version 1.334, 2019/07/05 04:55:40 |
version 1.336, 2019/07/15 13:16:29 |
|
|
#include "xmalloc.h" |
#include "xmalloc.h" |
#include "sshkey.h" |
#include "sshkey.h" |
#include "authfile.h" |
#include "authfile.h" |
|
#include "uuencode.h" |
#include "sshbuf.h" |
#include "sshbuf.h" |
#include "pathnames.h" |
#include "pathnames.h" |
#include "log.h" |
#include "log.h" |
|
|
/* Load key from this PKCS#11 provider */ |
/* Load key from this PKCS#11 provider */ |
static char *pkcs11provider = NULL; |
static char *pkcs11provider = NULL; |
|
|
/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ |
/* Format for writing private keys */ |
static int use_new_format = 1; |
static int private_key_format = SSHKEY_PRIVATE_OPENSSH; |
|
|
/* Cipher for new-format private keys */ |
/* Cipher for new-format private keys */ |
static char *new_format_cipher = NULL; |
static char *openssh_format_cipher = NULL; |
|
|
/* |
/* |
* Number of KDF rounds to derive new format keys / |
* Number of KDF rounds to derive new format keys / |
|
|
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
hostname); |
hostname); |
if ((r = sshkey_save_private(private, prv_tmp, "", |
if ((r = sshkey_save_private(private, prv_tmp, "", |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
comment, private_key_format, openssh_format_cipher, |
|
rounds)) != 0) { |
error("Saving key \"%s\" failed: %s", |
error("Saving key \"%s\" failed: %s", |
prv_tmp, ssh_err(r)); |
prv_tmp, ssh_err(r)); |
goto failnext; |
goto failnext; |
|
|
|
|
/* Save the file using the new passphrase. */ |
/* Save the file using the new passphrase. */ |
if ((r = sshkey_save_private(private, identity_file, passphrase1, |
if ((r = sshkey_save_private(private, identity_file, passphrase1, |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
comment, private_key_format, openssh_format_cipher, rounds)) != 0) { |
error("Saving key \"%s\" failed: %s.", |
error("Saving key \"%s\" failed: %s.", |
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
explicit_bzero(passphrase1, strlen(passphrase1)); |
explicit_bzero(passphrase1, strlen(passphrase1)); |
|
|
} |
} |
|
|
if (private->type != KEY_ED25519 && private->type != KEY_XMSS && |
if (private->type != KEY_ED25519 && private->type != KEY_XMSS && |
!use_new_format) { |
private_key_format != SSHKEY_PRIVATE_OPENSSH) { |
error("Comments are only supported for keys stored in " |
error("Comments are only supported for keys stored in " |
"the new format (-o)."); |
"the new format (-o)."); |
explicit_bzero(passphrase, strlen(passphrase)); |
explicit_bzero(passphrase, strlen(passphrase)); |
|
|
|
|
/* Save the file using the new passphrase. */ |
/* Save the file using the new passphrase. */ |
if ((r = sshkey_save_private(private, identity_file, passphrase, |
if ((r = sshkey_save_private(private, identity_file, passphrase, |
new_comment, use_new_format, new_format_cipher, rounds)) != 0) { |
new_comment, private_key_format, openssh_format_cipher, |
|
rounds)) != 0) { |
error("Saving key \"%s\" failed: %s", |
error("Saving key \"%s\" failed: %s", |
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
explicit_bzero(passphrase, strlen(passphrase)); |
explicit_bzero(passphrase, strlen(passphrase)); |
|
|
} |
} |
if (strcasecmp(optarg, "PKCS8") == 0) { |
if (strcasecmp(optarg, "PKCS8") == 0) { |
convert_format = FMT_PKCS8; |
convert_format = FMT_PKCS8; |
|
private_key_format = SSHKEY_PRIVATE_PKCS8; |
break; |
break; |
} |
} |
if (strcasecmp(optarg, "PEM") == 0) { |
if (strcasecmp(optarg, "PEM") == 0) { |
convert_format = FMT_PEM; |
convert_format = FMT_PEM; |
use_new_format = 0; |
private_key_format = SSHKEY_PRIVATE_PEM; |
break; |
break; |
} |
} |
fatal("Unsupported conversion format \"%s\"", optarg); |
fatal("Unsupported conversion format \"%s\"", optarg); |
|
|
add_cert_option(optarg); |
add_cert_option(optarg); |
break; |
break; |
case 'Z': |
case 'Z': |
new_format_cipher = optarg; |
openssh_format_cipher = optarg; |
break; |
break; |
case 'C': |
case 'C': |
identity_comment = optarg; |
identity_comment = optarg; |
|
|
|
|
/* Save the key with the given passphrase and comment. */ |
/* Save the key with the given passphrase and comment. */ |
if ((r = sshkey_save_private(private, identity_file, passphrase1, |
if ((r = sshkey_save_private(private, identity_file, passphrase1, |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
comment, private_key_format, openssh_format_cipher, rounds)) != 0) { |
error("Saving key \"%s\" failed: %s", |
error("Saving key \"%s\" failed: %s", |
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
explicit_bzero(passphrase1, strlen(passphrase1)); |
explicit_bzero(passphrase1, strlen(passphrase1)); |