/* * Set options from critical certificate options. These supersede user key * options so this must be called after auth_parse_options(). */ int auth_cert_options(struct sshkey *k, struct passwd *pw) { int cert_no_port_forwarding_flag = 1; int cert_no_agent_forwarding_flag = 1; int cert_no_x11_forwarding_flag = 1; int cert_no_pty_flag = 1; int cert_no_user_rc = 1; char *cert_forced_command = NULL; int cert_source_address_done = 0; if (sshkey_cert_is_legacy(k)) { /* All options are in the one field for v00 certs */ if (parse_option_list(buffer_ptr(k->cert->critical), buffer_len(k->cert->critical), pw, OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, &cert_no_port_forwarding_flag, &cert_no_agent_forwarding_flag, &cert_no_x11_forwarding_flag, &cert_no_pty_flag, &cert_no_user_rc, &cert_forced_command, &cert_source_address_done) == -1) return -1; } else { /* Separate options and extensions for v01 certs */ if (parse_option_list(buffer_ptr(k->cert->critical), buffer_len(k->cert->critical), pw, OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, &cert_forced_command, &cert_source_address_done) == -1) return -1; if (parse_option_list(buffer_ptr(k->cert->extensions), buffer_len(k->cert->extensions), pw, OPTIONS_EXTENSIONS, 1, &cert_no_port_forwarding_flag, &cert_no_agent_forwarding_flag, &cert_no_x11_forwarding_flag, &cert_no_pty_flag, &cert_no_user_rc, NULL, NULL) == -1) return -1; } no_port_forwarding_flag |= cert_no_port_forwarding_flag; no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; no_x11_forwarding_flag |= cert_no_x11_forwarding_flag; no_pty_flag |= cert_no_pty_flag; no_user_rc |= cert_no_user_rc; /* CA-specified forced command supersedes key option */ if (cert_forced_command != NULL) { if (forced_command != NULL) xfree(forced_command); forced_command = cert_forced_command; } return 0; }
/* Load private key and certificate */ int sshkey_load_private_cert(int type, const char *filename, const char *passphrase, struct sshkey **keyp, int *perm_ok) { struct sshkey *key = NULL, *cert = NULL; int r; *keyp = NULL; switch (type) { #ifdef WITH_OPENSSL case KEY_RSA: case KEY_DSA: case KEY_ECDSA: case KEY_ED25519: #endif /* WITH_OPENSSL */ case KEY_UNSPEC: break; default: return SSH_ERR_KEY_TYPE_UNKNOWN; } if ((r = sshkey_load_private_type(type, filename, passphrase, &key, NULL, perm_ok)) != 0 || (r = sshkey_load_cert(filename, &cert)) != 0) goto out; /* Make sure the private key matches the certificate */ if (sshkey_equal_public(key, cert) == 0) { r = SSH_ERR_KEY_CERT_MISMATCH; goto out; } if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 || (r = sshkey_cert_copy(cert, key)) != 0) goto out; r = 0; *keyp = key; key = NULL; out: if (key != NULL) sshkey_free(key); if (cert != NULL) sshkey_free(cert); return r; }