| version 1.304, 2017/05/30 14:16:41 |
version 1.311, 2018/02/10 05:43:26 |
|
|
| |
|
| #include "xmalloc.h" |
#include "xmalloc.h" |
| #include "sshkey.h" |
#include "sshkey.h" |
| #include "rsa.h" |
|
| #include "authfile.h" |
#include "authfile.h" |
| #include "uuencode.h" |
#include "uuencode.h" |
| #include "sshbuf.h" |
#include "sshbuf.h" |
|
|
| #include "krl.h" |
#include "krl.h" |
| #include "digest.h" |
#include "digest.h" |
| #include "utf8.h" |
#include "utf8.h" |
| |
#include "authfd.h" |
| |
|
| #ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
| #include "ssh-pkcs11.h" |
#include "ssh-pkcs11.h" |
|
|
| /* Path to CA key when certifying keys. */ |
/* Path to CA key when certifying keys. */ |
| char *ca_key_path = NULL; |
char *ca_key_path = NULL; |
| |
|
| |
/* Prefer to use agent keys for CA signing */ |
| |
int prefer_agent = 0; |
| |
|
| /* Certificate serial number */ |
/* Certificate serial number */ |
| unsigned long long cert_serial = 0; |
unsigned long long cert_serial = 0; |
| |
|
|
|
| if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
| fatal("PEM_write_RSAPublicKey failed"); |
fatal("PEM_write_RSAPublicKey failed"); |
| break; |
break; |
| #if notyet /* OpenSSH 0.9.8 lacks this function */ |
|
| case KEY_DSA: |
|
| if (!PEM_write_DSAPublicKey(stdout, k->dsa)) |
|
| fatal("PEM_write_DSAPublicKey failed"); |
|
| break; |
|
| #endif |
|
| /* XXX ECDSA? */ |
|
| default: |
default: |
| fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
| } |
} |
|
|
| buffer_get_bignum_bits(b, key->rsa->iqmp); |
buffer_get_bignum_bits(b, key->rsa->iqmp); |
| buffer_get_bignum_bits(b, key->rsa->q); |
buffer_get_bignum_bits(b, key->rsa->q); |
| buffer_get_bignum_bits(b, key->rsa->p); |
buffer_get_bignum_bits(b, key->rsa->p); |
| if ((r = rsa_generate_additional_parameters(key->rsa)) != 0) |
if ((r = ssh_rsa_generate_additional_parameters(key)) != 0) |
| fatal("generate RSA parameters failed: %s", ssh_err(r)); |
fatal("generate RSA parameters failed: %s", ssh_err(r)); |
| break; |
break; |
| } |
} |
|
|
| |
|
| /* try the key */ |
/* try the key */ |
| if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || |
if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || |
| sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) { |
sshkey_verify(key, sig, slen, data, sizeof(data), NULL, 0) != 0) { |
| sshkey_free(key); |
sshkey_free(key); |
| free(sig); |
free(sig); |
| return NULL; |
return NULL; |
|
|
| { |
{ |
| FILE *fp; |
FILE *fp; |
| RSA *rsa; |
RSA *rsa; |
| #ifdef notyet |
|
| DSA *dsa; |
|
| #endif |
|
| |
|
| if ((fp = fopen(identity_file, "r")) == NULL) |
if ((fp = fopen(identity_file, "r")) == NULL) |
| fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
|
|
| fclose(fp); |
fclose(fp); |
| return; |
return; |
| } |
} |
| #if notyet /* OpenSSH 0.9.8 lacks this function */ |
|
| rewind(fp); |
|
| if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { |
|
| if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
|
| fatal("sshkey_new failed"); |
|
| (*k)->type = KEY_DSA; |
|
| (*k)->dsa = dsa; |
|
| fclose(fp); |
|
| return; |
|
| } |
|
| /* XXX ECDSA */ |
|
| #endif |
|
| fatal("%s: unrecognised raw private key format", __func__); |
fatal("%s: unrecognised raw private key format", __func__); |
| } |
} |
| |
|
|
|
| int first = 0; |
int first = 0; |
| struct stat st; |
struct stat st; |
| struct sshkey *private, *public; |
struct sshkey *private, *public; |
| char comment[1024]; |
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; |
| int i, type, fd, r; |
int i, type, fd, r; |
| FILE *f; |
FILE *f; |
| |
|
| for (i = 0; key_types[i].key_type; i++) { |
for (i = 0; key_types[i].key_type; i++) { |
| if (stat(key_types[i].path, &st) == 0) |
public = private = NULL; |
| continue; |
prv_tmp = pub_tmp = prv_file = pub_file = NULL; |
| if (errno != ENOENT) { |
|
| |
xasprintf(&prv_file, "%s%s", |
| |
