summaryrefslogtreecommitdiff
path: root/sshkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c108
1 files changed, 16 insertions, 92 deletions
diff --git a/sshkey.c b/sshkey.c
index 2c87d8099..14b6dc383 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -111,10 +111,6 @@ static const struct keytype keytypes[] = {
111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */ 112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */ 113# endif /* OPENSSL_HAS_ECC */
114 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
115 KEY_RSA_CERT_V00, 0, 1 },
116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
117 KEY_DSA_CERT_V00, 0, 1 },
118#endif /* WITH_OPENSSL */ 114#endif /* WITH_OPENSSL */
119 { "null", "null", KEY_NULL, 0, 0 }, 115 { "null", "null", KEY_NULL, 0, 0 },
120 { NULL, NULL, -1, -1, 0 } 116 { NULL, NULL, -1, -1, 0 }
@@ -273,11 +269,9 @@ sshkey_size(const struct sshkey *k)
273#ifdef WITH_OPENSSL 269#ifdef WITH_OPENSSL
274 case KEY_RSA1: 270 case KEY_RSA1:
275 case KEY_RSA: 271 case KEY_RSA:
276 case KEY_RSA_CERT_V00:
277 case KEY_RSA_CERT: 272 case KEY_RSA_CERT:
278 return BN_num_bits(k->rsa->n); 273 return BN_num_bits(k->rsa->n);
279 case KEY_DSA: 274 case KEY_DSA:
280 case KEY_DSA_CERT_V00:
281 case KEY_DSA_CERT: 275 case KEY_DSA_CERT:
282 return BN_num_bits(k->dsa->p); 276 return BN_num_bits(k->dsa->p);
283 case KEY_ECDSA: 277 case KEY_ECDSA:
@@ -291,18 +285,6 @@ sshkey_size(const struct sshkey *k)
291 return 0; 285 return 0;
292} 286}
293 287
294int
295sshkey_cert_is_legacy(const struct sshkey *k)
296{
297 switch (k->type) {
298 case KEY_DSA_CERT_V00:
299 case KEY_RSA_CERT_V00:
300 return 1;
301 default:
302 return 0;
303 }
304}
305
306static int 288static int
307sshkey_type_is_valid_ca(int type) 289sshkey_type_is_valid_ca(int type)
308{ 290{
@@ -330,10 +312,8 @@ int
330sshkey_type_plain(int type) 312sshkey_type_plain(int type)
331{ 313{
332 switch (type) { 314 switch (type) {
333 case KEY_RSA_CERT_V00:
334 case KEY_RSA_CERT: 315 case KEY_RSA_CERT:
335 return KEY_RSA; 316 return KEY_RSA;
336 case KEY_DSA_CERT_V00:
337 case KEY_DSA_CERT: 317 case KEY_DSA_CERT:
338 return KEY_DSA; 318 return KEY_DSA;
339 case KEY_ECDSA_CERT: 319 case KEY_ECDSA_CERT:
@@ -498,7 +478,6 @@ sshkey_new(int type)
498#ifdef WITH_OPENSSL 478#ifdef WITH_OPENSSL
499 case KEY_RSA1: 479 case KEY_RSA1:
500 case KEY_RSA: 480 case KEY_RSA:
501 case KEY_RSA_CERT_V00:
502 case KEY_RSA_CERT: 481 case KEY_RSA_CERT:
503 if ((rsa = RSA_new()) == NULL || 482 if ((rsa = RSA_new()) == NULL ||
504 (rsa->n = BN_new()) == NULL || 483 (rsa->n = BN_new()) == NULL ||
@@ -511,7 +490,6 @@ sshkey_new(int type)
511 k->rsa = rsa; 490 k->rsa = rsa;
512 break; 491 break;
513 case KEY_DSA: 492 case KEY_DSA:
514 case KEY_DSA_CERT_V00:
515 case KEY_DSA_CERT: 493 case KEY_DSA_CERT:
516 if ((dsa = DSA_new()) == NULL || 494 if ((dsa = DSA_new()) == NULL ||
517 (dsa->p = BN_new()) == NULL || 495 (dsa->p = BN_new()) == NULL ||
@@ -559,7 +537,6 @@ sshkey_add_private(struct sshkey *k)
559#ifdef WITH_OPENSSL 537#ifdef WITH_OPENSSL
560 case KEY_RSA1: 538 case KEY_RSA1:
561 case KEY_RSA: 539 case KEY_RSA:
562 case KEY_RSA_CERT_V00:
563 case KEY_RSA_CERT: 540 case KEY_RSA_CERT:
564#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 541#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
565 if (bn_maybe_alloc_failed(k->rsa->d) || 542 if (bn_maybe_alloc_failed(k->rsa->d) ||
@@ -571,7 +548,6 @@ sshkey_add_private(struct sshkey *k)
571 return SSH_ERR_ALLOC_FAIL; 548 return SSH_ERR_ALLOC_FAIL;
572 break; 549 break;
573 case KEY_DSA: 550 case KEY_DSA:
574 case KEY_DSA_CERT_V00:
575 case KEY_DSA_CERT: 551 case KEY_DSA_CERT:
576 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 552 if (bn_maybe_alloc_failed(k->dsa->priv_key))
577 return SSH_ERR_ALLOC_FAIL; 553 return SSH_ERR_ALLOC_FAIL;
@@ -617,14 +593,12 @@ sshkey_free(struct sshkey *k)
617#ifdef WITH_OPENSSL 593#ifdef WITH_OPENSSL
618 case KEY_RSA1: 594 case KEY_RSA1:
619 case KEY_RSA: 595 case KEY_RSA:
620 case KEY_RSA_CERT_V00:
621 case KEY_RSA_CERT: 596 case KEY_RSA_CERT:
622 if (k->rsa != NULL) 597 if (k->rsa != NULL)
