diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-05-02 11:36:42 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-05-02 12:35:05 +0200 |
| commit | 57464e3934ba53ad8590ee3ccd840f693407fc1e (patch) | |
| tree | a87cc5d5de85e4ea3b735d8bff2dbc9f4b35f2dc | |
| parent | upstream commit (diff) | |
| download | openssh-57464e3934ba53ad8590ee3ccd840f693407fc1e.tar.xz openssh-57464e3934ba53ad8590ee3ccd840f693407fc1e.zip | |
upstream commit
support SHA256 and SHA512 RSA signatures in certificates;
ok markus@
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
| -rw-r--r-- | key.c | 4 | ||||
| -rw-r--r-- | ssh-keygen.c | 12 | ||||
| -rw-r--r-- | sshkey.c | 6 | ||||
| -rw-r--r-- | sshkey.h | 4 |
4 files changed, 16 insertions, 10 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */ +/* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */ /* * placed in the public domain */ @@ -214,7 +214,7 @@ key_certify(Key *k, Key *ca) { int r; - if ((r = sshkey_certify(k, ca)) != 0) { + if ((r = sshkey_certify(k, ca, NULL)) != 0) { fatal_on_fatal_errors(r, __func__, 0); error("%s: %s", __func__, ssh_err(r)); return -1; diff --git a/ssh-keygen.c b/ssh-keygen.c index 079f10321..0bd5fc93a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.290 2016/05/02 09:36:42 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1599,6 +1599,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) ca = load_identity(tmp); free(tmp); + if (key_type_name != NULL && + sshkey_type_from_name(key_type_name) != ca->type) { + fatal("CA key type %s doesn't match specified %s", + sshkey_ssh_name(ca), key_type_name); + } + for (i = 0; i < argc; i++) { /* Split list of principals */ n = 0; @@ -1640,8 +1646,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) &public->cert->signature_key)) != 0) fatal("key_from_private (ca key): %s", ssh_err(r)); - if (sshkey_certify(public, ca) != 0) - fatal("Couldn't not certify key %s", tmp); + if ((r = sshkey_certify(public, ca, key_type_name)) != 0) + fatal("Couldn't certify key %s: %s", tmp, ssh_err(r)); if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) *cp = '\0'; @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.32 2016/04/09 12:39:30 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.33 2016/05/02 09:36:42 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -2370,7 +2370,7 @@ sshkey_drop_cert(struct sshkey *k) /* Sign a certified key, (re-)generating the signed certblob. */ int -sshkey_certify(struct sshkey *k, struct sshkey *ca) +sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) { struct sshbuf *principals = NULL; u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; @@ -2460,7 +2460,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) /* Sign the whole mess */ if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), - sshbuf_len(cert), NULL, 0)) != 0) + sshbuf_len(cert), alg, 0)) != 0) goto out; /* Append signature and we are done */ @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */ +/* $OpenBSD: sshkey.h,v 1.13 2016/05/02 09:36:42 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -137,7 +137,7 @@ int sshkey_type_is_cert(int); int sshkey_type_plain(int); int sshkey_to_certified(struct sshkey *); int sshkey_drop_cert(struct sshkey *); -int sshkey_certify(struct sshkey *, struct sshkey *); +int sshkey_certify(struct sshkey *, struct sshkey *, const char *); int sshkey_cert_copy(const struct sshkey *, struct sshkey *); int sshkey_cert_check_authority(const struct sshkey *, int, int, const char *, const char **); |