identity_file, key_types[i].path); |
| |
|
| |
/* Check whether private key exists and is not zero-length */ |
| |
if (stat(prv_file, &st) == 0) { |
| |
if (st.st_size != 0) |
| |
goto next; |
| |
} else if (errno != ENOENT) { |
| error("Could not stat %s: %s", key_types[i].path, |
error("Could not stat %s: %s", key_types[i].path, |
| strerror(errno)); |
strerror(errno)); |
| first = 0; |
goto failnext; |
| continue; |
|
| } |
} |
| |
|
| |
/* |
| |
* Private key doesn't exist or is invalid; proceed with |
| |
* key generation. |
| |
*/ |
| |
xasprintf(&prv_tmp, "%s%s.XXXXXXXXXX", |
| |
identity_file, key_types[i].path); |
| |
xasprintf(&pub_tmp, "%s%s.pub.XXXXXXXXXX", |
| |
identity_file, key_types[i].path); |
| |
xasprintf(&pub_file, "%s%s.pub", |
| |
identity_file, key_types[i].path); |
| |
|
| if (first == 0) { |
if (first == 0) { |
| first = 1; |
first = 1; |
| printf("%s: generating new host keys: ", __progname); |
printf("%s: generating new host keys: ", __progname); |
|
|
| printf("%s ", key_types[i].key_type_display); |
printf("%s ", key_types[i].key_type_display); |
| fflush(stdout); |
fflush(stdout); |
| type = sshkey_type_from_name(key_types[i].key_type); |
type = sshkey_type_from_name(key_types[i].key_type); |
| strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); |
if ((fd = mkstemp(prv_tmp)) == -1) { |
| |
error("Could not save your public key in %s: %s", |
| |
prv_tmp, strerror(errno)); |
| |
goto failnext; |
| |
} |
| |
close(fd); /* just using mkstemp() to generate/reserve a name */ |
| bits = 0; |
bits = 0; |
| type_bits_valid(type, NULL, &bits); |
type_bits_valid(type, NULL, &bits); |
| if ((r = sshkey_generate(type, bits, &private)) != 0) { |
if ((r = sshkey_generate(type, bits, &private)) != 0) { |
| error("sshkey_generate failed: %s", ssh_err(r)); |
error("sshkey_generate failed: %s", ssh_err(r)); |
| first = 0; |
goto failnext; |
| continue; |
|
| } |
} |
| if ((r = sshkey_from_private(private, &public)) != 0) |
if ((r = sshkey_from_private(private, &public)) != 0) |
| fatal("sshkey_from_private failed: %s", ssh_err(r)); |
fatal("sshkey_from_private failed: %s", ssh_err(r)); |
| snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
| hostname); |
hostname); |
| if ((r = sshkey_save_private(private, identity_file, "", |
if ((r = sshkey_save_private(private, prv_tmp, "", |
| comment, use_new_format, new_format_cipher, rounds)) != 0) { |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
| error("Saving key \"%s\" failed: %s", |
error("Saving key \"%s\" failed: %s", |
| identity_file, ssh_err(r)); |
prv_tmp, ssh_err(r)); |
| sshkey_free(private); |
goto failnext; |
| sshkey_free(public); |
|
| first = 0; |
|
| continue; |
|
| } |
} |
| sshkey_free(private); |
if ((fd = mkstemp(pub_tmp)) == -1) { |
| strlcat(identity_file, ".pub", sizeof(identity_file)); |
error("Could not save your public key in %s: %s", |
| fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); |
pub_tmp, strerror(errno)); |
| if (fd == -1) { |
goto failnext; |
| error("Could not save your public key in %s", |
|
| identity_file); |
|
| sshkey_free(public); |
|
| first = 0; |
|
| continue; |
|
| } |
} |
| |
(void)fchmod(fd, 0644); |
| f = fdopen(fd, "w"); |
f = fdopen(fd, "w"); |
| if (f == NULL) { |
if (f == NULL) { |
| error("fdopen %s failed", identity_file); |
error("fdopen %s failed: %s", pub_tmp, strerror(errno)); |
| close(fd); |
close(fd); |
| sshkey_free(public); |
goto failnext; |
| first = 0; |
|
| continue; |
|
| } |
} |
| if ((r = sshkey_write(public, f)) != 0) { |
if ((r = sshkey_write(public, f)) != 0) { |
| error("write key failed: %s", ssh_err(r)); |
error("write key failed: %s", ssh_err(r)); |
| fclose(f); |
fclose(f); |
| sshkey_free(public); |
goto failnext; |
| first = 0; |
|
| continue; |
|
| } |
} |
| fprintf(f, " %s\n", comment); |
fprintf(f, " %s\n", comment); |
| fclose(f); |
if (ferror(f) != 0) { |
