Use the upstream version of the PKCS#8 PEM support (#1722285)
This commit is contained in:
parent
30922f629c
commit
5d6a14bd4a
@ -1,14 +1,176 @@
|
||||
commit 2fe812887139ce32eeca52f9a0c141bdc7c4c8af
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Wed May 22 17:25:22 2019 +0200
|
||||
From eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 15 Jul 2019 13:16:29 +0000
|
||||
Subject: [PATCH] upstream: support PKCS8 as an optional format for storage of
|
||||
|
||||
New PEM export format withou MD5
|
||||
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
|
||||
private keys to disk.
|
||||
|
||||
The OpenSSH native key format remains the default, but PKCS8 is a
|
||||
superior format to PEM if interoperability with non-OpenSSH software
|
||||
is required, as it may use a less terrible KDF (IIRC PEM uses a single
|
||||
round of MD5 as a KDF).
|
||||
|
||||
adapted from patch by Jakub Jelen via bz3013; ok markus
|
||||
|
||||
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
|
||||
---
|
||||
authfile.c | 6 ++--
|
||||
ssh-keygen.1 | 9 +++---
|
||||
ssh-keygen.c | 25 +++++++++--------
|
||||
sshkey.c | 78 +++++++++++++++++++++++++++++++++++++---------------
|
||||
sshkey.h | 11 ++++++--
|
||||
5 files changed, 87 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/authfile.c b/authfile.c
|
||||
index 2166c1689..851c1a8a1 100644
|
||||
--- a/authfile.c
|
||||
+++ b/authfile.c
|
||||
@@ -74,7 +74,7 @@ sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
|
||||
int
|
||||
sshkey_save_private(struct sshkey *key, const char *filename,
|
||||
const char *passphrase, const char *comment,
|
||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
|
||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
|
||||
{
|
||||
struct sshbuf *keyblob = NULL;
|
||||
int r;
|
||||
@@ -82,7 +82,7 @@ sshkey_save_private(struct sshkey *key, const char *filename,
|
||||
if ((keyblob = sshbuf_new()) == NULL)
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
|
||||
- force_new_format, new_format_cipher, new_format_rounds)) != 0)
|
||||
+ format, openssh_format_cipher, openssh_format_rounds)) != 0)
|
||||
goto out;
|
||||
if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
|
||||
goto out;
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index f42127c60..8184a1797 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -419,11 +419,12 @@ The supported key formats are:
|
||||
.Dq RFC4716
|
||||
(RFC 4716/SSH2 public or private key),
|
||||
.Dq PKCS8
|
||||
-(PEM PKCS8 public key)
|
||||
+(PKCS8 public or private key)
|
||||
or
|
||||
.Dq PEM
|
||||
(PEM public key).
|
||||
-The default conversion format is
|
||||
+By default OpenSSH will write newly-generated private keys in its own
|
||||
+format, but when converting public keys for export the default format is
|
||||
.Dq RFC4716 .
|
||||
Setting a format of
|
||||
.Dq PEM
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index b019a02ff..5dcad1f61 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -147,11 +147,11 @@ static char *key_type_name = NULL;
|
||||
/* Load key from this PKCS#11 provider */
|
||||
static char *pkcs11provider = NULL;
|
||||
|
||||
-/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
|
||||
-static int use_new_format = 1;
|
||||
+/* Format for writing private keys */
|
||||
+static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
|
||||
|
||||
/* Cipher for new-format private keys */
|
||||
-static char *new_format_cipher = NULL;
|
||||
+static char *openssh_format_cipher = NULL;
|
||||
|
||||
/*
|
||||
* Number of KDF rounds to derive new format keys /
|
||||
@@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
|
||||
hostname);
|
||||
if ((r = sshkey_save_private(private, prv_tmp, "",
|
||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
||||
+ comment, private_key_format, openssh_format_cipher,
|
||||
+ rounds)) != 0) {
|
||||
error("Saving key \"%s\" failed: %s",
|
||||
prv_tmp, ssh_err(r));
|
||||
goto failnext;
|
||||
@@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw)
|
||||
|
||||
/* Save the file using the new passphrase. */
|
||||
if ((r = sshkey_save_private(private, identity_file, passphrase1,
|
||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
