Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 67 |
1 files changed, 17 insertions, 50 deletions
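--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt)
 name = _PATH_SSH_CLIENT_IDENTITY;
 break;
 case KEY_DSA_CERT:
-case KEY_DSA_CERT_V00:
 case KEY_DSA:
 name = _PATH_SSH_CLIENT_ID_DSA;
 break;
@@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt)
 break;
 #endif
 case KEY_RSA_CERT:
-case KEY_RSA_CERT_V00:
 case KEY_RSA:
 name = _PATH_SSH_CLIENT_ID_RSA;
 break;
@@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 struct sshkey *ca, *public;
 char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
 FILE *f;
-int v00 = 0; /* legacy keys */
-
-if (key_type_name != NULL) {
-switch (sshkey_type_from_name(key_type_name)) {
-case KEY_RSA_CERT_V00:
-case KEY_DSA_CERT_V00:
-v00 = 1;
-break;
-case KEY_UNSPEC:
-if (strcasecmp(key_type_name, "v00") == 0) {
-v00 = 1;
-break;
-} else if (strcasecmp(key_type_name, "v01") == 0)
-break;
-/* FALLTHROUGH */
-default:
-fatal("unknown key type %s", key_type_name);
-}
-}
 
 #ifdef ENABLE_PKCS11
 pkcs11_init(1);
@@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 __func__, tmp, sshkey_type(public));
 
 /* Prepare certificate to sign */
-if ((r = sshkey_to_certified(public, v00)) != 0)
+if ((r = sshkey_to_certified(public)) != 0)
 fatal("Could not upgrade key %s to certificate: %s",
 tmp, ssh_err(r));
 public->cert->type = cert_key_type;
@@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 public->cert->principals = plist;
 public->cert->valid_after = cert_valid_from;
 public->cert->valid_before = cert_valid_to;
-if (v00) {
-prepare_options_buf(public->cert->critical,
-OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
-} else {
-prepare_options_buf(public->cert->critical,
-OPTIONS_CRITICAL);
-prepare_options_buf(public->cert->extensions,
-OPTIONS_EXTENSIONS);
-}
+prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
+prepare_options_buf(public->cert->extensions,
+OPTIONS_EXTENSIONS);
 if ((r = sshkey_from_private(ca,
 &public->cert->signature_key)) != 0)
 fatal("key_from_private (ca key): %s", ssh_err(r));
@@ -1833,7 +1806,7 @@ add_cert_option(char *opt)
 }
 
 static void
-show_options(struct sshbuf *optbuf, int v00, int in_critical)
+show_options(struct sshbuf *optbuf, int in_critical)
 {
 char *name, *arg;
 struct sshbuf *options, *option = NULL;
@@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical)
 (r = sshbuf_froms(options, &option)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
 printf(" %s", name);
-if ((v00 || !in_critical) &&
+if (!in_critical &&
 (strcmp(name, "permit-X11-forwarding") == 0 ||
 strcmp(name, "permit-agent-forwarding") == 0 ||
 strcmp(name, "permit-port-forwarding") == 0 ||
 strcmp(name, "permit-pty") == 0 ||
 strcmp(name, "permit-user-rc") == 0))
 printf("\n");
-else if ((v00 || in_critical) &&
+else if (in_critical &&
 (strcmp(name, "force-command") == 0 ||
 strcmp(name, "source-address") == 0)) {
 if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
@@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw)
 struct sshkey *key;
 struct stat st;
 char *key_fp, *ca_fp;
-u_int i, v00;
+u_int i;
 int r;
 
 if (!have_identity)
@@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw)
 identity_file, ssh_err(r));
 if (!sshkey_is_cert(key))
 fatal("%s is not a certificate", identity_file);
-v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
 key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 ca_fp = sshkey_fingerprint(key->cert->signature_key,
@@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw)
 printf(" Signing CA: %s %s\n",
 sshkey_type(key->cert->signature_key), ca_fp);
 printf(" Key ID: \"%s\"\n", key->cert->key_id);
-if (!v00) {
-printf(" Serial: %llu\n",
-(unsigned long long)key->cert->serial);
-}
+printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
 printf(" Valid: %s\n",
 fmt_validity(key->cert->valid_after, key->cert->valid_before));
 printf(" Principals: ");
@@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw)
 printf("(none)\n");
 else {
 printf("\n");
-show_options(key->cert->critical, v00, 1);
+show_options(key->cert->critical, 1);
 }
-if (!v00) {
-printf(" Extensions: ");
-if (sshbuf_len(key->cert->extensions) == 0)
-printf("(none)\n");
-else {
-printf("\n");
-show_options(key->cert->extensions, v00, 0);
-}
+printf(" Extensions: ");
+if (sshbuf_len(key->cert->extensions) == 0)
+printf("(none)\n");
+else {
+printf("\n");
+show_options(key->cert->extensions, 0);
 }
 exit(0);
 }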
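Review bot: Dropping the whole key_type_name switch from do_ca_sign (the hunk at old lines 1578-1596) also drops the only validation visible here, where anything other than a v00/v01 name reached `fatal("unknown key type %s", key_type_name)`; on the new side key_type_name is no longer consulted at all in the signing path, so a `-t v00` (or a mistyped type) given with `-s` may now be silently ignored and a certificate issued in the one remaining format instead of an error being reported. Unless main() already rejects unsupported type names before dispatching to do_ca_sign, keep a one-line guard in its place, e.g. `if (key_type_name != NULL && strcasecmp(key_type_name, "v01") != 0) fatal("unknown key type %s", key_type_name);`, so the removal of the legacy format is surfaced to the operator rather than swallowed. The same silent-acceptance concern does not apply to do_show_cert, which reads the format from the loaded key rather than from a flag. do_ca_sign begins and ends outside the hunks shown.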