version 1.118, 2021/07/12 06:08:57 |
version 1.119, 2021/07/23 03:37:52 |
|
|
int |
int |
sshkey_cert_check_authority(const struct sshkey *k, |
sshkey_cert_check_authority(const struct sshkey *k, |
int want_host, int require_principal, int wildcard_pattern, |
int want_host, int require_principal, int wildcard_pattern, |
const char *name, const char **reason) |
uint64_t verify_time, const char *name, const char **reason) |
{ |
{ |
u_int i, principal_matches; |
u_int i, principal_matches; |
time_t now = time(NULL); |
|
|
|
if (reason == NULL) |
if (reason == NULL) |
return SSH_ERR_INVALID_ARGUMENT; |
return SSH_ERR_INVALID_ARGUMENT; |
|
|
return SSH_ERR_KEY_CERT_INVALID; |
return SSH_ERR_KEY_CERT_INVALID; |
} |
} |
} |
} |
if (now < 0) { |
if (verify_time < k->cert->valid_after) { |
/* yikes - system clock before epoch! */ |
|
*reason = "Certificate invalid: not yet valid"; |
*reason = "Certificate invalid: not yet valid"; |
return SSH_ERR_KEY_CERT_INVALID; |
return SSH_ERR_KEY_CERT_INVALID; |
} |
} |
if ((u_int64_t)now < k->cert->valid_after) { |
if (verify_time >= k->cert->valid_before) { |
*reason = "Certificate invalid: not yet valid"; |
|
return SSH_ERR_KEY_CERT_INVALID; |
|
} |
|
if ((u_int64_t)now >= k->cert->valid_before) { |
|
*reason = "Certificate invalid: expired"; |
*reason = "Certificate invalid: expired"; |
return SSH_ERR_KEY_CERT_INVALID; |
return SSH_ERR_KEY_CERT_INVALID; |
} |
} |
|
|
} |
} |
|
|
int |
int |
|
sshkey_cert_check_authority_now(const struct sshkey *k, |
|
int want_host, int require_principal, int wildcard_pattern, |
|
const char *name, const char **reason) |
|
{ |
|
time_t now; |
|
|
|
if ((now = time(NULL)) < 0) { |
|
/* yikes - system clock before epoch! */ |
|
*reason = "Certificate invalid: not yet valid"; |
|
return SSH_ERR_KEY_CERT_INVALID; |
|
} |
|
return sshkey_cert_check_authority(k, want_host, require_principal, |
|
wildcard_pattern, (uint64_t)now, name, reason); |
|
} |
|
|
|
int |
sshkey_cert_check_host(const struct sshkey *key, const char *host, |
sshkey_cert_check_host(const struct sshkey *key, const char *host, |
int wildcard_principals, const char *ca_sign_algorithms, |
int wildcard_principals, const char *ca_sign_algorithms, |
const char **reason) |
const char **reason) |
{ |
{ |
int r; |
int r; |
|
|
if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals, |
if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, |
host, reason)) != 0) |
host, reason)) != 0) |
return r; |
return r; |
if (sshbuf_len(key->cert->critical) != 0) { |
if (sshbuf_len(key->cert->critical) != 0) { |