diff options
Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 26 |
1 files changed, 16 insertions, 10 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.108 2020/04/11 10:16:11 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.111 2020/08/27 01:06:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
@@ -132,6 +132,8 @@ static const struct keytype keytypes[] = { | |||
132 | # endif /* OPENSSL_HAS_NISTP521 */ | 132 | # endif /* OPENSSL_HAS_NISTP521 */ |
133 | { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, | 133 | { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, |
134 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, | 134 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, |
135 | { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, | ||
136 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 1 }, | ||
135 | # endif /* OPENSSL_HAS_ECC */ | 137 | # endif /* OPENSSL_HAS_ECC */ |
136 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, | 138 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, |
137 | KEY_RSA_CERT, 0, 1, 0 }, | 139 | KEY_RSA_CERT, 0, 1, 0 }, |
@@ -2725,7 +2727,7 @@ int | |||
2725 | sshkey_sign(struct sshkey *key, | 2727 | sshkey_sign(struct sshkey *key, |
2726 | u_char **sigp, size_t *lenp, | 2728 | u_char **sigp, size_t *lenp, |
2727 | const u_char *data, size_t datalen, | 2729 | const u_char *data, size_t datalen, |
2728 | const char *alg, const char *sk_provider, u_int compat) | 2730 | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
2729 | { | 2731 | { |
2730 | int was_shielded = sshkey_is_shielded(key); | 2732 | int was_shielded = sshkey_is_shielded(key); |
2731 | int r2, r = SSH_ERR_INTERNAL_ERROR; | 2733 | int r2, r = SSH_ERR_INTERNAL_ERROR; |
@@ -2764,7 +2766,7 @@ sshkey_sign(struct sshkey *key, | |||
2764 | case KEY_ECDSA_SK_CERT: | 2766 | case KEY_ECDSA_SK_CERT: |
2765 | case KEY_ECDSA_SK: | 2767 | case KEY_ECDSA_SK: |
2766 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, | 2768 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
2767 | datalen, compat, /* XXX PIN */ NULL); | 2769 | datalen, compat, sk_pin); |
2768 | break; | 2770 | break; |
2769 | #ifdef WITH_XMSS | 2771 | #ifdef WITH_XMSS |
2770 | case KEY_XMSS: | 2772 | case KEY_XMSS: |
@@ -2886,7 +2888,8 @@ sshkey_drop_cert(struct sshkey *k) | |||
2886 | /* Sign a certified key, (re-)generating the signed certblob. */ | 2888 | /* Sign a certified key, (re-)generating the signed certblob. */ |
2887 | int | 2889 | int |
2888 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | 2890 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
2889 | const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx) | 2891 | const char *sk_provider, const char *sk_pin, |
2892 | sshkey_certify_signer *signer, void *signer_ctx) | ||
2890 | { | 2893 | { |
2891 | struct sshbuf *principals = NULL; | 2894 | struct sshbuf *principals = NULL; |
2892 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; | 2895 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; |
@@ -3024,7 +3027,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
3024 | 3027 | ||
3025 | /* Sign the whole mess */ | 3028 | /* Sign the whole mess */ |
3026 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 3029 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
3027 | sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0) | 3030 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
3028 | goto out; | 3031 | goto out; |
3029 | /* Check and update signature_type against what was actually used */ | 3032 | /* Check and update signature_type against what was actually used */ |
3030 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) | 3033 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
@@ -3054,19 +3057,20 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
3054 | static int | 3057 | static int |
3055 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, | 3058 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
3056 | const u_char *data, size_t datalen, | 3059 | const u_char *data, size_t datalen, |
3057 | const char *alg, const char *sk_provider, u_int compat, void *ctx) | 3060 | const char *alg, const char *sk_provider, const char *sk_pin, |
3061 | u_int compat, void *ctx) | ||
3058 | { | 3062 | { |
3059 | if (ctx != NULL) | 3063 | if (ctx != NULL) |
3060 | return SSH_ERR_INVALID_ARGUMENT; | 3064 | return SSH_ERR_INVALID_ARGUMENT; |
3061 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, | 3065 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
3062 | sk_provider, compat); | 3066 | sk_provider, sk_pin, compat); |
3063 | } | 3067 | } |
3064 | 3068 | ||
3065 | int | 3069 | int |
3066 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, | 3070 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
3067 | const char *sk_provider) | 3071 | const char *sk_provider, const char *sk_pin) |
3068 | { | 3072 | { |
3069 | return sshkey_certify_custom(k, ca, alg, sk_provider, | 3073 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
3070 | default_key_sign, NULL); | 3074 | default_key_sign, NULL); |
3071 | } | 3075 | } |
3072 | 3076 | ||
@@ -3598,10 +3602,12 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | |||
3598 | case KEY_XMSS: | 3602 | case KEY_XMSS: |
3599 | case KEY_XMSS_CERT: | 3603 | case KEY_XMSS_CERT: |
3600 | if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || | 3604 | if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || |
3601 | (r = sshkey_xmss_init(k, xmss_name)) != 0 || | ||
3602 | (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || | 3605 | (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || |
3603 | (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) | 3606 | (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) |
3604 | goto out; | 3607 | goto out; |
3608 | if (type == KEY_XMSS && | ||
3609 | (r = sshkey_xmss_init(k, xmss_name)) != 0) | ||
3610 | goto out; | ||
3605 | if (pklen != sshkey_xmss_pklen(k) || | 3611 | if (pklen != sshkey_xmss_pklen(k) || |
3606 | sklen != sshkey_xmss_sklen(k)) { | 3612 | sklen != sshkey_xmss_sklen(k)) { |
3607 | r = SSH_ERR_INVALID_FORMAT; | 3613 | r = SSH_ERR_INVALID_FORMAT; |