
Delta Between Two Patch Sets: ssh/certs.go

Issue 14540051: code review 14540051: go.crypto/ssh: Add certificate verification, step up su... (Closed)
Left Patch Set: diff -r 5ff5636e18c9 https://code.google.com/p/go.crypto Created 10 years, 5 months ago
Right Patch Set: diff -r 5ff5636e18c9 https://code.google.com/p/go.crypto Created 10 years, 5 months ago
1 // Copyright 2012 The Go Authors. All rights reserved. 1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style 2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file. 3 // license that can be found in the LICENSE file.
4 4
5 package ssh 5 package ssh
6 6
7 import ( 7 import (
8 "time" 8 "time"
9 ) 9 )
10 10
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
45 KeyId string 45 KeyId string
46 ValidPrincipals []string 46 ValidPrincipals []string
47 ValidAfter, ValidBefore time.Time 47 ValidAfter, ValidBefore time.Time
48 CriticalOptions []tuple 48 CriticalOptions []tuple
49 Extensions []tuple 49 Extensions []tuple
50 Reserved []byte 50 Reserved []byte
51 SignatureKey PublicKey 51 SignatureKey PublicKey
52 Signature *signature 52 Signature *signature
53 } 53 }
54 54
55 // validateOpenSSHCertV01Signature uses the cert's SignatureKey to verify that t he 55 // validateOpenSSHCertV01Signature uses the cert's SignatureKey to verify that
jpsugar 2013/10/22 17:01:45 Re-wrap comment please.
jmpittman 2013/10/22 18:52:17 Wrapped to 80.
56 // cert's Signature.Blob is the result of signing the cert bytes starting from 56 // the cert's Signature.Blob is the result of signing the cert bytes starting
57 // the algorithm string and going up to and including the SignatureKey. 57 // from the algorithm string and going up to and including the SignatureKey.
58 func validateOpenSSHCertV01Signature(cert *OpenSSHCertV01) bool { 58 func validateOpenSSHCertV01Signature(cert *OpenSSHCertV01) bool {
59 return cert.SignatureKey.Verify(cert.BytesForSigning(), cert.Signature.B lob) 59 return cert.SignatureKey.Verify(cert.BytesForSigning(), cert.Signature.B lob)
60 } 60 }
61 61
62 var certAlgoNames = map[string]string{ 62 var certAlgoNames = map[string]string{
63 KeyAlgoRSA: CertAlgoRSAv01, 63 KeyAlgoRSA: CertAlgoRSAv01,
64 KeyAlgoDSA: CertAlgoDSAv01, 64 KeyAlgoDSA: CertAlgoDSAv01,
65 KeyAlgoECDSA256: CertAlgoECDSA256v01, 65 KeyAlgoECDSA256: CertAlgoECDSA256v01,
66 KeyAlgoECDSA384: CertAlgoECDSA384v01, 66 KeyAlgoECDSA384: CertAlgoECDSA384v01,
67 KeyAlgoECDSA521: CertAlgoECDSA521v01, 67 KeyAlgoECDSA521: CertAlgoECDSA521v01,
68 } 68 }
69 69
70 // certToPrivAlgo returns the underlying algorithm for a certificate algorithm. 70 // certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
71 // Panics if a non-certificate algorithm is passed. 71 // Panics if a non-certificate algorithm is passed.
72 func certToPrivAlgo(algo string) string { 72 func certToPrivAlgo(algo string) string {
73 for privAlgo, pubAlgo := range certAlgoNames { 73 for privAlgo, pubAlgo := range certAlgoNames {
74 if pubAlgo == algo { 74 if pubAlgo == algo {
75 return privAlgo 75 return privAlgo
76 } 76 }
77 } 77 }
78 panic("unknown cert algorithm") 78 panic("unknown cert algorithm")
79 } 79 }
80 80
81 func (cert *OpenSSHCertV01) marshal(includeAlgo, includeSig bool) []byte { 81 func (cert *OpenSSHCertV01) marshal(includeAlgo, includeSig bool) []byte {
82 algoName := cert.PublicKeyAlgo() 82 algoName := cert.PublicKeyAlgo()
83 pubKey := cert.Key.Marshal() 83 pubKey := cert.Key.Marshal()
84 sigKey := MarshalPublicKey(cert.SignatureKey) 84 sigKey := MarshalPublicKey(cert.SignatureKey)
85 85
86 » length := stringLength(len(cert.Nonce)) 86 » var length int
87 » if includeAlgo {
88 » » length += stringLength(len(algoName))
89 » }
90 » length += stringLength(len(cert.Nonce))
87 length += len(pubKey) 91 length += len(pubKey)
88 length += 8 // Length of Serial 92 length += 8 // Length of Serial
89 length += 4 // Length of Type 93 length += 4 // Length of Type
90 length += stringLength(len(cert.KeyId)) 94 length += stringLength(len(cert.KeyId))
91 length += lengthPrefixedNameListLength(cert.ValidPrincipals) 95 length += lengthPrefixedNameListLength(cert.ValidPrincipals)
92 length += 8 // Length of ValidAfter 96 length += 8 // Length of ValidAfter
93 length += 8 // Length of ValidBefore 97 length += 8 // Length of ValidBefore
94 length += tupleListLength(cert.CriticalOptions) 98 length += tupleListLength(cert.CriticalOptions)
95 length += tupleListLength(cert.Extensions) 99 length += tupleListLength(cert.Extensions)
96 length += stringLength(len(cert.Reserved)) 100 length += stringLength(len(cert.Reserved))
97 length += stringLength(len(sigKey)) 101 length += stringLength(len(sigKey))
98 if includeAlgo {
jpsugar 2013/10/22 17:01:45 I would prefer for this list to be in the same ord
jmpittman 2013/10/22 18:52:17 The order does not matter for the length, but it d
99 length += stringLength(len(algoName))
100 }
101 if includeSig { 102 if includeSig {
102 length += signatureLength(cert.Signature) 103 length += signatureLength(cert.Signature)
103 } 104 }
104 105
105 ret := make([]byte, length) 106 ret := make([]byte, length)
106 r := ret 107 r := ret
107 if includeAlgo { 108 if includeAlgo {
108 r = marshalString(r, []byte(algoName)) 109 r = marshalString(r, []byte(algoName))
109 } 110 }
110 r = marshalString(r, cert.Nonce) 111 r = marshalString(r, cert.Nonce)
(...skipping 235 matching lines...) Expand 10 before | Expand all | Expand 10 after
346 if sigBytes, rest, ok = parseString(in); !ok { 347 if sigBytes, rest, ok = parseString(in); !ok {
347 return 348 return
348 } 349 }
349 350
350 out, sigBytes, ok = parseSignatureBody(sigBytes) 351 out, sigBytes, ok = parseSignatureBody(sigBytes)
351 if !ok || len(sigBytes) > 0 { 352 if !ok || len(sigBytes) > 0 {
352 return nil, nil, false 353 return nil, nil, false
353 } 354 }
354 return 355 return
355 } 356 }
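Review bot: validateOpenSSHCertV01Signature (right column, lines 58–60) dereferences `cert.Signature.Blob` and calls `cert.SignatureKey.Verify` with no nil check, although `Signature` is declared as a pointer (`*signature`, line 52) and `SignatureKey` is an interface value; a certificate that reaches this function with either field unset panics rather than failing closed. A guard such as `if cert.Signature == nil || cert.SignatureKey == nil { return false }` ahead of the `Verify` call would turn that into a plain verification failure. Whether the parser already guarantees both fields are populated is not visible in this delta, so this may be enforced upstream. The function itself is unchanged between the two patch sets apart from the comment re-wrap, so this is a pre-existing point rather than one introduced here. In the same spirit, `certToPrivAlgo` (lines 72–79) panics on an unknown algorithm name, which is only safe if every caller has already checked the name against certAlgoNames; a one-line comment stating that precondition on the function would make the contract explicit.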