You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
108 lines
3.3 KiB
108 lines
3.3 KiB
9 months ago
|
From 4a41d245d6b13bd3882c8dc058dbd2e2b39a9f67 Mon Sep 17 00:00:00 2001
|
||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||
|
Date: Fri, 24 Jan 2020 00:27:04 +0000
|
||
|
Subject: [PATCH] upstream: when signing a certificate with an RSA key, default
|
||
|
to
|
||
|
|
||
|
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
|
||
|
the user; ok markus@
|
||
|
|
||
|
OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
|
||
|
---
|
||
|
ssh-keygen.c | 14 +++++++++-----
|
||
|
1 file changed, 9 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||
|
index 564c3c481..f2192edb9 100644
|
||
|
--- a/ssh-keygen.c
|
||
|
+++ b/ssh-keygen.c
|
||
|
@@ -1788,10 +1788,14 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
|
||
|
}
|
||
|
free(tmp);
|
||
|
|
||
|
- if (key_type_name != NULL &&
|
||
|
- sshkey_type_from_name(key_type_name) != ca->type) {
|
||
|
- fatal("CA key type %s doesn't match specified %s",
|
||
|
- sshkey_ssh_name(ca), key_type_name);
|
||
|
+ if (key_type_name != NULL) {
|
||
|
+ if (sshkey_type_from_name(key_type_name) != ca->type) {
|
||
|
+ fatal("CA key type %s doesn't match specified %s",
|
||
|
+ sshkey_ssh_name(ca), key_type_name);
|
||
|
+ }
|
||
|
+ } else if (ca->type == KEY_RSA) {
|
||
|
+ /* Default to a good signature algorithm */
|
||
|
+ key_type_name = "rsa-sha2-512";
|
||
|
}
|
||
|
|
||
|
for (i = 0; i < argc; i++) {
|
||
|
|
||
|
From 476e3551b2952ef73acc43d995e832539bf9bc4d Mon Sep 17 00:00:00 2001
|
||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||
|
Date: Mon, 20 May 2019 00:20:35 +0000
|
||
|
Subject: [PATCH] upstream: When signing certificates with an RSA key, default
|
||
|
to
|
||
|
|
||
|
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
|
||
|
will therefore be incompatible with OpenSSH < 7.2 unless the default is
|
||
|
overridden.
|
||
|
|
||
|
Document the ability of the ssh-keygen -t flag to override the
|
||
|
signature algorithm when signing certificates, and the new default.
|
||
|
|
||
|
ok deraadt@
|
||
|
|
||
|
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
|
||
|
---
|
||
|
ssh-keygen.1 | 13 +++++++++++--
|
||
|
sshkey.c | 9 ++++++++-
|
||
|
2 files changed, 19 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||
|
index f29774249..673bf6e2f 100644
|
||
|
--- a/ssh-keygen.1
|
||
|
+++ b/ssh-keygen.1
|
||
|
@@ -35,7 +35,7 @@
|
||
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
.\"
|
||
|
-.Dd $Mdocdate: March 5 2019 $
|
||
|
+.Dd $Mdocdate: May 20 2019 $
|
||
|
.Dt SSH-KEYGEN 1
|
||
|
.Os
|
||
|
.Sh NAME
|
||
|
@@ -577,6 +577,15 @@ The possible values are
|
||
|
.Dq ed25519 ,
|
||
|
or
|
||
|
.Dq rsa .
|
||
|
+.Pp
|
||
|
+This flag may also be used to specify the desired signature type when
|
||
|
+signing certificates using a RSA CA key.
|
||
|
+The available RSA signature variants are
|
||
|
+.Dq ssh-rsa
|
||
|
+(SHA1 signatures, not recommended),
|
||
|
+.Dq rsa-sha2-256
|
||
|
+.Dq rsa-sha2-512
|
||
|
+(the default).
|
||
|
.It Fl U
|
||
|
When used in combination with
|
||
|
.Fl s ,
|
||
|
diff --git a/sshkey.c b/sshkey.c
|
||
|
index 9849cb237..379a579cf 100644
|
||
|
--- a/sshkey.c
|
||
|
+++ b/sshkey.c
|
||
|
@@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
|
||
|
strcmp(alg, k->cert->signature_type) != 0)
|
||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||
|
|
||
|
+ /*
|
||
|
+ * If no signing algorithm or signature_type was specified and we're
|
||
|
+ * using a RSA key, then default to a good signature algorithm.
|
||
|
+ */
|
||
|
+ if (alg == NULL && ca->type == KEY_RSA)
|
||
|
+ alg = "rsa-sha2-512";
|
||
|
+
|
||
|
if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
|
||
|
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
|
||
|
|
||
|
|