PKCS#11: Load public keys from ECDSA certificates
Submitted in upstream bugzilla https://bugzilla.mindrot.org/show_bug.cgi?id=2474#c21
This commit is contained in:
parent
aad4430f17
commit
077597136c
@ -2563,23 +2563,36 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
|
||||
+ if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
|
||||
+ error("RSA_set0_key failed");
|
||||
}
|
||||
} else {
|
||||
cp = attribs[2].pValue;
|
||||
@@ -525,16 +538,18 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
== NULL) {
|
||||
error("d2i_X509 failed");
|
||||
} else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||
- evp->type != EVP_PKEY_RSA ||
|
||||
- evp->pkey.rsa == NULL) {
|
||||
+ EVP_PKEY_id(evp) != EVP_PKEY_RSA ||
|
||||
+ EVP_PKEY_get0_RSA(evp) == NULL) {
|
||||
debug("X509_get_pubkey failed or no rsa");
|
||||
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
|
||||
+ } else if ((rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(evp)))
|
||||
== NULL) {
|
||||
error("RSAPublicKey_dup");
|
||||
}
|
||||
X509_free(x509);
|
||||
#ifdef ENABLE_PKCS11_ECDSA
|
||||
} else if (attribs[2].type == CKA_EC_PARAMS ) {
|
||||
@@ -920,19 +936,19 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
} else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
||||
debug("X509_get_pubkey failed");
|
||||
} else {
|
||||
- switch (evp->type) {
|
||||
+ switch (EVP_PKEY_id(evp)) {
|
||||
case EVP_PKEY_RSA:
|
||||
- if (evp->pkey.rsa == NULL)
|
||||
+ if (EVP_PKEY_get0_RSA(evp) == NULL)
|
||||
debug("Missing RSA key");
|
||||
- else if ((rsa = RSAPublicKey_dup(
|
||||
- evp->pkey.rsa)) == NULL)
|
||||
+ else if ((rsa = RSAPublicKey_dup(
|
||||
+ EVP_PKEY_get0_RSA(evp))) == NULL)
|
||||
error("RSAPublicKey_dup failed");
|
||||
break;
|
||||
case EVP_PKEY_EC:
|
||||
- if (evp->pkey.ecdsa == NULL)
|
||||
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL)
|
||||
debug("Missing ECDSA key");
|
||||
- else if ((ecdsa = EC_KEY_dup(
|
||||
- evp->pkey.ecdsa)) == NULL)
|
||||
+ else if ((ecdsa = EC_KEY_dup(
|
||||
+ EVP_PKEY_get0_EC_KEY(evp))) == NULL)
|
||||
error("EC_KEY_dup failed");
|
||||
break;
|
||||
default:
|
||||
@@ -538,7 +551,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
}
|
||||
key = NULL;
|
||||
if (rsa || ecdsa) {
|
||||
|
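Review bot: The `evp` obtained at `} else if ((evp = X509_get_pubkey(x509)) == NULL ||` is a new reference, yet within this hunk only `X509_free(x509)` is released; if the code below the hunk does not `EVP_PKEY_free(evp)` on every path, each certificate scanned leaks an EVP_PKEY (the key material is already copied by `RSAPublicKey_dup`/`EC_KEY_dup`, so freeing it directly after the switch is safe). The same applies to the old-API variant in the second section's `@@ -917,13 +917,28 @@` hunk. In the RSA branch `EVP_PKEY_get0_RSA(evp)` is evaluated twice, once for the NULL test and again as the dup argument; binding it once, e.g. `const RSA *crsa = EVP_PKEY_get0_RSA(evp);`, keeps the check and the copy in step. The `case EVP_PKEY_EC:` arm copies whatever curve the certificate carries; unless a later step validates it (not visible here), consider running the duplicated key through the curve/point checks OpenSSH applies to other EC public keys, e.g. `if (sshkey_ec_validate_public(EC_KEY_get0_group(ecdsa), EC_KEY_get0_public_key(ecdsa)) != 0)`, so an unsupported or malformed point is rejected at fetch time rather than on first use. pkcs11_fetch_keys_filter starts and ends outside this hunk.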
@ -750,3 +750,45 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
|
||||
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
|
||||
int pkcs11_del_provider(char *);
|
||||
int pkcs11_uri_write(const struct sshkey *, FILE *);
|
||||
|
||||
|
||||
|
||||
diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c
|
||||
--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100
|
||||
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100
|
||||
@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
|
||||
== NULL) {
|
||||
error("d2i_X509 failed");
|
||||
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||
- evp->type != EVP_PKEY_RSA ||
|
||||
- evp->pkey.rsa == NULL) {
|
||||
- debug("X509_get_pubkey failed or no rsa");
|
||||
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
|
||||
- == NULL) {
|
||||
- error("RSAPublicKey_dup");
|
||||
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
||||
+ debug("X509_get_pubkey failed");
|
||||
+ } else {
|
||||
+ switch (evp->type) {
|
||||
+ case EVP_PKEY_RSA:
|
||||
+ if (evp->pkey.rsa == NULL)
|
||||
+ debug("Missing RSA key");
|
||||
+ else if ((rsa = RSAPublicKey_dup(
|
||||
+ evp->pkey.rsa)) == NULL)
|
||||
+ error("RSAPublicKey_dup failed");
|
||||
+ break;
|
||||
+ case EVP_PKEY_EC:
|
||||
+ if (evp->pkey.ecdsa == NULL)
|
||||
+ debug("Missing ECDSA key");
|
||||
+ else if ((ecdsa = EC_KEY_dup(
|
||||
+ evp->pkey.ecdsa)) == NULL)
|
||||
+ error("EC_KEY_dup failed");
|
||||
+ break;
|
||||
+ default:
|
||||
+ debug("not a RSA or ECDSA key");
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (x509)
|
||||
X509_free(x509);
|
||||
|
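Review bot: The new `case EVP_PKEY_EC:` arm (from `+ case EVP_PKEY_EC:` through its `+ break;`) uses `ecdsa` and `EC_KEY_dup` with no `#ifdef OPENSSL_HAS_ECC` or `ENABLE_PKCS11_ECDSA` guard, whereas the CKA_EC_PARAMS branch shown in the first section sits under `#ifdef ENABLE_PKCS11_ECDSA`; if this patch is meant to build against an OpenSSL without EC support, the arm should be wrapped the same way, otherwise the asymmetry deserves a one-line comment. The `default:` message would read better and be more diagnosable with the type it rejected, e.g. `debug("not an RSA or ECDSA key (type %d)", evp->type);`, since a token holding a certificate of some other key type currently produces an unexplained skip. pkcs11_fetch_keys_filter starts and ends outside this hunk.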