Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 26 |
1 files changed, 18 insertions, 8 deletions
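--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.85 2019/10/31 21:15:14 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.86 2019/10/31 21:23:19 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -57,6 +57,7 @@
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
 #include "match.h"
+#include "ssh-sk.h"
 
 #ifdef WITH_XMSS
 #include "sshkey-xmss.h"
@@ -2658,7 +2659,8 @@ sshkey_check_sigtype(const u_char *sig, size_t siglen,
 int
 sshkey_sign(struct sshkey *key,
     u_char **sigp, size_t *lenp,
-    const u_char *data, size_t datalen, const char *alg, u_int compat)
+    const u_char *data, size_t datalen,
+    const char *alg, const char *sk_provider, u_int compat)
 {
 	int was_shielded = sshkey_is_shielded(key);
 	int r2, r = SSH_ERR_INTERNAL_ERROR;
@@ -2682,6 +2684,11 @@ sshkey_sign(struct sshkey *key,
 	case KEY_ECDSA:
 		r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
 		break;
+	case KEY_ECDSA_SK_CERT:
+	case KEY_ECDSA_SK:
+		r = sshsk_ecdsa_sign(sk_provider, key, sigp, lenp,
+		    data, datalen, compat);
+		break;
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA_CERT:
 	case KEY_RSA:
@@ -2802,7 +2809,7 @@ sshkey_drop_cert(struct sshkey *k)
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
-    sshkey_certify_signer *signer, void *signer_ctx)
+    const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx)
 {
 	struct sshbuf *principals = NULL;
 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2934,7 +2941,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
 
 	/* Sign the whole mess */
 	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-	    sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
+	    sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0)
 		goto out;
 	/* Check and update signature_type against what was actually used */
 	if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
@@ -2964,17 +2971,20 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
 static int
 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
     const u_char *data, size_t datalen,
-    const char *alg, u_int compat, void *ctx)
+    const char *alg, const char *sk_provider, u_int compat, void *ctx)
 {
 	if (ctx != NULL)
 		return SSH_ERR_INVALID_ARGUMENT;
-	return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
+	return sshkey_sign(key, sigp, lenp, data, datalen, alg,
+	    sk_provider, compat);
 }
 
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
+    const char *sk_provider)
 {
-	return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
+	return sshkey_certify_custom(k, ca, alg, sk_provider,
+	    default_key_sign, NULL);
 }
 
 int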
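Review bot: The new `sk_provider` argument to sshkey_sign() is undocumented and, in the `KEY_ECDSA_SK`/`KEY_ECDSA_SK_CERT` case, is handed straight to sshsk_ecdsa_sign() with no NULL check here, so whether a caller that passes NULL for an SK key gets a clean SSH_ERR_INVALID_ARGUMENT or something worse depends entirely on that helper, which this hunk does not show. I would reject it at the call site so the contract is visible in this file: `if (sk_provider == NULL) { r = SSH_ERR_INVALID_ARGUMENT; break; }` immediately before the `r = sshsk_ecdsa_sign(...)` line. Since every non-SK key type ignores the parameter, a one-line comment on the prototype such as `/* sk_provider: security-key middleware to use for KEY_ECDSA_SK(_CERT); ignored for other key types. */` would keep callers of sshkey_certify()/sshkey_certify_custom() from guessing when NULL is acceptable. Note also that the SK cases sit inside the `# endif /* OPENSSL_HAS_ECC */` region, so builds without ECC presumably fall through to the switch's default; the body of sshkey_sign() and that default branch are outside the hunk.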