Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(58)

Side by Side Diff: ssh/certs.go

Issue 13272055: code review 13272055: go.crypto/ssh: fix certificate parsing/marshaling. (Closed)
Patch Set: diff -r 2cd6b3b93cdb https://code.google.com/p/go.crypto Created 10 years, 5 months ago
Left:
Right:
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View unified diff | Download patch
« no previous file with comments | « ssh/agent.go ('k') | ssh/common.go » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2012 The Go Authors. All rights reserved. 1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style 2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file. 3 // license that can be found in the LICENSE file.
4 4
5 package ssh 5 package ssh
6 6
7 import ( 7 import (
8 "time" 8 "time"
9 ) 9 )
10 10
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
53 } 53 }
54 54
55 var certAlgoNames = map[string]string{ 55 var certAlgoNames = map[string]string{
56 KeyAlgoRSA: CertAlgoRSAv01, 56 KeyAlgoRSA: CertAlgoRSAv01,
57 KeyAlgoDSA: CertAlgoDSAv01, 57 KeyAlgoDSA: CertAlgoDSAv01,
58 KeyAlgoECDSA256: CertAlgoECDSA256v01, 58 KeyAlgoECDSA256: CertAlgoECDSA256v01,
59 KeyAlgoECDSA384: CertAlgoECDSA384v01, 59 KeyAlgoECDSA384: CertAlgoECDSA384v01,
60 KeyAlgoECDSA521: CertAlgoECDSA521v01, 60 KeyAlgoECDSA521: CertAlgoECDSA521v01,
61 } 61 }
62 62
63 // certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
64 // Panics if a non-certificate algorithm is passed.
65 func certToPrivAlgo(algo string) string {
66 for privAlgo, pubAlgo := range certAlgoNames {
67 if pubAlgo == algo {
68 return privAlgo
69 }
70 }
71 panic("unknown cert algorithm")
72 }
73
63 func (c *OpenSSHCertV01) PublicKeyAlgo() string { 74 func (c *OpenSSHCertV01) PublicKeyAlgo() string {
64 algo, ok := certAlgoNames[c.Key.PublicKeyAlgo()] 75 algo, ok := certAlgoNames[c.Key.PublicKeyAlgo()]
65 if !ok { 76 if !ok {
66 panic("unknown cert key type") 77 panic("unknown cert key type")
67 } 78 }
68 return algo 79 return algo
69 } 80 }
70 81
71 func (c *OpenSSHCertV01) PrivateKeyAlgo() string { 82 func (c *OpenSSHCertV01) PrivateKeyAlgo() string {
72 return c.Key.PrivateKeyAlgo() 83 return c.Key.PrivateKeyAlgo()
73 } 84 }
74 85
75 func (c *OpenSSHCertV01) Verify(data []byte, sig []byte) bool { 86 func (c *OpenSSHCertV01) Verify(data []byte, sig []byte) bool {
76 return c.Key.Verify(data, sig) 87 return c.Key.Verify(data, sig)
77 } 88 }
78 89
79 func parseOpenSSHCertV01(in []byte, algo string) (out *OpenSSHCertV01, rest []by te, ok bool) { 90 func parseOpenSSHCertV01(in []byte, algo string) (out *OpenSSHCertV01, rest []by te, ok bool) {
80 cert := new(OpenSSHCertV01) 91 cert := new(OpenSSHCertV01)
81 92
82 if cert.Nonce, in, ok = parseString(in); !ok { 93 if cert.Nonce, in, ok = parseString(in); !ok {
83 return 94 return
84 } 95 }
85 96
86 » cert.Key, in, ok = ParsePublicKey(in) 97 » privAlgo := certToPrivAlgo(algo)
98 » cert.Key, in, ok = parsePubKey(in, privAlgo)
87 if !ok { 99 if !ok {
88 return 100 return
89 } 101 }
90 102
91 » if cert.Key.PrivateKeyAlgo() != algo { 103 » // We test PublicKeyAlgo to make sure we don't use some weird sub-cert.
104 » if cert.Key.PublicKeyAlgo() != privAlgo {
92 ok = false 105 ok = false
93 return 106 return
94 } 107 }
95 108
96 if cert.Serial, in, ok = parseUint64(in); !ok { 109 if cert.Serial, in, ok = parseUint64(in); !ok {
97 return 110 return
98 } 111 }
99 112
100 if cert.Type, in, ok = parseUint32(in); !ok || cert.Type != UserCert && cert.Type != HostCert { 113 if cert.Type, in, ok = parseUint32(in); !ok || cert.Type != UserCert && cert.Type != HostCert {
101 return 114 return
(...skipping 30 matching lines...) Expand all
132 } 145 }
133 146
134 if cert.Reserved, in, ok = parseString(in); !ok { 147 if cert.Reserved, in, ok = parseString(in); !ok {
135 return 148 return
136 } 149 }
137 150
138 sigKey, in, ok := parseString(in) 151 sigKey, in, ok := parseString(in)
139 if !ok { 152 if !ok {
140 return 153 return
141 } 154 }
142 » if cert.SignatureKey, _, ok = parsePubKey(sigKey); !ok { 155 » if cert.SignatureKey, _, ok = ParsePublicKey(sigKey); !ok {
143 return 156 return
144 } 157 }
145 158
146 if cert.Signature, in, ok = parseSignature(in); !ok { 159 if cert.Signature, in, ok = parseSignature(in); !ok {
147 return 160 return
148 } 161 }
149 162
150 ok = true 163 ok = true
151 return cert, in, ok 164 return cert, in, ok
152 } 165 }
153 166
154 func (cert *OpenSSHCertV01) Marshal() []byte { 167 func (cert *OpenSSHCertV01) Marshal() []byte {
155 » pubKey := MarshalPublicKey(cert.Key) 168 » pubKey := cert.Key.Marshal()
156
157 sigKey := MarshalPublicKey(cert.SignatureKey) 169 sigKey := MarshalPublicKey(cert.SignatureKey)
158 170
159 length := stringLength(len(cert.Nonce)) 171 length := stringLength(len(cert.Nonce))
160 length += len(pubKey) 172 length += len(pubKey)
161 length += 8 // Length of Serial 173 length += 8 // Length of Serial
162 length += 4 // Length of Type 174 length += 4 // Length of Type
163 length += stringLength(len(cert.KeyId)) 175 length += stringLength(len(cert.KeyId))
164 length += lengthPrefixedNameListLength(cert.ValidPrincipals) 176 length += lengthPrefixedNameListLength(cert.ValidPrincipals)
165 length += 8 // Length of ValidAfter 177 length += 8 // Length of ValidAfter
166 length += 8 // Length of ValidBefore 178 length += 8 // Length of ValidBefore
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
304 316
305 func parseSignature(in []byte) (out *signature, rest []byte, ok bool) { 317 func parseSignature(in []byte) (out *signature, rest []byte, ok bool) {
306 var sigBytes []byte 318 var sigBytes []byte
307 if sigBytes, rest, ok = parseString(in); !ok { 319 if sigBytes, rest, ok = parseString(in); !ok {
308 return 320 return
309 } 321 }
310 322
311 // TODO(hanwen): this is a bug; 'rest' gets swallowed. 323 // TODO(hanwen): this is a bug; 'rest' gets swallowed.
312 return parseSignatureBody(sigBytes) 324 return parseSignatureBody(sigBytes)
313 } 325 }
OLDNEW
« no previous file with comments | « ssh/agent.go ('k') | ssh/common.go » ('j') | no next file with comments »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b