623 RSA_free(k->rsa); 598 RSA_free(k->rsa);
624 k->rsa = NULL; 599 k->rsa = NULL;
625 break; 600 break;
626 case KEY_DSA: 601 case KEY_DSA:
627 case KEY_DSA_CERT_V00:
628 case KEY_DSA_CERT: 602 case KEY_DSA_CERT:
629 if (k->dsa != NULL) 603 if (k->dsa != NULL)
630 DSA_free(k->dsa); 604 DSA_free(k->dsa);
@@ -696,13 +670,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
696 switch (a->type) { 670 switch (a->type) {
697#ifdef WITH_OPENSSL 671#ifdef WITH_OPENSSL
698 case KEY_RSA1: 672 case KEY_RSA1:
699 case KEY_RSA_CERT_V00:
700 case KEY_RSA_CERT: 673 case KEY_RSA_CERT:
701 case KEY_RSA: 674 case KEY_RSA:
702 return a->rsa != NULL && b->rsa != NULL && 675 return a->rsa != NULL && b->rsa != NULL &&
703 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 676 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
704 BN_cmp(a->rsa->n, b->rsa->n) == 0; 677 BN_cmp(a->rsa->n, b->rsa->n) == 0;
705 case KEY_DSA_CERT_V00:
706 case KEY_DSA_CERT: 678 case KEY_DSA_CERT:
707 case KEY_DSA: 679 case KEY_DSA:
708 return a->dsa != NULL && b->dsa != NULL && 680 return a->dsa != NULL && b->dsa != NULL &&
@@ -773,8 +745,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
773 745
774 switch (type) { 746 switch (type) {
775#ifdef WITH_OPENSSL 747#ifdef WITH_OPENSSL
776 case KEY_DSA_CERT_V00:
777 case KEY_RSA_CERT_V00:
778 case KEY_DSA_CERT: 748 case KEY_DSA_CERT:
779 case KEY_ECDSA_CERT: 749 case KEY_ECDSA_CERT:
780 case KEY_RSA_CERT: 750 case KEY_RSA_CERT:
@@ -1298,8 +1268,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
1298 case KEY_DSA: 1268 case KEY_DSA:
1299 case KEY_ECDSA: 1269 case KEY_ECDSA:
1300 case KEY_ED25519: 1270 case KEY_ED25519:
1301 case KEY_DSA_CERT_V00:
1302 case KEY_RSA_CERT_V00:
1303 case KEY_DSA_CERT: 1271 case KEY_DSA_CERT:
1304 case KEY_ECDSA_CERT: 1272 case KEY_ECDSA_CERT:
1305 case KEY_RSA_CERT: 1273 case KEY_RSA_CERT:
@@ -1798,7 +1766,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1798 switch (k->type) { 1766 switch (k->type) {
1799#ifdef WITH_OPENSSL 1767#ifdef WITH_OPENSSL
1800 case KEY_DSA: 1768 case KEY_DSA:
1801 case KEY_DSA_CERT_V00:
1802 case KEY_DSA_CERT: 1769 case KEY_DSA_CERT:
1803 if ((n = sshkey_new(k->type)) == NULL) 1770 if ((n = sshkey_new(k->type)) == NULL)
1804 return SSH_ERR_ALLOC_FAIL; 1771 return SSH_ERR_ALLOC_FAIL;
@@ -1830,7 +1797,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1830# endif /* OPENSSL_HAS_ECC */ 1797# endif /* OPENSSL_HAS_ECC */
1831 case KEY_RSA: 1798 case KEY_RSA:
1832 case KEY_RSA1: 1799 case KEY_RSA1:
1833 case KEY_RSA_CERT_V00:
1834 case KEY_RSA_CERT: 1800 case KEY_RSA_CERT:
1835 if ((n = sshkey_new(k->type)) == NULL) 1801 if ((n = sshkey_new(k->type)) == NULL)
1836 return SSH_ERR_ALLOC_FAIL; 1802 return SSH_ERR_ALLOC_FAIL;
@@ -1874,21 +1840,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1874 u_char *sig = NULL; 1840 u_char *sig = NULL;
1875 size_t signed_len = 0, slen = 0, kidlen = 0; 1841 size_t signed_len = 0, slen = 0, kidlen = 0;
1876 int ret = SSH_ERR_INTERNAL_ERROR; 1842 int ret = SSH_ERR_INTERNAL_ERROR;
1877 int v00 = sshkey_cert_is_legacy(key);
1878 1843
1879 /* Copy the entire key blob for verification and later serialisation */ 1844 /* Copy the entire key blob for verification and later serialisation */
1880 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1845 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1881 return ret; 1846 return ret;
1882 1847
1883 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1848 /* Parse body of certificate up to signature */
1849 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1884 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1850 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1885 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1851 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1886 (ret = sshbuf_froms(b, &principals)) != 0 || 1852 (ret = sshbuf_froms(b, &principals)) != 0 ||
1887 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1853 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1888 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1854 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1889 (ret = sshbuf_froms(b, &crit)) != 0 || 1855 (ret = sshbuf_froms(b, &crit)) != 0 ||
