PKCS#11: Load public keys from ECDSA certificates

Submitted in upstream bugzilla
  https://bugzilla.mindrot.org/show_bug.cgi?id=2474#c21
Jakub Jelen 2018-02-16 17:26:53 +01:00
parent aad4430f17
commit 077597136c
2 changed files with 72 additions and 17 deletions


@ -2563,23 +2563,36 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
+ if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0) + if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
+ error("RSA_set0_key failed"); + error("RSA_set0_key failed");
} }
#ifdef ENABLE_PKCS11_ECDSA
} else if (attribs[2].type == CKA_EC_PARAMS ) {
@@ -920,19 +936,19 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
} else if ((evp = X509_get_pubkey(x509)) == NULL) {
debug("X509_get_pubkey failed");
} else { } else {
cp = attribs[2].pValue; - switch (evp->type) {
@@ -525,16 +538,18 @@ pkcs11_fetch_keys_filter(struct pkcs11_p + switch (EVP_PKEY_id(evp)) {
== NULL) { case EVP_PKEY_RSA:
error("d2i_X509 failed"); - if (evp->pkey.rsa == NULL)
} else if ((evp = X509_get_pubkey(x509)) == NULL || + if (EVP_PKEY_get0_RSA(evp) == NULL)
- evp->type != EVP_PKEY_RSA || debug("Missing RSA key");
- evp->pkey.rsa == NULL) { - else if ((rsa = RSAPublicKey_dup(
+ EVP_PKEY_id(evp) != EVP_PKEY_RSA || - evp->pkey.rsa)) == NULL)
+ EVP_PKEY_get0_RSA(evp) == NULL) { + else if ((rsa = RSAPublicKey_dup(
debug("X509_get_pubkey failed or no rsa"); + EVP_PKEY_get0_RSA(evp))) == NULL)
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) error("RSAPublicKey_dup failed");
+ } else if ((rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(evp))) break;
== NULL) { case EVP_PKEY_EC:
error("RSAPublicKey_dup"); - if (evp->pkey.ecdsa == NULL)
} + if (EVP_PKEY_get0_EC_KEY(evp) == NULL)
X509_free(x509); debug("Missing ECDSA key");
- else if ((ecdsa = EC_KEY_dup(
- evp->pkey.ecdsa)) == NULL)
+ else if ((ecdsa = EC_KEY_dup(
+ EVP_PKEY_get0_EC_KEY(evp))) == NULL)
error("EC_KEY_dup failed");
break;
default:
@@ -538,7 +551,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
} }
key = NULL; key = NULL;
if (rsa || ecdsa) { if (rsa || ecdsa) {
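Review bot: The `evp` obtained from `X509_get_pubkey()` in the restructured `else` branch is never released in this hunk; that call returns a referenced `EVP_PKEY` which the caller owns, and only `X509_free(x509)` appears afterwards, so unless the code past the hunk already calls `EVP_PKEY_free(evp)`, each enumerated certificate leaks one key object. The same structure is added in the second file's `@@ -917,13 +917,28 @@` hunk of the ssh-pkcs11.c patch, so the fix belongs in both places. I would add `EVP_PKEY_free(evp);` next to the `X509_free(x509)` call (it tolerates NULL, provided `evp` is initialised to NULL at declaration — that is outside the hunk, please confirm). The enclosing `pkcs11_fetch_keys_filter` body starts and ends outside the hunk, so this is inferred from the visible lines only.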


@ -750,3 +750,45 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***); int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
int pkcs11_del_provider(char *); int pkcs11_del_provider(char *);
int pkcs11_uri_write(const struct sshkey *, FILE *); int pkcs11_uri_write(const struct sshkey *, FILE *);
diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c
--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100
@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
== NULL) {
error("d2i_X509 failed");
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
- evp->type != EVP_PKEY_RSA ||
- evp->pkey.rsa == NULL) {
- debug("X509_get_pubkey failed or no rsa");
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
- == NULL) {
- error("RSAPublicKey_dup");
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
+ debug("X509_get_pubkey failed");
+ } else {
+ switch (evp->type) {
+ case EVP_PKEY_RSA:
+ if (evp->pkey.rsa == NULL)
+ debug("Missing RSA key");
+ else if ((rsa = RSAPublicKey_dup(
+ evp->pkey.rsa)) == NULL)
+ error("RSAPublicKey_dup failed");
+ break;
+ case EVP_PKEY_EC:
+ if (evp->pkey.ecdsa == NULL)
+ debug("Missing ECDSA key");
+ else if ((ecdsa = EC_KEY_dup(
+ evp->pkey.ecdsa)) == NULL)
+ error("EC_KEY_dup failed");
+ break;
+ default:
+ debug("not a RSA or ECDSA key");
+ break;
+ }
}
if (x509)
X509_free(x509);