version 1.244, 2014/04/20 09:24:26 |
version 1.247, 2014/06/24 01:13:21 |
|
|
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
exit(1); |
exit(1); |
} |
} |
|
#ifdef WITH_OPENSSL |
if (type == KEY_DSA && *bitsp != 1024) |
if (type == KEY_DSA && *bitsp != 1024) |
fatal("DSA keys must be 1024 bits"); |
fatal("DSA keys must be 1024 bits"); |
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
|
|
else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) |
else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) |
fatal("Invalid ECDSA key length - valid lengths are " |
fatal("Invalid ECDSA key length - valid lengths are " |
"256, 384 or 521 bits"); |
"256, 384 or 521 bits"); |
|
#endif |
} |
} |
|
|
static void |
static void |
|
|
#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" |
#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" |
#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb |
#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb |
|
|
|
#ifdef WITH_OPENSSL |
static void |
static void |
do_convert_to_ssh2(struct passwd *pw, Key *k) |
do_convert_to_ssh2(struct passwd *pw, Key *k) |
{ |
{ |
|
|
buffer_get_bignum_bits(&b, key->rsa->iqmp); |
buffer_get_bignum_bits(&b, key->rsa->iqmp); |
buffer_get_bignum_bits(&b, key->rsa->q); |
buffer_get_bignum_bits(&b, key->rsa->q); |
buffer_get_bignum_bits(&b, key->rsa->p); |
buffer_get_bignum_bits(&b, key->rsa->p); |
rsa_generate_additional_parameters(key->rsa); |
if (rsa_generate_additional_parameters(key->rsa) != 0) |
|
fatal("%s: rsa_generate_additional_parameters " |
|
"error", __func__); |
break; |
break; |
} |
} |
rlen = buffer_len(&b); |
rlen = buffer_len(&b); |
|
|
key_free(k); |
key_free(k); |
exit(0); |
exit(0); |
} |
} |
|
#endif |
|
|
static void |
static void |
do_print_public(struct passwd *pw) |
do_print_public(struct passwd *pw) |
|
|
} |
} |
} |
} |
|
|
|
#ifdef ENABLE_PKCS11 |
pkcs11_init(1); |
pkcs11_init(1); |
|
#endif |
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
if (pkcs11provider != NULL) { |
if (pkcs11provider != NULL) { |
if ((ca = load_pkcs11_key(tmp)) == NULL) |
if ((ca = load_pkcs11_key(tmp)) == NULL) |
|
|
public->cert->valid_after = cert_valid_from; |
public->cert->valid_after = cert_valid_from; |
public->cert->valid_before = cert_valid_to; |
public->cert->valid_before = cert_valid_to; |
if (v00) { |
if (v00) { |
prepare_options_buf(&public->cert->critical, |
prepare_options_buf(public->cert->critical, |
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
} else { |
} else { |
prepare_options_buf(&public->cert->critical, |
prepare_options_buf(public->cert->critical, |
OPTIONS_CRITICAL); |
OPTIONS_CRITICAL); |
prepare_options_buf(&public->cert->extensions, |
prepare_options_buf(public->cert->extensions, |
OPTIONS_EXTENSIONS); |
OPTIONS_EXTENSIONS); |
} |
} |
public->cert->signature_key = key_from_private(ca); |
public->cert->signature_key = key_from_private(ca); |
|
|
key_free(public); |
key_free(public); |
free(out); |
free(out); |
} |
} |
|
#ifdef ENABLE_PKCS11 |
pkcs11_terminate(); |
pkcs11_terminate(); |
|
#endif |
exit(0); |
exit(0); |
} |
} |
|
|
|
|
static void |
static void |
show_options(const Buffer *optbuf, int v00, int in_critical) |
show_options(const Buffer *optbuf, int v00, int in_critical) |
{ |
{ |
char *name; |
char *name, *arg; |
u_char *data; |
const u_char *data; |
u_int dlen; |
u_int dlen; |
Buffer options, option; |
Buffer options, option; |
|
|
|
|
else if ((v00 || in_critical) && |
else if ((v00 || in_critical) && |
(strcmp(name, "force-command") == 0 || |
(strcmp(name, "force-command") == 0 || |
strcmp(name, "source-address") == 0)) { |
strcmp(name, "source-address") == 0)) { |
data = buffer_get_string(&option, NULL); |
arg = buffer_get_cstring(&option, NULL); |
printf(" %s\n", data); |
printf(" %s\n", arg); |
free(data); |
free(arg); |
} else { |
} else { |
printf(" UNKNOWN OPTION (len %u)\n", |
printf(" UNKNOWN OPTION (len %u)\n", |
buffer_len(&option)); |
buffer_len(&option)); |
|
|
printf("\n"); |
printf("\n"); |
} |
} |
printf(" Critical Options: "); |
printf(" Critical Options: "); |
if (buffer_len(&key->cert->critical) == 0) |
if (buffer_len(key->cert->critical) == 0) |
printf("(none)\n"); |
printf("(none)\n"); |
else { |
else { |
printf("\n"); |
printf("\n"); |
show_options(&key->cert->critical, v00, 1); |
show_options(key->cert->critical, v00, 1); |
} |
} |
if (!v00) { |
if (!v00) { |
printf(" Extensions: "); |
printf(" Extensions: "); |
if (buffer_len(&key->cert->extensions) == 0) |
if (buffer_len(key->cert->extensions) == 0) |
printf("(none)\n"); |
printf("(none)\n"); |
else { |
else { |
printf("\n"); |
printf("\n"); |
show_options(&key->cert->extensions, v00, 0); |
show_options(key->cert->extensions, v00, 0); |
} |
} |
} |
} |
exit(0); |
exit(0); |
} |
} |
|
|
|
#ifdef WITH_OPENSSL |
static void |
static void |
load_krl(const char *path, struct ssh_krl **krlp) |
load_krl(const char *path, struct ssh_krl **krlp) |
{ |
{ |
|
|
ssh_krl_free(krl); |
ssh_krl_free(krl); |
exit(ret); |
exit(ret); |
} |
} |
|
#endif |
|
|
static void |
static void |
usage(void) |
usage(void) |
|
|
printf("Cannot use -l with -H or -R.\n"); |
printf("Cannot use -l with -H or -R.\n"); |
usage(); |
usage(); |
} |
} |
|
#ifdef WITH_OPENSSL |
if (gen_krl) { |
if (gen_krl) { |
do_gen_krl(pw, update_krl, argc, argv); |
do_gen_krl(pw, update_krl, argc, argv); |
return (0); |
return (0); |
|
|
do_check_krl(pw, argc, argv); |
do_check_krl(pw, argc, argv); |
return (0); |
return (0); |
} |
} |
|
#endif |
if (ca_key_path != NULL) { |
if (ca_key_path != NULL) { |
if (cert_key_id == NULL) |
if (cert_key_id == NULL) |
fatal("Must specify key id (-I) when certifying"); |
fatal("Must specify key id (-I) when certifying"); |
|
|
do_change_passphrase(pw); |
do_change_passphrase(pw); |
if (change_comment) |
if (change_comment) |
do_change_comment(pw); |
do_change_comment(pw); |
|
#ifdef WITH_OPENSSL |
if (convert_to) |
if (convert_to) |
do_convert_to(pw); |
do_convert_to(pw); |
if (convert_from) |
if (convert_from) |
do_convert_from(pw); |
do_convert_from(pw); |
|
#endif |
if (print_public) |
if (print_public) |
do_print_public(pw); |
do_print_public(pw); |
if (rr_hostname != NULL) { |
if (rr_hostname != NULL) { |