| sshkey_free(public); |
error("write key failed: %s", strerror(errno)); |
| |
fclose(f); |
| |
goto failnext; |
| |
} |
| |
if (fclose(f) != 0) { |
| |
error("key close failed: %s", strerror(errno)); |
| |
goto failnext; |
| |
} |
| |
|
| |
/* Rename temporary files to their permanent locations. */ |
| |
if (rename(pub_tmp, pub_file) != 0) { |
| |
error("Unable to move %s into position: %s", |
| |
pub_file, strerror(errno)); |
| |
goto failnext; |
| |
} |
| |
if (rename(prv_tmp, prv_file) != 0) { |
| |
error("Unable to move %s into position: %s", |
| |
key_types[i].path, strerror(errno)); |
| |
failnext: |
| |
first = 0; |
| |
goto next; |
| |
} |
| |
next: |
| |
sshkey_free(private); |
| |
sshkey_free(public); |
| |
free(prv_tmp); |
| |
free(pub_tmp); |
| |
free(prv_file); |
| |
free(pub_file); |
| } |
} |
| if (first != 0) |
if (first != 0) |
| printf("\n"); |
printf("\n"); |
|
|
| #endif /* ENABLE_PKCS11 */ |
#endif /* ENABLE_PKCS11 */ |
| } |
} |
| |
|
| |
/* Signer for sshkey_certify_custom that uses the agent */ |
| |
static int |
| |
agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp, |
| |
const u_char *data, size_t datalen, |
| |
const char *alg, u_int compat, void *ctx) |
| |
{ |
| |
int *agent_fdp = (int *)ctx; |
| |
|
| |
return ssh_agent_sign(*agent_fdp, key, sigp, lenp, |
| |
data, datalen, alg, compat); |
| |
} |
| |
|
| static void |
static void |
| do_ca_sign(struct passwd *pw, int argc, char **argv) |
do_ca_sign(struct passwd *pw, int argc, char **argv) |
| { |
{ |
| int r, i, fd; |
int r, i, fd, found, agent_fd = -1; |
| u_int n; |
u_int n; |
| struct sshkey *ca, *public; |
struct sshkey *ca, *public; |
| char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
| FILE *f; |
FILE *f; |
| |
struct ssh_identitylist *agent_ids; |
| |
size_t j; |
| |
|
| #ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
| pkcs11_init(1); |
pkcs11_init(1); |
| #endif |
#endif |
| tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
| if (pkcs11provider != NULL) { |
if (pkcs11provider != NULL) { |
| |
/* If a PKCS#11 token was specified then try to use it */ |
| if ((ca = load_pkcs11_key(tmp)) == NULL) |
if ((ca = load_pkcs11_key(tmp)) == NULL) |
| fatal("No PKCS#11 key matching %s found", ca_key_path); |
fatal("No PKCS#11 key matching %s found", ca_key_path); |
| } else |
} else if (prefer_agent) { |
| |
/* |
| |
* Agent signature requested. Try to use agent after making |
| |
* sure the public key specified is actually present in the |
| |
* agent. |
| |
*/ |
| |
if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0) |
| |
fatal("Cannot load CA public key %s: %s", |
| |
tmp, ssh_err(r)); |
| |
if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) |
| |
fatal("Cannot use public key for CA signature: %s", |
| |
ssh_err(r)); |
| |
if ((r = ssh_fetch_identitylist(agent_fd, &agent_ids)) != 0) |
| |
fatal("Retrieve agent key list: %s", ssh_err(r)); |
| |
found = 0; |
| |
for (j = 0; j < agent_ids->nkeys; j++) { |
| |
if (sshkey_equal(ca, agent_ids->keys[j])) { |
| |
found = 1; |
| |
break; |
| |
} |
| |
} |
| |
if (!found) |
| |
fatal("CA key %s not found in agent", tmp); |
| |
ssh_free_identitylist(agent_ids); |
| |
ca->flags |= SSHKEY_FLAG_EXT; |
| |
} else { |
| |
/* CA key is assumed to be a private key on the filesystem */ |
| ca = load_identity(tmp); |
ca = load_identity(tmp); |
| |
} |
| free(tmp); |
free(tmp); |
| |
|
| if (key_type_name != NULL && |
if (key_type_name != NULL && |
|
|
| &public->cert->signature_key)) != 0) |
&public->cert->signature_key)) != 0) |
| fatal("sshkey_from_private (ca key): %s", ssh_err(r)); |
fatal("sshkey_from_private (ca key): %s", ssh_err(r)); |
| |
|
| if ((r = sshkey_certify(public, ca, key_type_name)) != 0) |
if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) { |
| fatal("Couldn't certify key %s: %s", tmp, ssh_err(r)); |
if ((r = sshkey_certify_custom(public, ca, |
| |
