upstream commit

support SHA256 and SHA512 RSA signatures in certificates;
 ok markus@

Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a

diff --git a/key.c b/key.c
index 28d7c62071456d63dd4015113329adf42236e822..93f4ccb24f450a7d607efd579466abdfb987075e 100644 (file)
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */
 /*
  * placed in the public domain
  */
@@ -214,7 +214,7 @@ key_certify(Key *k, Key *ca)
 {
        int r;
 
-       if ((r = sshkey_certify(k, ca)) != 0) {
+       if ((r = sshkey_certify(k, ca, NULL)) != 0) {
                fatal_on_fatal_errors(r, __func__, 0);
                error("%s: %s", __func__, ssh_err(r));
                return -1;

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 079f10321b1abec381bd412ecdd3bb649bc6c778..0bd5fc93af54e1bca93d7355e3d09e4673d08fef 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.290 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1599,6 +1599,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                ca = load_identity(tmp);
        free(tmp);
 
+       if (key_type_name != NULL &&
+           sshkey_type_from_name(key_type_name) != ca->type)  {
+               fatal("CA key type %s doesn't match specified %s",
+                   sshkey_ssh_name(ca), key_type_name);
+       }
+
        for (i = 0; i < argc; i++) {
                /* Split list of principals */
                n = 0;
@@ -1640,8 +1646,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                    &public->cert->signature_key)) != 0)
                        fatal("key_from_private (ca key): %s", ssh_err(r));
 
-               if (sshkey_certify(public, ca) != 0)
-                       fatal("Couldn't not certify key %s", tmp);
+               if ((r = sshkey_certify(public, ca, key_type_name)) != 0)
+                       fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));
 
                if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
                        *cp = '\0';

diff --git a/sshkey.c b/sshkey.c
index 2ce7ada9f1bd44a716962634a658b165fd98fbfe..c20e5868b806b516be6ce59b58a2bdab99b1a663 100644 (file)
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.32 2016/04/09 12:39:30 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.33 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -2370,7 +2370,7 @@ sshkey_drop_cert(struct sshkey *k)
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 {
        struct sshbuf *principals = NULL;
        u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2460,7 +2460,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
 
        /* Sign the whole mess */
        if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-           sshbuf_len(cert), NULL, 0)) != 0)
+           sshbuf_len(cert), alg, 0)) != 0)
                goto out;
 
        /* Append signature and we are done */

diff --git a/sshkey.h b/sshkey.h
index a20a14f9e74bde5b82b7b7ef6d77f63cc0517fb8..8c3d866bfd60023b76ff3de80016c6cb39ce8a92 100644 (file)
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: sshkey.h,v 1.13 2016/05/02 09:36:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -137,7 +137,7 @@ int  sshkey_type_is_cert(int);
 int     sshkey_type_plain(int);
 int     sshkey_to_certified(struct sshkey *);
 int     sshkey_drop_cert(struct sshkey *);
-int     sshkey_certify(struct sshkey *, struct sshkey *);
+int     sshkey_certify(struct sshkey *, struct sshkey *, const char *);
 int     sshkey_cert_copy(const struct sshkey *, struct sshkey *);
 int     sshkey_cert_check_authority(const struct sshkey *, int, int,
     const char *, const char **);