x509v3-sign-rsa authentication type...
Markus Friedl
markus at openbsd.org
Sat May 10 02:48:29 EST 2003
oops, here's the patch
On Fri, May 09, 2003 at 06:29:23PM +0200, Markus Friedl wrote:
> On Fri, May 09, 2003 at 10:56:55AM -0400, Kevin Stefanik wrote:
> > Sorry to pester, but I'd really like to get interoperability with Windows
> > clients using certificates in the mainline openssh. Since the heavy lifting
> > has already been done (and well!), I hope it's possible.
>
> i've been using this patch for hostkeys+x509 support.
> interop with ssh.com's windows client w/o problem.
>
> but Roumen sees problems with this approach.
Index: Makefile.inc
===================================================================
RCS file: /cvs/src/usr.bin/ssh/Makefile.inc,v
retrieving revision 1.23
diff -U10 -r1.23 Makefile.inc
--- Makefile.inc 6 Mar 2002 00:23:27 -0000 1.23
+++ Makefile.inc 9 Jan 2003 09:48:05 -0000
@@ -3,21 +3,23 @@
CFLAGS+= -I${.CURDIR}/..
CDIAGFLAGS= -Wall
#CDIAGFLAGS+= -Werror
CDIAGFLAGS+= -Wpointer-arith
CDIAGFLAGS+= -Wno-uninitialized
#CDIAGFLAGS+= -Wstrict-prototypes
CDIAGFLAGS+= -Wmissing-prototypes
CDIAGFLAGS+= -Wunused
-#DEBUG=-g
+DEBUG=-g
+
+CFLAGS+= -DDEBUG_X509
#CFLAGS+= -DSMARTCARD
#LDADD+= -lsectok
.include <bsd.obj.mk>
.if exists(${.CURDIR}/../lib/${__objdir})
LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh
DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a
.else
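Review bot: `DEBUG=-g` and `CFLAGS+= -DDEBUG_X509` are switched on unconditionally in the shared Makefile.inc, so every build of every ssh program gets the debug dump path (the authfile.c hunk in this patch writes the parsed certificate to stdout under that define). Unless that is intended for the merged tree, keep both the way the neighbouring SMARTCARD lines are kept, as opt-in: `#DEBUG=-g` and `#CFLAGS+= -DDEBUG_X509`. The hunk header's line counts do not match the lines shown here, so some blank lines appear to have been lost in this copy of the patch.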
Index: authfile.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
retrieving revision 1.52
diff -U10 -r1.52 authfile.c
--- authfile.c 13 Mar 2003 11:42:18 -0000 1.52
+++ authfile.c 9 May 2003 16:25:10 -0000
@@ -477,20 +477,38 @@
prv->dsa = EVP_PKEY_get1_DSA(pk);
prv->type = KEY_DSA;
name = "dsa w/o comment";
#ifdef DEBUG_PK
DSA_print_fp(stderr, prv->dsa, 8);
#endif
} else {
error("PEM_read_PrivateKey: mismatch or "
"unknown EVP_PKEY save_type %d", pk->save_type);
}
+ if (prv != NULL) {
+ /* try to get a certificate if we have the private key */
+ prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase);
+ if (prv->x509 != NULL) {
+ debug("PEM_read_X509");
+#ifdef DEBUG_X509
+ X509_print_fp(stdout, prv->x509);
+ {
+ EVP_PKEY *pkey = X509_get_pubkey(prv->x509);
+ if (pkey->type == EVP_PKEY_RSA) {
+ debug("PEM_read_X509 -> RSA");
+ } else if (pkey->type == EVP_PKEY_DSA) {
+ debug("PEM_read_X509 -> DSA");
+ }
+ }
+#endif
+ }
+ }
fclose(fp);
if (pk != NULL)
EVP_PKEY_free(pk);
if (prv != NULL && commentp)
*commentp = xstrdup(name);
debug("read PEM private key done: type %s",
prv ? key_type(prv) : "<unknown>");
return prv;
}
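Review bot: The certificate read by `PEM_read_X509` is attached to `prv` without checking that its public key is the key that was just loaded, so a stray or mis-pasted certificate in the key file is silently presented as if it certified this key; `pk` is still live at this point, so an `X509_check_private_key(prv->x509, pk)` check can drop a non-matching certificate before `fclose`. The `DEBUG_X509` block also dereferences the `EVP_PKEY` from `X509_get_pubkey` without a NULL check and never calls `EVP_PKEY_free` on it, and `X509_print_fp(stdout, ...)` writes into a library routine's stdout, which for the client is the session; `stderr` as used by the `DSA_print_fp` just above would be the consistent choice. A failed `PEM_read_X509` on a key file with no certificate also leaves a PEM error in the OpenSSL error queue; that may be acceptable here but is worth an `ERR_clear_error()` if later error reporting reads the queue. The function starts outside this hunk.
```c
	if (prv != NULL) {
		/* try to get a certificate if we have the private key */
		prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase);
		if (prv->x509 != NULL &&
		    X509_check_private_key(prv->x509, pk) != 1) {
			error("PEM_read_X509: certificate does not match private key");
			X509_free(prv->x509);
			prv->x509 = NULL;
		}
		/* … unchanged: DEBUG_X509 dump (free the EVP_PKEY it fetches) … */
	}
```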
Index: key.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.51
diff -U10 -r1.51 key.c
--- key.c 12 Feb 2003 09:33:04 -0000 1.51
+++ key.c 5 Mar 2003 22:31:16 -0000
@@ -44,24 +44,26 @@
#include "bufaux.h"
#include "log.h"
Key *
key_new(int type)
{
Key *k;
RSA *rsa;
DSA *dsa;
k = xmalloc(sizeof(*k));
+ memset(k, 0, sizeof(*k));
k->type = type;
k->flags = 0;
k->dsa = NULL;
k->rsa = NULL;
+ k->x509 = NULL;
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
if ((rsa = RSA_new()) == NULL)
fatal("key_new: RSA_new failed");
if ((rsa->n = BN_new()) == NULL)
fatal("key_new: BN_new failed");
if ((rsa->e = BN_new()) == NULL)
fatal("key_new: BN_new failed");
k->rsa = rsa;
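Review bot: The new `memset(k, 0, sizeof(*k))` makes the explicit `k->flags = 0`, `k->dsa = NULL`, `k->rsa = NULL` and the added `k->x509 = NULL` redundant, so the function now zeroes each field twice. Either keep the memset and drop the four assignments, or keep the assignments (which do not rely on all-bits-zero being a null pointer) and drop the memset; the latter matches how the rest of the function is written. key_new continues past the end of this hunk.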
@@ -134,20 +136,24 @@
if (k->dsa != NULL)
DSA_free(k->dsa);
k->dsa = NULL;
break;
case KEY_UNSPEC:
break;
default:
fatal("key_free: bad key type %d", k->type);
break;
}
+ if (k->x509 != NULL) {
+ X509_free(k->x509);
+ k->x509 = NULL;
+ }
xfree(k);
}
int
key_equal(Key *a, Key *b)
{
if (a == NULL || b == NULL || a->type != b->type)
return 0;
switch (a->type) {
case KEY_RSA1:
case KEY_RSA:
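Review bot: key_free now releases `k->x509`, but key_equal, whose start is visible at the end of this hunk, still compares KEY_RSA keys on the RSA parameters alone, so a key carrying a certificate and the same bare key compare equal; whether that is the intended semantics (for example for known_hosts lookups) is not stated anywhere in the patch. If it is intended, a comment on key_equal such as `/* certificates are deliberately ignored; only the key material is compared */` would record the decision; if not, the certificates need comparing too. key_equal's body lies outside this hunk, so I cannot tell whether it was changed elsewhere.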
@@ -535,20 +541,22 @@
break;
}
return "unknown";
}
char *
key_ssh_name(Key *k)
{
switch (k->type) {
case KEY_RSA:
+ if (k->x509)
+ return "x509v3-sign-rsa";
return "ssh-rsa";
break;
case KEY_DSA:
return "ssh-dss";
break;
}
return "ssh-unknown";
}
u_int
@@ -639,20 +647,24 @@
if (strcmp(name, "rsa1") == 0) {
return KEY_RSA1;
} else if (strcmp(name, "rsa") == 0) {
return KEY_RSA;
} else if (strcmp(name, "dsa") == 0) {
return KEY_DSA;
} else if (strcmp(name, "ssh-rsa") == 0) {
return KEY_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return KEY_DSA;
+ } else if (strcmp(name, "x509v3-sign-rsa") == 0) {
+ return KEY_RSA;
+ } else if (strcmp(name, "x509v3-sign-dss") == 0) {
+ return KEY_DSA;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
}
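Review bot: `x509v3-sign-dss` is mapped to KEY_DSA although nothing else in this patch produces that name: key_ssh_name only returns `x509v3-sign-rsa` for RSA keys and key_to_blob encodes a certificate only in the KEY_RSA branch, so a DSA key loaded with a certificate is silently sent as plain `ssh-dss`. Accepting the name here (and therefore in HostKeyAlgorithms via key_names_valid2) advertises support that does not exist; either drop the `x509v3-sign-dss` branch until DSA certificates are implemented, or mark it `/* XXX accepted but not implemented, see key_to_blob */`. This hedges on the DSA path not being changed in hunks I cannot see.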
int
key_names_valid2(const char *names)
{
char *s, *cp, *p;
@@ -736,23 +748,31 @@
buffer_init(&b);
switch (key->type) {
case KEY_DSA:
buffer_put_cstring(&b, key_ssh_name(key));
buffer_put_bignum2(&b, key->dsa->p);
buffer_put_bignum2(&b, key->dsa->q);
buffer_put_bignum2(&b, key->dsa->g);
buffer_put_bignum2(&b, key->dsa->pub_key);
break;
case KEY_RSA:
- buffer_put_cstring(&b, key_ssh_name(key));
- buffer_put_bignum2(&b, key->rsa->e);
- buffer_put_bignum2(&b, key->rsa->n);
+ if (key->x509) {
+ u_char *p;
+ /* XXX ssh.com does not accept a key name here */
+ len = i2d_X509(key->x509, NULL);
+ p = buffer_append_space(&b, len);
+ i2d_X509(key->x509, &p);
+ } else {
+ buffer_put_cstring(&b, key_ssh_name(key));
+ buffer_put_bignum2(&b, key->rsa->e);
+ buffer_put_bignum2(&b, key->rsa->n);
+ }
break;
default:
error("key_to_blob: unsupported key type %d", key->type);
buffer_free(&b);
return 0;
}
len = buffer_len(&b);
if (lenp != NULL)
*lenp = len;
if (blobp != NULL) {
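Review bot: `len = i2d_X509(key->x509, NULL)` is used as the size for `buffer_append_space` without checking it, but i2d_X509 returns a negative int on failure; `len` is declared outside this hunk and is presumably unsigned, so a failure turns into an enormous append rather than an error, and the second `i2d_X509(key->x509, &p)` result is also ignored. Check both calls and bail out the same way the `default:` arm does. Note also that a certificate blob carries no leading name string (per the XXX comment), so key_from_blob, which this patch does not visibly touch, cannot distinguish it from a malformed `ssh-rsa` blob.
```c
	case KEY_RSA:
		if (key->x509) {
			u_char *p;
			int dlen;
			/* XXX ssh.com does not accept a key name here */
			if ((dlen = i2d_X509(key->x509, NULL)) <= 0) {
				error("key_to_blob: i2d_X509 failed");
				buffer_free(&b);
				return 0;
			}
			p = buffer_append_space(&b, dlen);
			if (i2d_X509(key->x509, &p) != dlen) {
				error("key_to_blob: i2d_X509 failed");
				buffer_free(&b);
				return 0;
			}
		} else {
		/* … unchanged: ssh-rsa name, e and n … */
```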
Index: key.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.h,v
retrieving revision 1.20
diff -U10 -r1.20 key.h
--- key.h 12 Feb 2003 09:33:04 -0000 1.20
+++ key.h 5 Mar 2003 22:31:16 -0000
@@ -21,20 +21,21 @@
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef KEY_H
#define KEY_H
#include <openssl/rsa.h>
#include <openssl/dsa.h>
+#include <openssl/x509.h>
typedef struct Key Key;
enum types {
KEY_RSA1,
KEY_RSA,
KEY_DSA,
KEY_UNSPEC
};
enum fp_type {
SSH_FP_SHA1,
@@ -46,20 +47,21 @@
};
/* key is stored in external hardware */
#define KEY_FLAG_EXT 0x0001
struct Key {
int type;
int flags;
RSA *rsa;
DSA *dsa;
+ X509 *x509;
};
Key *key_new(int);
Key *key_new_private(int);
void key_free(Key *);
Key *key_demote(Key *);
int key_equal(Key *, Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
char *key_type(Key *);
int key_write(Key *, FILE *);
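Review bot: The new `X509 *x509` member in struct Key has no comment, while the flags above it do; a reader has to find key_free in key.c to learn that the Key owns the certificate. Since key_free does `X509_free` it, record that here: `X509 *x509; /* optional certificate for this key, NULL if none; owned and freed by key_free */`. Whether only RSA keys may carry one is not enforced by the struct, so I would not claim that in the comment.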
Index: ssh-rsa.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-rsa.c,v
retrieving revision 1.28
diff -U10 -r1.28 ssh-rsa.c
--- ssh-rsa.c 12 Feb 2003 09:33:04 -0000 1.28
+++ ssh-rsa.c 5 Mar 2003 22:31:17 -0000
@@ -81,21 +81,25 @@
debug("slen %u > len %u", slen, len);
memmove(sig + diff, sig, len);
memset(sig, 0, diff);
} else if (len > slen) {
error("ssh_rsa_sign: slen %u slen2 %u", slen, len);
xfree(sig);
return -1;
}
/* encode signature */
buffer_init(&b);
+#if 0
buffer_put_cstring(&b, "ssh-rsa");
+#else
+ buffer_put_cstring(&b, key_ssh_name(key));
+#endif
buffer_put_string(&b, sig, slen);
len = buffer_len(&b);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
}
buffer_free(&b);
memset(sig, 's', slen);
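Review bot: The `#if 0 ... #else ... #endif` around the signature-type string leaves the old `buffer_put_cstring(&b, "ssh-rsa")` as dead code; replace the five lines with the single `buffer_put_cstring(&b, key_ssh_name(key));` and let the diff show the change. The signature blob is now tagged `x509v3-sign-rsa` when a certificate is present, so the matching `ssh_rsa_verify`, which is not in this hunk, must accept that type name as well or verification of these signatures will fail; that cannot be confirmed from here. ssh_rsa_sign starts and ends outside this hunk.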