version 1.194, 2010/06/30 07:26:03 |
version 1.198, 2010/08/12 23:34:38 |
|
|
|
|
char *key_type_name = NULL; |
char *key_type_name = NULL; |
|
|
|
/* Load key from this PKCS#11 provider */ |
|
char *pkcs11provider = NULL; |
|
|
/* argv0 */ |
/* argv0 */ |
extern char *__progname; |
extern char *__progname; |
|
|
do_convert_from(struct passwd *pw) |
do_convert_from(struct passwd *pw) |
{ |
{ |
Key *k = NULL; |
Key *k = NULL; |
int private = 0, ok; |
int private = 0, ok = 0; |
struct stat st; |
struct stat st; |
|
|
if (!have_identity) |
if (!have_identity) |
|
|
} |
} |
|
|
static void |
static void |
do_download(struct passwd *pw, char *pkcs11provider) |
do_download(struct passwd *pw) |
{ |
{ |
#ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
Key **keys = NULL; |
Key **keys = NULL; |
|
|
prepare_options_buf(Buffer *c, int which) |
prepare_options_buf(Buffer *c, int which) |
{ |
{ |
buffer_clear(c); |
buffer_clear(c); |
|
if ((which & OPTIONS_CRITICAL) != 0 && |
|
certflags_command != NULL) |
|
add_string_option(c, "force-command", certflags_command); |
if ((which & OPTIONS_EXTENSIONS) != 0 && |
if ((which & OPTIONS_EXTENSIONS) != 0 && |
(certflags_flags & CERTOPT_X_FWD) != 0) |
|
add_flag_option(c, "permit-X11-forwarding"); |
|
if ((which & OPTIONS_EXTENSIONS) != 0 && |
|
(certflags_flags & CERTOPT_AGENT_FWD) != 0) |
(certflags_flags & CERTOPT_AGENT_FWD) != 0) |
add_flag_option(c, "permit-agent-forwarding"); |
add_flag_option(c, "permit-agent-forwarding"); |
if ((which & OPTIONS_EXTENSIONS) != 0 && |
if ((which & OPTIONS_EXTENSIONS) != 0 && |
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 && |
if ((which & OPTIONS_EXTENSIONS) != 0 && |
(certflags_flags & CERTOPT_USER_RC) != 0) |
(certflags_flags & CERTOPT_USER_RC) != 0) |
add_flag_option(c, "permit-user-rc"); |
add_flag_option(c, "permit-user-rc"); |
|
if ((which & OPTIONS_EXTENSIONS) != 0 && |
|
(certflags_flags & CERTOPT_X_FWD) != 0) |
|
add_flag_option(c, "permit-X11-forwarding"); |
if ((which & OPTIONS_CRITICAL) != 0 && |
if ((which & OPTIONS_CRITICAL) != 0 && |
certflags_command != NULL) |
|
add_string_option(c, "force-command", certflags_command); |
|
if ((which & OPTIONS_CRITICAL) != 0 && |
|
certflags_src_addr != NULL) |
certflags_src_addr != NULL) |
add_string_option(c, "source-address", certflags_src_addr); |
add_string_option(c, "source-address", certflags_src_addr); |
} |
} |
|
|
|
static Key * |
|
load_pkcs11_key(char *path) |
|
{ |
|
#ifdef ENABLE_PKCS11 |
|
Key **keys = NULL, *public, *private = NULL; |
|
int i, nkeys; |
|
|
|
if ((public = key_load_public(path, NULL)) == NULL) |
|
fatal("Couldn't load CA public key \"%s\"", path); |
|
|
|
nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase, &keys); |
|
debug3("%s: %d keys", __func__, nkeys); |
|
if (nkeys <= 0) |
|
fatal("cannot read public key from pkcs11"); |
|
for (i = 0; i < nkeys; i++) { |
|
if (key_equal_public(public, keys[i])) { |
|
private = keys[i]; |
|
continue; |
|
} |
|
key_free(keys[i]); |
|
} |
|
xfree(keys); |
|
key_free(public); |
|
return private; |
|
#else |
|
fatal("no pkcs11 support"); |
|
#endif /* ENABLE_PKCS11 */ |
|
} |
|
|
static void |
static void |
do_ca_sign(struct passwd *pw, int argc, char **argv) |
do_ca_sign(struct passwd *pw, int argc, char **argv) |
{ |
{ |
|
|
FILE *f; |
FILE *f; |
int v00 = 0; /* legacy keys */ |
int v00 = 0; /* legacy keys */ |
|
|
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
|
if ((ca = load_identity(tmp)) == NULL) |
|
fatal("Couldn't load CA key \"%s\"", tmp); |
|
xfree(tmp); |
|
|
|
if (key_type_name != NULL) { |
if (key_type_name != NULL) { |
switch (key_type_from_name(key_type_name)) { |
switch (key_type_from_name(key_type_name)) { |
case KEY_RSA_CERT_V00: |
case KEY_RSA_CERT_V00: |
|
|
} |
} |
} |
} |
|
|
|
pkcs11_init(1); |
|
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
|
if (pkcs11provider != NULL) { |
|
if ((ca = load_pkcs11_key(tmp)) == NULL) |
|
fatal("No PKCS#11 key matching %s found", ca_key_path); |
|
} else if ((ca = load_identity(tmp)) == NULL) |
|
fatal("Couldn't load CA key \"%s\"", tmp); |
|
xfree(tmp); |
|
|
for (i = 0; i < argc; i++) { |
for (i = 0; i < argc; i++) { |
/* Split list of principals */ |
/* Split list of principals */ |
n = 0; |
n = 0; |
|
|
key_free(public); |
key_free(public); |
xfree(out); |
xfree(out); |
} |
} |
|
pkcs11_terminate(); |
exit(0); |
exit(0); |
} |
} |
|
|
|
|
main(int argc, char **argv) |
main(int argc, char **argv) |
{ |
{ |
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; |
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; |
char out_file[MAXPATHLEN], *pkcs11provider = NULL; |
char out_file[MAXPATHLEN], *rr_hostname = NULL; |
char *rr_hostname = NULL; |
|
Key *private, *public; |
Key *private, *public; |
struct passwd *pw; |
struct passwd *pw; |
struct stat st; |
struct stat st; |
|
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
sanitise_stdfd(); |
sanitise_stdfd(); |
|
|
SSLeay_add_all_algorithms(); |
OpenSSL_add_all_algorithms(); |
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
|
|
/* we need this for the home * directory. */ |
/* we need this for the home * directory. */ |
|
|
} |
} |
} |
} |
if (pkcs11provider != NULL) |
if (pkcs11provider != NULL) |
do_download(pw, pkcs11provider); |
do_download(pw); |
|
|
if (do_gen_candidates) { |
if (do_gen_candidates) { |
FILE *out = fopen(out_file, "w"); |
FILE *out = fopen(out_file, "w"); |