
                        error("key_from_blob: can't read rsa key");
+ badkey:
                        key_free(key);
                        key = NULL;
                        goto out;
@@ -828,15 +1156,14 @@ key_from_blob(const u_char *blob, u_int blen)
 #endif
                break;
        case KEY_DSA:
+        case KEY_DSA_CERT:
                key = key_new(type);
                if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
                    buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
                    buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
                    buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
                        error("key_from_blob: can't read dsa key");
-                        key_free(key);
+                        goto badkey;
-                        key = NULL;
-                        goto out;
                }
 #ifdef DEBUG_PK
                DSA_print_fp(stderr, key->dsa, 8);
@@ -849,6 +1176,10 @@ key_from_blob(const u_char *blob, u_int blen)
                error("key_from_blob: cannot handle type %s", ktype);
                goto out;
        }
+        if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
+                error("key_from_blob: can't parse cert data");
+                goto badkey;
+        }
        rlen = buffer_len(&b);
        if (key != NULL && rlen != 0)
                error("key_from_blob: remaining bytes in key blob %d", rlen);
@@ -871,6 +1202,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
        }
        buffer_init(&b);
        switch (key->type) {
+        case KEY_DSA_CERT:
+        case KEY_RSA_CERT:
+                /* Use the existing blob */
+                buffer_append(&b, buffer_ptr(&key->cert->certblob),
+                    buffer_len(&key->cert->certblob));
+                break;
        case KEY_DSA:
                buffer_put_cstring(&b, key_ssh_name(key));
                buffer_put_bignum2(&b, key->dsa->p);
@@ -907,8 +1244,10 @@ key_sign(
    const u_char *data, u_int datalen)
 {
        switch (key->type) {
+        case KEY_DSA_CERT:
        case KEY_DSA:
                return ssh_dss_sign(key, sigp, lenp, data, datalen);
+        case KEY_RSA_CERT:
        case KEY_RSA:
                return ssh_rsa_sign(key, sigp, lenp, data, datalen);
        default:
@@ -931,8 +1270,10 @@ key_verify(
                return -1;
        switch (key->type) {
+        case KEY_DSA_CERT:
        case KEY_DSA:
                return ssh_dss_verify(key, signature, signaturelen, data, datalen);
+        case KEY_RSA_CERT:
        case KEY_RSA:
                return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
        default:
@@ -954,6 +1295,9 @@ key_demote(const Key *k)
        pk->rsa = NULL;
        switch (k->type) {
+        case KEY_RSA_CERT:
+                key_cert_copy(k, pk);
+                /* FALLTHROUGH */
        case KEY_RSA1:
        case KEY_RSA:
                if ((pk->rsa = RSA_new()) == NULL)
@@ -963,6 +1307,9 @@ key_demote(const Key *k)
                if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
                        fatal("key_demote: BN_dup failed");
                break;
+        case KEY_DSA_CERT:
+                key_cert_copy(k, pk);
+                /* FALLTHROUGH */
        case KEY_DSA:
                if ((pk->dsa = DSA_new()) == NULL)
                        fatal("key_demote: DSA_new failed");
@@ -982,3 +1329,199 @@ key_demote(const Key *k)
        return (pk);
 }
+int
+key_is_cert(const Key *k)
+{
+        return k != NULL &&
+            (k->type == KEY_RSA_CERT || k->type == KEY_DSA_CERT);
+}
+/* Return the cert-less equivalent to a certified key type */
+int
+key_type_plain(int type)
+{
+        switch (type) {
+        case KEY_RSA_CERT:
+                return KEY_RSA;
+        case KEY_DSA_CERT:
+                return KEY_DSA;
+        default:
+                return type;
+        }
+}
+/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
+int
+key_to_certified(Key *k)
+{
+        switch (k->type) {
+        case KEY_RSA:
+                k->cert = cert_new();
+                k->type = KEY_RSA_CERT;
+                return 0;
+        case KEY_DSA:
+                k->cert = cert_new();
+                k->type = KEY_DSA_CERT;
+                return 0;
+        default:
+                error("%s: key has incorrect type %s", __func__, key_type(k));
+                return -1;
+        }
+}
+/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
+int
+key_drop_cert(Key *k)
+{
+        switch (k->type) {
+        case KEY_RSA_CERT:
+                cert_free(k->cert);
+                k->type = KEY_RSA;
+                return 0;
+        case KEY_DSA_CERT:
+                cert_free(k->cert);
+                k->type = KEY_DSA;
+                return 0;
+        default:
+                error("%s: key has incorrect type %s", __func__, key_type(k));
+                return -1;
+        }
+}
+/* Sign a KEY_RSA_CERT or KEY_DSA_CERT, (re-)generating the signed certblob */
