version 1.274, 2015/05/28 07:37:31 |
version 1.275, 2015/07/03 03:43:18 |
|
|
name = _PATH_SSH_CLIENT_IDENTITY; |
name = _PATH_SSH_CLIENT_IDENTITY; |
break; |
break; |
case KEY_DSA_CERT: |
case KEY_DSA_CERT: |
case KEY_DSA_CERT_V00: |
|
case KEY_DSA: |
case KEY_DSA: |
name = _PATH_SSH_CLIENT_ID_DSA; |
name = _PATH_SSH_CLIENT_ID_DSA; |
break; |
break; |
|
|
name = _PATH_SSH_CLIENT_ID_ECDSA; |
name = _PATH_SSH_CLIENT_ID_ECDSA; |
break; |
break; |
case KEY_RSA_CERT: |
case KEY_RSA_CERT: |
case KEY_RSA_CERT_V00: |
|
case KEY_RSA: |
case KEY_RSA: |
name = _PATH_SSH_CLIENT_ID_RSA; |
name = _PATH_SSH_CLIENT_ID_RSA; |
break; |
break; |
|
|
struct sshkey *ca, *public; |
struct sshkey *ca, *public; |
char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
FILE *f; |
FILE *f; |
int v00 = 0; /* legacy keys */ |
|
|
|
if (key_type_name != NULL) { |
|
switch (sshkey_type_from_name(key_type_name)) { |
|
case KEY_RSA_CERT_V00: |
|
case KEY_DSA_CERT_V00: |
|
v00 = 1; |
|
break; |
|
case KEY_UNSPEC: |
|
if (strcasecmp(key_type_name, "v00") == 0) { |
|
v00 = 1; |
|
break; |
|
} else if (strcasecmp(key_type_name, "v01") == 0) |
|
break; |
|
/* FALLTHROUGH */ |
|
default: |
|
fatal("unknown key type %s", key_type_name); |
|
} |
|
} |
|
|
|
#ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
pkcs11_init(1); |
pkcs11_init(1); |
#endif |
#endif |
|
|
__func__, tmp, sshkey_type(public)); |
__func__, tmp, sshkey_type(public)); |
|
|
/* Prepare certificate to sign */ |
/* Prepare certificate to sign */ |
if ((r = sshkey_to_certified(public, v00)) != 0) |
if ((r = sshkey_to_certified(public)) != 0) |
fatal("Could not upgrade key %s to certificate: %s", |
fatal("Could not upgrade key %s to certificate: %s", |
tmp, ssh_err(r)); |
tmp, ssh_err(r)); |
public->cert->type = cert_key_type; |
public->cert->type = cert_key_type; |
|
|
public->cert->principals = plist; |
public->cert->principals = plist; |
public->cert->valid_after = cert_valid_from; |
public->cert->valid_after = cert_valid_from; |
public->cert->valid_before = cert_valid_to; |
public->cert->valid_before = cert_valid_to; |
if (v00) { |
prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); |
prepare_options_buf(public->cert->critical, |
prepare_options_buf(public->cert->extensions, |
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
OPTIONS_EXTENSIONS); |
} else { |
|
prepare_options_buf(public->cert->critical, |
|
OPTIONS_CRITICAL); |
|
prepare_options_buf(public->cert->extensions, |
|
OPTIONS_EXTENSIONS); |
|
} |
|
if ((r = sshkey_from_private(ca, |
if ((r = sshkey_from_private(ca, |
&public->cert->signature_key)) != 0) |
&public->cert->signature_key)) != 0) |
fatal("key_from_private (ca key): %s", ssh_err(r)); |
fatal("key_from_private (ca key): %s", ssh_err(r)); |
|
|
} |
} |
|
|
static void |
static void |
show_options(struct sshbuf *optbuf, int v00, int in_critical) |
show_options(struct sshbuf *optbuf, int in_critical) |
{ |
{ |
char *name, *arg; |
char *name, *arg; |
struct sshbuf *options, *option = NULL; |
struct sshbuf *options, *option = NULL; |
|
|
(r = sshbuf_froms(options, &option)) != 0) |
(r = sshbuf_froms(options, &option)) != 0) |
fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
printf(" %s", name); |
printf(" %s", name); |
if ((v00 || !in_critical) && |
if (!in_critical && |
(strcmp(name, "permit-X11-forwarding") == 0 || |
(strcmp(name, "permit-X11-forwarding") == 0 || |
strcmp(name, "permit-agent-forwarding") == 0 || |
strcmp(name, "permit-agent-forwarding") == 0 || |
strcmp(name, "permit-port-forwarding") == 0 || |
strcmp(name, "permit-port-forwarding") == 0 || |
strcmp(name, "permit-pty") == 0 || |
strcmp(name, "permit-pty") == 0 || |
strcmp(name, "permit-user-rc") == 0)) |
strcmp(name, "permit-user-rc") == 0)) |
printf("\n"); |
printf("\n"); |
else if ((v00 || in_critical) && |
else if (in_critical && |
(strcmp(name, "force-command") == 0 || |
(strcmp(name, "force-command") == 0 || |
strcmp(name, "source-address") == 0)) { |
strcmp(name, "source-address") == 0)) { |
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) |
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) |
|
|
struct sshkey *key; |
struct sshkey *key; |
struct stat st; |
struct stat st; |
char *key_fp, *ca_fp; |
char *key_fp, *ca_fp; |
u_int i, v00; |
u_int i; |
int r; |
int r; |
|
|
if (!have_identity) |
if (!have_identity) |
|
|
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
if (!sshkey_is_cert(key)) |
if (!sshkey_is_cert(key)) |
fatal("%s is not a certificate", identity_file); |
fatal("%s is not a certificate", identity_file); |
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; |
|
|
|
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
ca_fp = sshkey_fingerprint(key->cert->signature_key, |
ca_fp = sshkey_fingerprint(key->cert->signature_key, |
|
|
printf(" Signing CA: %s %s\n", |
printf(" Signing CA: %s %s\n", |
sshkey_type(key->cert->signature_key), ca_fp); |
sshkey_type(key->cert->signature_key), ca_fp); |
printf(" Key ID: \"%s\"\n", key->cert->key_id); |
printf(" Key ID: \"%s\"\n", key->cert->key_id); |
if (!v00) { |
printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); |
printf(" Serial: %llu\n", |
|
(unsigned long long)key->cert->serial); |
|
} |
|
printf(" Valid: %s\n", |
printf(" Valid: %s\n", |
fmt_validity(key->cert->valid_after, key->cert->valid_before)); |
fmt_validity(key->cert->valid_after, key->cert->valid_before)); |
printf(" Principals: "); |
printf(" Principals: "); |
|
|
printf("(none)\n"); |
printf("(none)\n"); |
else { |
else { |
printf("\n"); |
printf("\n"); |
show_options(key->cert->critical, v00, 1); |
show_options(key->cert->critical, 1); |
} |
} |
if (!v00) { |
printf(" Extensions: "); |
printf(" Extensions: "); |
if (sshbuf_len(key->cert->extensions) == 0) |
if (sshbuf_len(key->cert->extensions) == 0) |
printf("(none)\n"); |
printf("(none)\n"); |
else { |
else { |
printf("\n"); |
printf("\n"); |
show_options(key->cert->extensions, 0); |
show_options(key->cert->extensions, v00, 0); |
|
} |
|
} |
} |
exit(0); |
exit(0); |
} |
} |
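Review bot: Dropping the whole `key_type_name` switch (the old-side rows from `if (key_type_name != NULL) {` through `fatal("unknown key type %s", key_type_name);`) removes the only validation of that name visible in this section, so a caller who still supplies a type name of `v00` or an unrecognised value when signing would presumably proceed silently rather than hit the former `unknown key type` fatal. Unless the name is checked later in the same function, I would keep an explicit rejection in that spot, e.g. `if (key_type_name != NULL && strcasecmp(key_type_name, "v00") == 0) fatal("v00 certificates are no longer supported");`, so that a script written for the legacy format fails loudly instead of producing a differently formatted certificate. The signing function whose locals begin at `struct sshkey *ca, *public;` starts and ends outside the hunk, so whether `key_type_name` is consulted elsewhere is not visible here. On the `show_options` hunk, the remaining `in_critical` parameter now alone decides which option names are printed with a string argument; a short comment above the signature such as `/* Print the options in optbuf; in_critical selects which names carry a string argument. */` would make that contract clear now that the v00 flag no longer widens both branches.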