||||
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
||||
error("Saving key \"%s\" failed: %s.",
|
||||
identity_file, ssh_err(r));
|
||||
explicit_bzero(passphrase1, strlen(passphrase1));
|
||||
@@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
|
||||
}
|
||||
|
||||
if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
|
||||
- !use_new_format) {
|
||||
+ private_key_format != SSHKEY_PRIVATE_OPENSSH) {
|
||||
error("Comments are only supported for keys stored in "
|
||||
"the new format (-o).");
|
||||
explicit_bzero(passphrase, strlen(passphrase));
|
||||
@@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
|
||||
|
||||
/* Save the file using the new passphrase. */
|
||||
if ((r = sshkey_save_private(private, identity_file, passphrase,
|
||||
- new_comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
||||
+ new_comment, private_key_format, openssh_format_cipher,
|
||||
+ rounds)) != 0) {
|
||||
error("Saving key \"%s\" failed: %s",
|
||||
identity_file, ssh_err(r));
|
||||
explicit_bzero(passphrase, strlen(passphrase));
|
||||
@@ -2525,11 +2527,12 @@ main(int argc, char **argv)
|
||||
}
|
||||
if (strcasecmp(optarg, "PKCS8") == 0) {
|
||||
convert_format = FMT_PKCS8;
|
||||
+ private_key_format = SSHKEY_PRIVATE_PKCS8;
|
||||
break;
|
||||
}
|
||||
if (strcasecmp(optarg, "PEM") == 0) {
|
||||
convert_format = FMT_PEM;
|
||||
- use_new_format = 0;
|
||||
+ private_key_format = SSHKEY_PRIVATE_PEM;
|
||||
break;
|
||||
}
|
||||
fatal("Unsupported conversion format \"%s\"", optarg);
|
||||
@@ -2567,7 +2570,7 @@ main(int argc, char **argv)
|
||||
add_cert_option(optarg);
|
||||
break;
|
||||
case 'Z':
|
||||
- new_format_cipher = optarg;
|
||||
+ openssh_format_cipher = optarg;
|
||||
break;
|
||||
case 'C':
|
||||
identity_comment = optarg;
|
||||
@@ -2912,7 +2915,7 @@ main(int argc, char **argv)
|
||||
|
||||
/* Save the key with the given passphrase and comment. */
|
||||
if ((r = sshkey_save_private(private, identity_file, passphrase1,
|
||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
||||
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
||||
error("Saving key \"%s\" failed: %s",
|
||||
identity_file, ssh_err(r));
|
||||
explicit_bzero(passphrase1, strlen(passphrase1));
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index b95ed0b1..1a271512 100644
|
||||
index 6b5ff0485..a0cea9257 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -3805,26 +3805,28 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
@@ -3975,10 +3975,10 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
|
||||
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
-/* convert SSH v2 key in OpenSSL PEM format */
|
||||
+/* convert SSH v2 key to PEM or PKCS#8 format */
|
||||
static int
|
||||
-sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
- const char *_passphrase, const char *comment)
|
||||
+sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *blob,
|
||||
+ int format, const char *_passphrase, const char *comment)
|
||||
{
|
||||
int success, r;
|
||||
int blen, len = strlen(_passphrase);
|
||||
@@ -3988,26 +3988,46 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
||||
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
|
||||
char *bptr;
|
||||
BIO *bio = NULL;
|
||||
@ -16,47 +178,68 @@ index b95ed0b1..1a271512 100644
|
||||
|
||||
if (len > 0 && len <= 4)
|
||||
return SSH_ERR_PASSPHRASE_TOO_SHORT;
|
||||
if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL) {
|
||||
+ BIO_free(bio);
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
- if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
||||
- return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((bio = BIO_new(BIO_s_mem())) == NULL) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
switch (key->type) {
|
||||
case KEY_DSA:
|
||||
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
||||
+ success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
|
||||
+ cipher, passphrase, len, NULL, NULL);
|
||||
+ } else {
|
||||
+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
|
||||
+ }
|
||||
break;
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
case KEY_ECDSA:
|
||||
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