+int
+key_certify(Key *k, Key *ca)
+{
+        Buffer principals;
+        u_char *ca_blob, *sig_blob, nonce[32];
+        u_int i, ca_len, sig_len;
+        if (k->cert == NULL) {
+                error("%s: key lacks cert info", __func__);
+                return -1;
+        }
+        if (!key_is_cert(k)) {
+                error("%s: certificate has unknown type %d", __func__,
+                    k->cert->type);
+                return -1;
+        }
+        if (ca->type != KEY_RSA && ca->type != KEY_DSA) {
+                error("%s: CA key has unsupported type %s", __func__,
+                    key_type(ca));
+                return -1;
+        }
+        key_to_blob(ca, &ca_blob, &ca_len);
+        buffer_clear(&k->cert->certblob);
+        buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
+        switch (k->type) {
+        case KEY_DSA_CERT:
+                buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
+                buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
+                buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
+                buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
+                break;
+        case KEY_RSA_CERT:
+                buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
+                buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
+                break;
+        default:
+                error("%s: key has incorrect type %s", __func__, key_type(k));
+                buffer_clear(&k->cert->certblob);
+                xfree(ca_blob);
+                return -1;
+        }
+        buffer_put_int(&k->cert->certblob, k->cert->type);
+        buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
+        buffer_init(&principals);
+        for (i = 0; i < k->cert->nprincipals; i++)
+                buffer_put_cstring(&principals, k->cert->principals[i]);
+        buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
+            buffer_len(&principals));
+        buffer_free(&principals);
+        buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
+        buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
+        buffer_put_string(&k->cert->certblob,
+            buffer_ptr(&k->cert->constraints),
+            buffer_len(&k->cert->constraints));
+        arc4random_buf(&nonce, sizeof(nonce));
+        buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
+        buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
+        buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
+        xfree(ca_blob);
+        /* Sign the whole mess */
+        if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
+            buffer_len(&k->cert->certblob)) != 0) {
+                error("%s: signature operation failed", __func__);
+                buffer_clear(&k->cert->certblob);
+                return -1;
+        }
+        /* Append signature and we are done */
+        buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
+        xfree(sig_blob);
+        return 0;
+}
+int
+key_cert_check_authority(const Key *k, int want_host, int require_principal,
+    const char *name, const char **reason)
+{
+        u_int i, principal_matches;
+        time_t now = time(NULL);
+        if (want_host) {
+                if (k->cert->type != SSH2_CERT_TYPE_HOST) {
+                        *reason = "Certificate invalid: not a host certificate";
+                        return -1;
+                }
+        } else {
+                if (k->cert->type != SSH2_CERT_TYPE_USER) {
+                        *reason = "Certificate invalid: not a user certificate";
+                        return -1;
+                }
+        }
+        if (now < 0) {
+                error("%s: system clock lies before epoch", __func__);
+                *reason = "Certificate invalid: not yet valid";
+                return -1;
+        }
+        if ((u_int64_t)now < k->cert->valid_after) {
+                *reason = "Certificate invalid: not yet valid";
+                return -1;
+        }
+        if ((u_int64_t)now >= k->cert->valid_before) {
+                *reason = "Certificate invalid: expired";
+                return -1;
+        }
+        if (k->cert->nprincipals == 0) {
+                if (require_principal) {
+                        *reason = "Certificate lacks principal list";
+                        return -1;
+                }
+        } else {
+                principal_matches = 0;
+                for (i = 0; i < k->cert->nprincipals; i++) {
+                        if (strcmp(name, k->cert->principals[i]) == 0) {
+                                principal_matches = 1;
+                                break;
+                        }
+                }
+                if (!principal_matches) {
+                        *reason = "Certificate invalid: name is not a listed "
+                            "principal";
+                        return -1;
+                }
+        }
+        return 0;
+}