[ssh_x509] X.509 certificates support version 7.4.1 for OpenSSH 6.2p1

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Mar 23 19:01:33 EET 2013


It seems that the mailer strips attachments, so I will include the patch here.

diff --new-file -r openssh-6.1p1-x509-74-hostkeys/ssh-pkcs11.c openssh-6.1p1-x509-74-hostkeys-dsa/ssh-pkcs11.c
50a51,53
> #define DSA_set_app_data(s,arg)         DSA_set_ex_data(s,0,arg)
> #define DSA_get_app_data(s)             DSA_get_ex_data(s,0)
> 
76a80
> 	DSA_METHOD		dsa_method;
197a202,220
> /* openssl callback for freeing an DSA key */
> static int
> pkcs11_dsa_finish(DSA *dsa)
> {
> 	struct pkcs11_key	*k11;
> 	int rv = -1;
> 
> 	if ((k11 = DSA_get_app_data(dsa)) != NULL) {
> 		if (k11->orig_finish)
> 			rv = k11->orig_finish(dsa);
> 		if (k11->provider)
> 			pkcs11_provider_unref(k11->provider);
> 		if (k11->keyid)
> 			xfree(k11->keyid);
> 		xfree(k11);
> 	}
> 	return (rv);
> }
> 
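Review bot: `k11->orig_finish(dsa)` on the `if (k11->orig_finish)` line calls a pointer that, as far as this patch shows, is still the RSA-typed `finish` of struct pkcs11_key — the `76a80` hunk adds only `DSA_METHOD dsa_method;` and no DSA-typed finish slot, and the wrap routine later stores `def->finish` from a `DSA_METHOD` into it. The struct definition is outside this view, so this is inferred, but if it holds the assignment is an incompatible-pointer-type store and the call invokes an `int (*)(RSA *)` with a `DSA *`. I would add `int (*orig_dsa_finish)(DSA *dsa);` next to `dsa_method` in the struct and use it here: `if (k11->orig_dsa_finish) rv = k11->orig_dsa_finish(dsa);`, with the matching `k11->orig_dsa_finish = def->finish;` in pkcs11_dsa_wrap. The rest of the function mirrors the RSA finish callback and looks fine.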
337a361,480
> /* redirect private key operations for dsa key to pkcs11 token */
> 
> #define DSA_SIG_LEN 40
> 
> static DSA_SIG *pkcs11_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) {
> 
> 	struct pkcs11_key	*k11;
> 	struct pkcs11_slotinfo	*si;
> 	CK_FUNCTION_LIST	*f;
> 	CK_OBJECT_HANDLE	obj;
> 	CK_ULONG		tlen = DSA_SIG_LEN;
> 	CK_RV			rv;
> 	CK_OBJECT_CLASS		private_key_class = CKO_PRIVATE_KEY;
> 	CK_BBOOL		true_val = CK_TRUE;
> 	CK_MECHANISM		mech = {
> 		CKM_RSA_PKCS, NULL_PTR, 0
> 	};
> 	CK_ATTRIBUTE		key_filter[] = {
> 		{CKA_CLASS, NULL, sizeof(private_key_class) },
> 		{CKA_ID, NULL, 0},
> 		{CKA_SIGN, NULL, sizeof(true_val) }
> 	};
> 	char			*pin, prompt[1024];
> 	char rs[DSA_SIG_LEN];
> 	DSA_SIG *sig;
> 
> 	fprintf(stderr, "pkcs11_dsa_do_sign\n");
> 
> 	/* some compilers complain about non-constant initializer so we
> 	   use NULL in CK_ATTRIBUTE above and set the values here */
> 	key_filter[0].pValue = &private_key_class;
> 	key_filter[2].pValue = &true_val;
> 
> 	if ((k11 = DSA_get_app_data(dsa)) == NULL) {
> 		error("DSA_get_app_data failed for dsa %p", dsa);
> 		return NULL;
> 	}
> 	if (!k11->provider || !k11->provider->valid) {
> 		error("no pkcs11 (valid) provider for dsa %p", dsa);
> 		return NULL;
> 	}
> 	f = k11->provider->function_list;
> 	si = &k11->provider->slotinfo[k11->slotidx];
> 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> 		if (!pkcs11_interactive) {
> 			error("need pin");
> 			return NULL;
> 		}
> 		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
> 		    si->token.label);
> 		pin = read_passphrase(prompt, RP_ALLOW_EOF);
> 		if (pin == NULL)
> 			return NULL;	/* bail out */
> 		if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin)))
> 		    != CKR_OK) {
> 			xfree(pin);
> 			error("C_Login failed: %lu", rv);
> 			return NULL;
> 		}
> 		xfree(pin);
> 		si->logged_in = 1;
> 	}
> 	key_filter[1].pValue = k11->keyid;
> 	key_filter[1].ulValueLen = k11->keyid_len;
> 	/* try to find object w/CKA_SIGN first, retry w/o */
> 	if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&
> 	    pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) {
> 		error("cannot find private key");
> 	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
> 		error("C_SignInit failed: %lu", rv);
> 	} else {
> 		rv = f->C_Sign(si->session, (CK_BYTE *)dgst, dlen, rs, &tlen);
> 		if (rv != CKR_OK) error("C_Sign failed: %lu", rv);
> 		else {
> 			if (!(sig = calloc(1, sizeof(DSA_SIG)))) return NULL;
> 			sig->r = BN_bin2bn(rs, DSA_SIG_LEN/2, NULL);
> 			sig->s = BN_bin2bn(rs+DSA_SIG_LEN/2, DSA_SIG_LEN/2, NULL);
> 			return sig;
> 		}
> 	}
> 	return NULL;
> }
> 
> static int pkcs11_dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) {
> 	fprintf(stderr, "pkcs11_dsa_sign_setup\n");
> 	return -1;
> }
> 
> static int pkcs11_dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) {
> 	fprintf(stderr, "pkcs11_dsa_do_verify\n");
> 	return -1;
> }
> 
> static int
> pkcs11_dsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
>     CK_ATTRIBUTE *keyid_attrib, DSA *dsa)
> {
> 	struct pkcs11_key	*k11;
> 	const DSA_METHOD	*def = DSA_get_default_method();
> 
> 	k11 = xcalloc(1, sizeof(*k11));
> 	k11->provider = provider;
> 	provider->refcount++;	/* provider referenced by DSA key */
> 	k11->slotidx = slotidx;
> 	/* identify key object on smartcard */
> 	k11->keyid_len = keyid_attrib->ulValueLen;
> 	k11->keyid = xmalloc(k11->keyid_len);
> 	memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
> 	k11->orig_finish = def->finish;
> 	memcpy(&k11->dsa_method, def, sizeof(k11->dsa_method));
> 	k11->dsa_method.name = "pkcs11";
> 	k11->dsa_method.dsa_sign_setup = pkcs11_dsa_sign_setup;
> 	k11->dsa_method.dsa_do_sign = pkcs11_dsa_do_sign;
> 	k11->dsa_method.dsa_do_verify = pkcs11_dsa_do_verify;
> 	k11->dsa_method.finish = pkcs11_dsa_finish;
> 	DSA_set_method(dsa, &k11->dsa_method);
> 	DSA_set_app_data(dsa, k11);
> 	return (0);
> }
> 
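Review bot: The mechanism handed to `C_SignInit` in pkcs11_dsa_do_sign is `CKM_RSA_PKCS`, which a token will not accept for a DSA private key; the initializer should read `CKM_DSA, NULL_PTR, 0`. Separately, pkcs11_dsa_wrap first copies the default method and then overrides `dsa_do_verify` and `dsa_sign_setup` with stubs that return -1, so any verification performed through this DSA object (sign-then-verify checks included) reports failure — dropping the two lines `k11->dsa_method.dsa_sign_setup = pkcs11_dsa_sign_setup;` and `k11->dsa_method.dsa_do_verify = pkcs11_dsa_do_verify;` keeps the copied defaults, and the two stub functions can go with them. The `fprintf(stderr, ...)` traces in the signing path should become `debug()` calls or be removed, since they print on every signature. Finally, `rs` is a `char[]` passed to `BN_bin2bn`, which takes `const unsigned char *`, and the fixed `DSA_SIG_LEN` of 40 only fits a 160-bit q — presumably adequate for the DSA sizes OpenSSH of this vintage handles, but worth a comment such as `/* r||s for q of 160 bits; C_Sign fails with CKR_BUFFER_TOO_SMALL for larger q */`.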
514,521c657,675
< 			/* FIXME non-rsa keys */
< 			if (key && pkcs11_rsa_wrap(p, slotidx, &attribs[0], key->rsa) == 0) {
< 				key->flags |= KEY_FLAG_EXT;
< 				/* expand key array and add key */
< 				*keysp = xrealloc(*keysp, *nkeys + 1, sizeof(Key *));
< 				(*keysp)[*nkeys] = key;
< 				*nkeys = *nkeys + 1;
< 				debug("have %d keys", *nkeys);
---
> 			if (key) {
> 			  switch(key->type) {
> 			  case(KEY_X509_RSA):
> 			    if ((rv = pkcs11_rsa_wrap(p, slotidx, &attribs[0], key->rsa)))
> 			      error("C_GetAttributeValue failed: %lu",rv);
> 			    break;
> 			  case(KEY_X509_DSA):
> 			    if ((rv = pkcs11_dsa_wrap(p, slotidx, &attribs[0], key->dsa)))
> 			      error("C_GetAttributeValue failed: %lu",rv);
> 			    break;
> 			  default:
> 			    error("Bad case in pkcs11_fetch_keys");
> 			  }
> 			  key->flags |= KEY_FLAG_EXT;
> 			  /* expand key array and add key */
> 			  *keysp = xrealloc(*keysp, *nkeys + 1, sizeof(Key *));
> 			  (*keysp)[*nkeys] = key;
> 			  *nkeys = *nkeys + 1;
> 			  debug("have %d keys", *nkeys);
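Review bot: The key is now given `KEY_FLAG_EXT` and appended to `*keysp` regardless of whether wrapping succeeded, including the `default:` branch for a type neither wrapper handles, whereas the replaced condition `if (key && pkcs11_rsa_wrap(...) == 0)` added it only on success. The message `"C_GetAttributeValue failed: %lu"` is copied from the attribute-fetch path and does not describe a wrap failure, and `rv` — printed with `%lu`, so presumably a `CK_RV` — receives the `int` result of the wrap functions. I would record the wrap result and gate the append on it as below; the two-space indentation should also follow the file's tab style. The enclosing loop and function start and end outside this hunk, so whether an unwrapped `key` must be freed here depends on code not visible.
```c
			if (key) {
				int wrapped = -1;

				switch (key->type) {
				case KEY_X509_RSA:
					wrapped = pkcs11_rsa_wrap(p, slotidx, &attribs[0], key->rsa);
					break;
				case KEY_X509_DSA:
					wrapped = pkcs11_dsa_wrap(p, slotidx, &attribs[0], key->dsa);
					break;
				default:
					error("pkcs11_fetch_keys: unsupported key type %d", key->type);
					break;
				}
				if (wrapped == 0) {
					key->flags |= KEY_FLAG_EXT;
					/* … unchanged: expand key array and add key … */
				}
```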


On Thu, Jan 31, 2013 at 09:11:59AM -0300, SSH X509 wrote:
> 
> Hi,
> 
> This isn't the greatest code - it's badly indented (sorry), poorly tested, and
> the error handling may be incomplete - but it extends the PKCS11 code to
> handle DSA keys as well as RSA (see the "FIXME" comment in your ssh-pkcs11.c).
> 
> I, my employer, and our client waive all rights to this code, but provide no
> warranty or guarantees to its safety, correctness or usefulness.  Feel free to
> include it in your patches if it helps.
> 
> Cheers + thanks for the work,
> Andrew
> 
> PS It's against v74 and 6.1p1.
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
> 