||||
+ success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
|
||||
+ cipher, passphrase, len, NULL, NULL);
|
||||
+ } else {
|
||||
+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
|
||||
+ }
|
||||
break;
|
||||
#endif
|
||||
case KEY_RSA:
|
||||
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
||||
+ success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
|
||||
+ cipher, passphrase, len, NULL, NULL);
|
||||
+ } else {
|
||||
+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
success = 0;
|
||||
@@ -3834,6 +3836,12 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
@@ -4023,6 +4040,13 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
||||
r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
+ success = PEM_write_bio_PrivateKey(bio, pkey,
|
||||
+ cipher, passphrase, len, NULL, NULL);
|
||||
+ if (success == 0) {
|
||||
+ if (format == SSHKEY_PRIVATE_PKCS8) {
|
||||
+ if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
|
||||
+ passphrase, len, NULL, NULL)) == 0) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
|
||||
r = SSH_ERR_INTERNAL_ERROR;
|
||||
goto out;
|
||||
@@ -3842,6 +3850,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
@@ -4035,6 +4059,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
||||
goto out;
|
||||
r = 0;
|
||||
out:
|
||||
@ -64,4 +247,78 @@ index b95ed0b1..1a271512 100644
|
||||
BIO_free(bio);
|
||||
return r;
|
||||
}
|
||||
@@ -4046,29 +4071,38 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
||||
int
|
||||
sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
|
||||
const char *passphrase, const char *comment,
|
||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
|
||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
|
||||
{
|
||||
switch (key->type) {
|
||||
#ifdef WITH_OPENSSL
|
||||
case KEY_DSA:
|
||||
case KEY_ECDSA:
|
||||
case KEY_RSA:
|
||||
- if (force_new_format) {
|
||||
- return sshkey_private_to_blob2(key, blob, passphrase,
|
||||
- comment, new_format_cipher, new_format_rounds);
|
||||
- }
|
||||
- return sshkey_private_pem_to_blob(key, blob,
|
||||
- passphrase, comment);
|
||||
+ break; /* see below */
|
||||
#endif /* WITH_OPENSSL */
|
||||
case KEY_ED25519:
|
||||
#ifdef WITH_XMSS
|
||||
case KEY_XMSS:
|
||||
#endif /* WITH_XMSS */
|
||||
return sshkey_private_to_blob2(key, blob, passphrase,
|
||||
- comment, new_format_cipher, new_format_rounds);
|
||||
+ comment, openssh_format_cipher, openssh_format_rounds);
|
||||
default:
|
||||
return SSH_ERR_KEY_TYPE_UNKNOWN;
|
||||
}
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ switch (format) {
|
||||
+ case SSHKEY_PRIVATE_OPENSSH:
|
||||
+ return sshkey_private_to_blob2(key, blob, passphrase,
|
||||
+ comment, openssh_format_cipher, openssh_format_rounds);
|
||||
+ case SSHKEY_PRIVATE_PEM:
|
||||
+ case SSHKEY_PRIVATE_PKCS8:
|
||||
+ return sshkey_private_to_blob_pem_pkcs8(key, blob,
|
||||
+ format, passphrase, comment);
|
||||
+ default:
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+ }
|
||||
+#endif /* WITH_OPENSSL */
|
||||
}
|
||||
|
||||
|
||||
diff --git a/sshkey.h b/sshkey.h
|
||||
index 41d159a1b..d30a69cc9 100644
|
||||
--- a/sshkey.h
|
||||
+++ b/sshkey.h
|
||||
@@ -88,6 +88,13 @@ enum sshkey_serialize_rep {
|
||||
SSHKEY_SERIALIZE_INFO = 254,
|
||||
};
|
||||
|
||||
+/* Private key disk formats */
|
||||
+enum sshkey_private_format {
|
||||
+ SSHKEY_PRIVATE_OPENSSH = 0,
|
||||
+ SSHKEY_PRIVATE_PEM = 1,
|
||||
+ SSHKEY_PRIVATE_PKCS8 = 2,
|
||||
+};
|
||||
+
|
||||
/* key is stored in external hardware */
|
||||
#define SSHKEY_FLAG_EXT 0x0001
|
||||
|
||||
@@ -221,7 +228,7 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **keyp);
|
||||
/* private key file format parsing and serialisation */
|
||||
int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
|
||||
const char *passphrase, const char *comment,
|
||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds);
|
||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds);
|
||||
int sshkey_parse_private_fileblob(struct sshbuf *buffer,
|
||||
const char *passphrase, struct sshkey **keyp, char **commentp);
|
||||
int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user