  • only in /macosx-10.10/OpenSSH-189/openssh/

Lines Matching defs:cert

68 	struct KeyCert *cert;
70 cert = xcalloc(1, sizeof(*cert));
71 buffer_init(&cert->certblob);
72 buffer_init(&cert->critical);
73 buffer_init(&cert->extensions);
74 cert->key_id = NULL;
75 cert->principals = NULL;
76 cert->signature_key = NULL;
77 return cert;
92 k->cert = NULL;
135 k->cert = cert_new();
188 cert_free(struct KeyCert *cert)
192 buffer_free(&cert->certblob);
193 buffer_free(&cert->critical);
194 buffer_free(&cert->extensions);
195 if (cert->key_id != NULL)
196 xfree(cert->key_id);
197 for (i = 0; i < cert->nprincipals; i++)
198 xfree(cert->principals[i]);
199 if (cert->principals != NULL)
200 xfree(cert->principals);
201 if (cert->signature_key != NULL)
202 key_free(cert->signature_key);
241 if (k->cert != NULL)
242 cert_free(k->cert);
243 k->cert = NULL;
327 if (!cert_compare(a->cert, b->cert))
381 /* We want a fingerprint of the _key_ not of the cert */
773 error("key_read: loaded key is not a cert");
777 if (ret->cert != NULL)
778 cert_free(ret->cert);
779 ret->cert = k->cert;
780 k->cert = NULL;
841 if (key->cert == NULL) {
842 error("%s: no cert data", __func__);
845 if (buffer_len(&key->cert->certblob) == 0) {
932 switch (k->cert->type) {
951 return "ssh-rsa-cert-v00@openssh.com";
953 return "ssh-dss-cert-v00@openssh.com";
955 return "ssh-rsa-cert-v01@openssh.com";
957 return "ssh-dss-cert-v01@openssh.com";
974 return "ecdsa-sha2-nistp256-cert-v01@openssh.com";
976 return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
978 return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
1159 fatal("key_generate: cert keys cannot be generated directly");
1174 if (to_key->cert != NULL) {
1175 cert_free(to_key->cert);
1176 to_key->cert = NULL;
1179 if ((from = from_key->cert) == NULL)
1182 to = to_key->cert = cert_new();
1277 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
1279 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
1281 } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
1283 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
1286 } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
1287 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
1288 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1304 strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
1307 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0)
1310 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
1354 buffer_append(&key->cert->certblob, blob, blen);
1358 if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1359 buffer_get_int_ret(&key->cert->type, b) != 0 ||
1360 (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
1362 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1363 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1374 signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1381 if (key->cert->type != SSH2_CERT_TYPE_USER &&
1382 key->cert->type != SSH2_CERT_TYPE_HOST) {
1383 error("Unknown certificate type %u", key->cert->type);
1389 if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1397 key->cert->principals = xrealloc(key->cert->principals,
1398 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1399 key->cert->principals[key->cert->nprincipals++] = principal;
1404 buffer_append(&key->cert->critical, critical, clen);
1416 buffer_append(&key->cert->extensions, exts, elen);
1428 if ((key->cert->signature_key = key_from_blob(sig_key,
1433 if (key->cert->signature_key->type != KEY_RSA &&
1434 key->cert->signature_key->type != KEY_DSA &&
1435 key->cert->signature_key->type != KEY_ECDSA) {
1437 key_type(key->cert->signature_key),
1438 key->cert->signature_key->type);
1442 switch (key_verify(key->cert->signature_key, sig, slen,
1443 buffer_ptr(&key->cert->certblob), signed_len)) {
1580 error("key_from_blob: can't parse cert data");
1618 buffer_append(&b, buffer_ptr(&key->cert->certblob),
1619 buffer_len(&key->cert->certblob));
1807 /* Return the cert-less equivalent to a certified key type */
1831 k->cert = cert_new();
1835 k->cert = cert_new();
1842 k->cert = cert_new();
1858 cert_free(k->cert);
1863 cert_free(k->cert);
1867 cert_free(k->cert);
1887 if (k->cert == NULL) {
1888 error("%s: key lacks cert info", __func__);
1894 k->cert->type);
1907 buffer_clear(&k->cert->certblob);
1908 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1913 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1918 buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1919 buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1920 buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1921 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1925 buffer_put_cstring(&k->cert->certblob,
1927 buffer_put_ecpoint(&k->cert->certblob,
1934 buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1935 buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1939 buffer_clear(&k->cert->certblob);
1946 buffer_put_int64(&k->cert->certblob, k->cert->serial);
1948 buffer_put_int(&k->cert->certblob, k->cert->type);
1949 buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1952 for (i = 0; i < k->cert->nprincipals; i++)
1953 buffer_put_cstring(&principals, k->cert->principals[i]);
1954 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1958 buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1959 buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1960 buffer_put_string(&k->cert->certblob,
1961 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
1965 buffer_put_string(&k->cert->certblob,
1966 buffer_ptr(&k->cert->extensions),
1967 buffer_len(&k->cert->extensions));
1972 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1974 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1975 buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1979 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
1980 buffer_len(&k->cert->certblob)) != 0) {
1982 buffer_clear(&k->cert->certblob);
1986 buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
2000 if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2005 if (k->cert->type != SSH2_CERT_TYPE_USER) {
2015 if ((u_int64_t)now < k->cert->valid_after) {
2019 if ((u_int64_t)now >= k->cert->valid_before) {
2023 if (k->cert->nprincipals == 0) {
2030 for (i = 0; i < k->cert->nprincipals; i++) {
2031 if (strcmp(name, k->cert->principals[i]) == 0) {