1890 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1856 (ret = sshbuf_froms(b, &exts)) != 0 ||
1891 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
1892 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1857 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1893 (ret = sshbuf_froms(b, &ca)) != 0) { 1858 (ret = sshbuf_froms(b, &ca)) != 0) {
1894 /* XXX debug print error for ret */ 1859 /* XXX debug print error for ret */
@@ -1925,9 +1890,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1925 goto out; 1890 goto out;
1926 } 1891 }
1927 oprincipals = key->cert->principals; 1892 oprincipals = key->cert->principals;
1928 key->cert->principals = realloc(key->cert->principals, 1893 key->cert->principals = reallocarray(key->cert->principals,
1929 (key->cert->nprincipals + 1) * 1894 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1930 sizeof(*key->cert->principals));
1931 if (key->cert->principals == NULL) { 1895 if (key->cert->principals == NULL) {
1932 free(principal); 1896 free(principal);
1933 key->cert->principals = oprincipals; 1897 key->cert->principals = oprincipals;
@@ -1948,7 +1912,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1948 1912
1949 /* 1913 /*
1950 * Validate critical options and extensions sections format. 1914 * Validate critical options and extensions sections format.
1951 * NB. extensions are not present in v00 certs.
1952 */ 1915 */
1953 while (sshbuf_len(crit) != 0) { 1916 while (sshbuf_len(crit) != 0) {
1954 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1917 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
@@ -2033,7 +1996,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2033 } 1996 }
2034 /* FALLTHROUGH */ 1997 /* FALLTHROUGH */
2035 case KEY_RSA: 1998 case KEY_RSA:
2036 case KEY_RSA_CERT_V00:
2037 if ((key = sshkey_new(type)) == NULL) { 1999 if ((key = sshkey_new(type)) == NULL) {
2038 ret = SSH_ERR_ALLOC_FAIL; 2000 ret = SSH_ERR_ALLOC_FAIL;
2039 goto out; 2001 goto out;
@@ -2055,7 +2017,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2055 } 2017 }
2056 /* FALLTHROUGH */ 2018 /* FALLTHROUGH */
2057 case KEY_DSA: 2019 case KEY_DSA:
2058 case KEY_DSA_CERT_V00:
2059 if ((key = sshkey_new(type)) == NULL) { 2020 if ((key = sshkey_new(type)) == NULL) {
2060 ret = SSH_ERR_ALLOC_FAIL; 2021 ret = SSH_ERR_ALLOC_FAIL;
2061 goto out; 2022 goto out;
@@ -2225,7 +2186,6 @@ sshkey_sign(const struct sshkey *key,
2225 return SSH_ERR_INVALID_ARGUMENT; 2186 return SSH_ERR_INVALID_ARGUMENT;
2226 switch (key->type) { 2187 switch (key->type) {
2227#ifdef WITH_OPENSSL 2188#ifdef WITH_OPENSSL
2228 case KEY_DSA_CERT_V00:
2229 case KEY_DSA_CERT: 2189 case KEY_DSA_CERT:
2230 case KEY_DSA: 2190 case KEY_DSA:
2231 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2191 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
@@ -2234,7 +2194,6 @@ sshkey_sign(const struct sshkey *key,
2234 case KEY_ECDSA: 2194 case KEY_ECDSA:
2235 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2195 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2236# endif /* OPENSSL_HAS_ECC */ 2196# endif /* OPENSSL_HAS_ECC */
2237 case KEY_RSA_CERT_V00:
2238 case KEY_RSA_CERT: 2197 case KEY_RSA_CERT:
2239 case KEY_RSA: 2198 case KEY_RSA:
2240 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2199 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
@@ -2259,7 +2218,6 @@ sshkey_verify(const struct sshkey *key,
2259 return SSH_ERR_INVALID_ARGUMENT; 2218 return SSH_ERR_INVALID_ARGUMENT;
2260 switch (key->type) { 2219 switch (key->type) {
2261#ifdef WITH_OPENSSL 2220#ifdef WITH_OPENSSL
2262 case KEY_DSA_CERT_V00:
2263 case KEY_DSA_CERT: 2221 case KEY_DSA_CERT:
2264 case KEY_DSA: 2222 case KEY_DSA:
2265 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2223 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
@@ -2268,7 +2226,6 @@ sshkey_verify(const struct sshkey *key,
2268 case KEY_ECDSA: 2226 case KEY_ECDSA:
2269 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2227 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2270# endif /* OPENSSL_HAS_ECC */ 2228# endif /* OPENSSL_HAS_ECC */
2271 case KEY_RSA_CERT_V00:
2272 case KEY_RSA_CERT: 2229 case KEY_RSA_CERT:
2273 case KEY_RSA: 2230 case KEY_RSA:
2274 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2231 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
@@ -2304,7 +2261,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2304 2261
2305 switch (k->type) { 2262 switch (k->type) {
2306#ifdef WITH_OPENSSL 2263#ifdef WITH_OPENSSL
2307 case KEY_RSA_CERT_V00:
2308 case KEY_RSA_CERT: 2264 case KEY_RSA_CERT:
2309 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2265 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2310 goto fail; 2266 goto fail;
@@ -2318,7 +2274,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2318 goto fail; 2274 goto fail;
2319 } 2275 }
2320 break; 2276 break;
2321 case KEY_DSA_CERT_V00:
2322 case KEY_DSA_CERT: 2277 case KEY_DSA_CERT:
2323 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2278 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2324 goto fail; 2279 goto fail;
@@ -2377,27 +2332,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2377 2332
2378/* Convert a plain key to their _CERT equivalent */ 2333/* Convert a plain key to their _CERT equivalent */
2379int 2334int
2380sshkey_to_certified(struct sshkey *k, int legacy) 2335sshkey_to_certified(struct sshkey *k)
2381{ 2336{
2382 int newtype; 2337 int newtype;
2383 2338
2384 switch (k->type) { 2339 switch (k->type) {
2385#ifdef WITH_OPENSSL 2340#ifdef WITH_OPENSSL
2386 case KEY_RSA: 2341 case KEY_RSA:
2387 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2342 newtype = KEY_RSA_CERT;
2388 break; 2343 break;
2389 case KEY_DSA: 2344 case KEY_DSA:
2390 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2345 newtype = KEY_DSA_CERT;
2391 break; 2346 break;
2392 case KEY_ECDSA: 2347 case KEY_ECDSA:
2393 if (legacy)
2394 return SSH_ERR_INVALID_ARGUMENT;
2395 newtype = KEY_ECDSA_CERT; 2348 newtype = KEY_ECDSA_CERT;
2396 break; 2349 break;
2397#endif /* WITH_OPENSSL */ 2350#endif /* WITH_OPENSSL */
2398 case KEY_ED25519: 2351 case KEY_ED25519:
2399 if (legacy)
2400 return SSH_ERR_INVALID_ARGUMENT;
2401 newtype = KEY_ED25519_CERT; 2352 newtype = KEY_ED25519_CERT;
2402 break; 2353 break;
2403 default: 2354 default:
@@ -2449,15 +2400,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2449 2400
2450 /* -v01 certs put nonce first */ 2401 /* -v01 certs put nonce first */
2451 arc4random_buf(&nonce, sizeof(nonce)); 2402 arc4random_buf(&nonce, sizeof(nonce));
2452 if (!sshkey_cert_is_legacy(k)) { 2403 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2453 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2404 goto out;
2454 goto out;
2455 }
2456 2405
2457 /* XXX this substantially duplicates to_blob(); refactor */ 2406 /* XXX this substantially duplicates to_blob(); refactor */
2458 switch (k->type) { 2407 switch (k->type) {
2459#ifdef WITH_OPENSSL 2408#ifdef WITH_OPENSSL
2460 case KEY_DSA_CERT_V00:
2461 case KEY_DSA_CERT: 2409 case KEY_DSA_CERT:
2462 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2410 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2463 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2411 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
@@ -2475,7 +2423,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2475 goto out; 2423 goto out;
2476 break; 2424 break;
2477# endif /* OPENSSL_HAS_ECC */ 2425# endif /* OPENSSL_HAS_ECC */
2478 case KEY_RSA_CERT_V00:
2479 case KEY_RSA_CERT: 2426 case KEY_RSA_CERT:
2480 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2427 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2481 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2428 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
@@ -2492,13 +2439,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2492 goto out; 2439 goto out;
2493 } 2440 }
2494 2441
2495 /* -v01 certs have a serial number next */ 2442 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2496 if (!sshkey_cert_is_legacy(k)) { 2443 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2497 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
2498 goto out;
2499 }
2500
2501 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2502 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2444 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2503 goto out; 2445 goto out;
2504 2446
@@ -2514,22 +2456,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2514 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2456 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2515 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2457 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2516 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2458 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2517 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2459 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2518 goto out; 2460 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2519 2461 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2520 /* -v01 certs have non-critical options here */
2521 if (!sshkey_cert_is_legacy(k)) {
2522 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
2523 goto out;
2524 }
2525
2526 /* -v00 certs put the nonce at the end */
2527 if (sshkey_cert_is_legacy(k)) {
2528 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2529 goto out;
2530 }
2531
2532 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2533 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2462 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2534 goto out; 2463 goto out;
2535 2464
@@ -2629,7 +2558,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2629 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2558 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2630 goto out; 2559 goto out;
2631 break; 2560 break;
2632 case KEY_RSA_CERT_V00:
2633 case KEY_RSA_CERT: 2561 case KEY_RSA_CERT:
2634 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2562 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2635 r = SSH_ERR_INVALID_ARGUMENT; 2563 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2650,7 +2578,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2650 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2578 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2651 goto out; 2579 goto out;
2652 break; 2580 break;
2653 case KEY_DSA_CERT_V00:
2654 case KEY_DSA_CERT: 2581 case KEY_DSA_CERT:
2655 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2582 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2656 r = SSH_ERR_INVALID_ARGUMENT; 2583 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2741,7 +2668,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2741 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2668 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2742 goto out; 2669 goto out;
2743 break; 2670 break;
2744 case KEY_DSA_CERT_V00:
2745 case KEY_DSA_CERT: 2671 case KEY_DSA_CERT:
2746 if ((r = sshkey_froms(buf, &k)) != 0 || 2672 if ((r = sshkey_froms(buf, &k)) != 0 ||
2747 (r = sshkey_add_private(k)) != 0 || 2673 (r = sshkey_add_private(k)) != 0 ||
@@ -2814,7 +2740,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2814 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2740 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2815 goto out; 2741 goto out;
2816 break; 2742 break;
2817 case KEY_RSA_CERT_V00:
2818 case KEY_RSA_CERT: 2743 case KEY_RSA_CERT:
2819 if ((r = sshkey_froms(buf, &k)) != 0 || 2744 if ((r = sshkey_froms(buf, &k)) != 0 ||
2820 (r = sshkey_add_private(k)) != 0 || 2745 (r = sshkey_add_private(k)) != 0 ||
@@ -2864,7 +2789,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2864 /* enable blinding */ 2789 /* enable blinding */
2865 switch (k->type) { 2790 switch (k->type) {
2866 case KEY_RSA: 2791 case KEY_RSA:
2867 case KEY_RSA_CERT_V00:
2868 case KEY_RSA_CERT: 2792 case KEY_RSA_CERT:
2869 case KEY_RSA1: 2793 case KEY_RSA1:
2870 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2794 if (RSA_blinding_on(k->rsa, NULL) != 1) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-29 04:34:57 +0000