Bugzilla – Attachment 2677 Details for
Bug 2432
ssh-keygen and tools should be able to get public part directly from private key (portability)
[patch]
read public part from private key in (not only in ssh-keygen).
file_2432.txt (text/plain), 5.82 KB, created by
Jakub Jelen
on 2015-07-23 17:28:24 AEST
Description:
read public part from private key in (not only in ssh-keygen).
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2015-07-23 17:28:24 AEST
Size:
5.82 KB
patch
obsolete
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index 8259d87..ef6e611 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
>@@ -779,7 +779,7 @@ do_download(struct passwd *pw)
> fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
> rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
> 
>- pkcs11_init(0);
>+ pkcs11_init(1);
> nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
> if (nkeys <= 0)
> fatal("cannot read public key from pkcs11");
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 7c38d9e..8cc8f50 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -216,6 +216,41 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> return (ret);
> }
> 
>+static int
>+pkcs11_do_login(CK_FUNCTION_LIST *f, struct pkcs11_slotinfo *si)
>+{
>+ char *pin = NULL, prompt[1024];
>+ CK_RV rv;
>+
>+ if (!pkcs11_interactive) {
>+ error("need pin entry%s", (si->token.flags &
>+ CKF_PROTECTED_AUTHENTICATION_PATH) ?
>+ " on reader keypad" : "");
>+ return (-1);
>+ }
>+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+ verbose("Deferring PIN entry to reader keypad.");
>+ else {
>+ snprintf(prompt, sizeof(prompt),
>+ "Enter PIN for '%s': ", si->token.label);
>+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+ if (pin == NULL)
>+ return (-1); /* bail out */
>+ }
>+ rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>+ (pin != NULL) ? strlen(pin) : 0);
>+ if (pin != NULL) {
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+ }
>+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+ error("C_Login failed: %lu", rv);
>+ return (-1);
>+ }
>+ si->logged_in = 1;
>+ return 0;
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
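Review bot: The switch to `pkcs11_init(1)` makes `ssh-keygen -D` ask for a PIN on any token that reports CKF_LOGIN_REQUIRED, and nothing in the hunk documents that; tokens whose public objects were readable without a login previously produced their listing with no prompt at all. The ssh-keygen(1) text for -D should say that a PIN may be requested, and it appears the prompt is not fatal for the listing, since the reworked pkcs11_open_session returns 0 after a failed interactive login and the prompt is read with RP_ALLOW_EOF, as far as the diff shows. do_download's body starts and ends outside the hunk.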
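Review bot: The new pkcs11_do_login() has no header comment, and its preconditions are easy to get wrong: it reads si->session, so the caller must have stored an open session in the slotinfo before the call (the interactive branch added to pkcs11_open_session does this by hand), and si->logged_in is set only on success. A comment above `static int` should state that the function logs the user in to si->session, prompting for the PIN or deferring to the reader keypad, that the PIN it reads is zeroed and freed before returning, and that it returns 0 on success and -1 when non-interactive, on EOF at the prompt, or on C_Login failure. Two small style points: `strlen(pin)` is evaluated twice where a single `size_t` local would do, and `return 0;` should be `return (0);` to match the parenthesised returns used throughout this file.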
>@@ -237,7 +272,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> {CKA_ID, NULL, 0},
> {CKA_SIGN, NULL, sizeof(true_val) }
> };
>- char *pin = NULL, prompt[1024];
> int rval = -1;
> 
> key_filter[0].pValue = &private_key_class;
>@@ -254,32 +288,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> f = k11->provider->function_list;
> si = &k11->provider->slotinfo[k11->slotidx];
> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>- if (!pkcs11_interactive) {
>- error("need pin entry%s", (si->token.flags &
>- CKF_PROTECTED_AUTHENTICATION_PATH) ?
>- " on reader keypad" : "");
>+ if (pkcs11_do_login(f, si) != 0)
> return (-1);
>- }
>- if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>- verbose("Deferring PIN entry to reader keypad.");
>- else {
>- snprintf(prompt, sizeof(prompt),
>- "Enter PIN for '%s': ", si->token.label);
>- pin = read_passphrase(prompt, RP_ALLOW_EOF);
>- if (pin == NULL)
>- return (-1); /* bail out */
>- }
>- rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>- (pin != NULL) ? strlen(pin) : 0);
>- if (pin != NULL) {
>- explicit_bzero(pin, strlen(pin));
>- free(pin);
>- }
>- if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>- error("C_Login failed: %lu", rv);
>- return (-1);
>- }
>- si->logged_in = 1;
> }
> key_filter[1].pValue = k11->keyid;
> key_filter[1].ulValueLen = k11->keyid_len;
>@@ -375,16 +385,22 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
> error("C_OpenSession failed: %lu", rv);
> return (-1);
> }
>- if (login_required && pin) {
>- rv = f->C_Login(session, CKU_USER,
>- (u_char *)pin, strlen(pin));
>- if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>- error("C_Login failed: %lu", rv);
>- if ((rv = f->C_CloseSession(session)) != CKR_OK)
>- error("C_CloseSession failed: %lu", rv);
>- return (-1);
>+ if (login_required) {
>+ if (pin) {
>+ rv = f->C_Login(session, CKU_USER,
>+ (u_char *)pin, strlen(pin));
>+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+ error("C_Login failed: %lu", rv);
>+ if ((rv = f->C_CloseSession(session)) != CKR_OK)
>+ error("C_CloseSession failed: %lu", rv);
>+ return (-1);
>+ }
>+ p->slotinfo[slotidx].logged_in = 1;
>+ } else if (pkcs11_interactive) {
>+ p->slotinfo[slotidx].session = session;
>+ if (pkcs11_do_login(f, &(p->slotinfo[slotidx])) != 0)
>+ return (0); // do not treat failed login as fatal
> }
>- p->slotinfo[slotidx].logged_in = 1;
> }
> p->slotinfo[slotidx].session = session;
> return (0);
>@@ -404,10 +420,14 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
> struct sshkey ***keysp, int *nkeys)
> {
> CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
>+ CK_OBJECT_CLASS private_class = CKO_PRIVATE_KEY;
> CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
> CK_ATTRIBUTE pubkey_filter[] = {
> { CKA_CLASS, NULL, sizeof(pubkey_class) }
> };
>+ CK_ATTRIBUTE private_filter[] = {
>+ { CKA_CLASS, NULL, sizeof(private_class) }
>+ };
> CK_ATTRIBUTE cert_filter[] = {
> { CKA_CLASS, NULL, sizeof(cert_class) }
> };
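Review bot: The `return (0)` after a failed pkcs11_do_login() in pkcs11_open_session reaches exactly the same state as falling through (the session has already been stored in the slotinfo and the function returns 0 a few lines below), so the conditional is dead; `(void)pkcs11_do_login(f, &p->slotinfo[slotidx]);` preceded by `/* a failed interactive login is not fatal: public objects stay readable */` says the same thing without an early exit and drops the `//` comment, which is out of step with the `/* */` comments in this file. The assignment to `.session` before the call is needed because pkcs11_do_login() reads si->session, and a one-line comment saying so would stop a later cleanup from removing the apparent duplicate. The asymmetry is worth stating too: a failed login with a caller-supplied pin closes the session and returns -1, whereas a failed interactive login leaves the session open with logged_in still 0, so pkcs11_rsa_private_encrypt will prompt again at signing time.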
>@@ -416,17 +436,25 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
> { CKA_MODULUS, NULL, 0 },
> { CKA_PUBLIC_EXPONENT, NULL, 0 }
> };
>+ CK_ATTRIBUTE *private_attribs = {
>+ { CKA_ID, NULL, 0 },
>+ { CKA_MODULUS, NULL, 0 },
>+ { CKA_PUBLIC_EXPONENT, NULL, 0 }
>+ };
> CK_ATTRIBUTE cert_attribs[] = {
> { CKA_ID, NULL, 0 },
> { CKA_SUBJECT, NULL, 0 },
> { CKA_VALUE, NULL, 0 }
> };
> pubkey_filter[0].pValue = &pubkey_class;
>+ private_filter[0].pValue = &private_class;
> cert_filter[0].pValue = &cert_class;
> 
> if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
> keysp, nkeys) < 0 ||
> pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
>+ keysp, nkeys) < 0 ||
>+ pkcs11_fetch_keys_filter(p, slotidx, private_filter, private_attribs,
> keysp, nkeys) < 0)
> return (-1);
> return (0);
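Review bot: `CK_ATTRIBUTE *private_attribs = {` declares a pointer rather than an array, so the three-element brace list is not a valid initializer (a C compiler reports excess elements in a scalar initializer and an integer-to-pointer conversion for CKA_ID), and even if it were accepted private_attribs would not point at the three attribute records that the new pkcs11_fetch_keys_filter() call expects. It should read `CK_ATTRIBUTE private_attribs[] = {`, matching pubkey_attribs and cert_attribs above it. Two further points are inferred, since pkcs11_fetch_keys_filter() is outside the diff: reading CKA_MODULUS and CKA_PUBLIC_EXPONENT from CKO_PRIVATE_KEY objects only pulls public material, but when the token also exposes the matching CKO_PUBLIC_KEY object the same key is enumerated twice unless the filter function already skips duplicates by id; and the private-object search only returns anything on a logged-in session, which is why the new interactive login in pkcs11_open_session is load-bearing for this hunk and deserves a comment at the added call.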