key_type_name, agent_signer, &agent_fd)) != 0) |
| |
fatal("Couldn't certify key %s via agent: %s", |
| |
tmp, ssh_err(r)); |
| |
} else { |
| |
if ((sshkey_certify(public, ca, key_type_name)) != 0) |
| |
fatal("Couldn't certify key %s: %s", |
| |
tmp, ssh_err(r)); |
| |
} |
| |
|
| if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) |
if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) |
| *cp = '\0'; |
*cp = '\0'; |
|
|
| s, s + 4, s + 6, s + 8, s + 10, s + 12); |
s, s + 4, s + 6, s + 8, s + 10, s + 12); |
| break; |
break; |
| default: |
default: |
| fatal("Invalid certificate time format %s", s); |
fatal("Invalid certificate time format \"%s\"", s); |
| } |
} |
| |
|
| memset(&tm, 0, sizeof(tm)); |
memset(&tm, 0, sizeof(tm)); |
|
|
| |
|
| /* |
/* |
| * from:to, where |
* from:to, where |
| * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always" |
| * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever" |
| */ |
*/ |
| from = xstrdup(timespec); |
from = xstrdup(timespec); |
| to = strchr(from, ':'); |
to = strchr(from, ':'); |
|
|
| |
|
| if (*from == '-' || *from == '+') |
if (*from == '-' || *from == '+') |
| cert_valid_from = parse_relative_time(from, now); |
cert_valid_from = parse_relative_time(from, now); |
| |
else if (strcmp(from, "always") == 0) |
| |
cert_valid_from = 0; |
| else |
else |
| cert_valid_from = parse_absolute_time(from); |
cert_valid_from = parse_absolute_time(from); |
| |
|
| if (*to == '-' || *to == '+') |
if (*to == '-' || *to == '+') |
| cert_valid_to = parse_relative_time(to, now); |
cert_valid_to = parse_relative_time(to, now); |
| |
else if (strcmp(to, "forever") == 0) |
| |
cert_valid_to = ~(u_int64_t)0; |
| else |
else |
| cert_valid_to = parse_absolute_time(to); |
cert_valid_to = parse_absolute_time(to); |
| |
|
|
|
| " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
| " [-j start_line] [-K checkpt] [-W generator]\n" |
" [-j start_line] [-K checkpt] [-W generator]\n" |
| #endif |
#endif |
| " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
" ssh-keygen -s ca_key -I certificate_identity [-h] [-U]\n" |
| " [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
" [-D pkcs11_provider] [-n principals] [-O option]\n" |
| |
" [-V validity_interval] [-z serial_number] file ...\n" |
| " ssh-keygen -L [-f input_keyfile]\n" |
" ssh-keygen -L [-f input_keyfile]\n" |
| " ssh-keygen -A\n" |
" ssh-keygen -A\n" |
| " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
|
|
| if (gethostname(hostname, sizeof(hostname)) < 0) |
if (gethostname(hostname, sizeof(hostname)) < 0) |
| fatal("gethostname: %s", strerror(errno)); |
fatal("gethostname: %s", strerror(errno)); |
| |
|
| /* Remaining characters: UYdw */ |
/* Remaining characters: Ydw */ |
| while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" |
while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy" |
| "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" |
"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" |
| "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { |
"a:b:f:g:j:m:n:r:s:t:z:")) != -1) { |
| switch (opt) { |
switch (opt) { |
|
|
| case 'D': |
case 'D': |
| pkcs11provider = optarg; |
pkcs11provider = optarg; |
| break; |
break; |
| |
case 'U': |
| |
prefer_agent = 1; |
| |
break; |
| case 'u': |
case 'u': |
| update_krl = 1; |
update_krl = 1; |
| break; |
break; |
|
|
| if ((r = sshkey_write(public, f)) != 0) |
if ((r = sshkey_write(public, f)) != 0) |
| error("write key failed: %s", ssh_err(r)); |
error("write key failed: %s", ssh_err(r)); |
| fprintf(f, " %s\n", comment); |
fprintf(f, " %s\n", comment); |
| fclose(f); |
if (ferror(f) || fclose(f) != 0) |
| |
fatal("write public failed: %s", strerror(errno)); |
| |
|
| if (!quiet) { |
if (!quiet) { |
| fp = sshkey_fingerprint(public, fingerprint_hash, |
fp = sshkey_fingerprint(public, fingerprint_hash, |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh