libssh  0.10.6
The SSH library
pki.h
1 /*
2  * This file is part of the SSH Library
3  *
4  * Copyright (c) 2010 by Aris Adamantiadis
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19  */
20 
21 #ifndef PKI_H_
22 #define PKI_H_
23 
24 #include <stdint.h>
25 #include "libssh/priv.h"
26 #ifdef HAVE_OPENSSL_EC_H
27 #include <openssl/ec.h>
28 #endif
29 #ifdef HAVE_OPENSSL_ECDSA_H
30 #include <openssl/ecdsa.h>
31 #endif
32 #ifdef HAVE_LIBCRYPTO
33 #include <openssl/evp.h>
34 #endif
35 #include "libssh/crypto.h"
36 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_ED25519)
37 /* If using OpenSSL implementation, define the signature length which would be
38  * defined in libssh/ed25519.h otherwise */
39 #define ED25519_SIG_LEN 64
40 #else
41 #include "libssh/ed25519.h"
42 #endif
43 /* This definition is used for both OpenSSL and internal implementations */
44 #define ED25519_KEY_LEN 32
45 
46 #define MAX_PUBKEY_SIZE 0x100000 /* 1M */
47 #define MAX_PRIVKEY_SIZE 0x400000 /* 4M */
48 
49 #define SSH_KEY_FLAG_EMPTY 0x0
50 #define SSH_KEY_FLAG_PUBLIC 0x0001
51 #define SSH_KEY_FLAG_PRIVATE 0x0002
52 #define SSH_KEY_FLAG_PKCS11_URI 0x0004
53 
55  enum ssh_keytypes_e type;
56  int flags;
57  const char *type_c; /* Don't free it ! it is static */
58  int ecdsa_nid;
59 #if defined(HAVE_LIBGCRYPT)
60  gcry_sexp_t dsa;
61  gcry_sexp_t rsa;
62  gcry_sexp_t ecdsa;
63 #elif defined(HAVE_LIBMBEDCRYPTO)
64  mbedtls_pk_context *rsa;
65  mbedtls_ecdsa_context *ecdsa;
66  void *dsa;
67 #elif defined(HAVE_LIBCRYPTO)
68 #if OPENSSL_VERSION_NUMBER < 0x30000000L
69  DSA *dsa;
70  RSA *rsa;
71 #endif /* OPENSSL_VERSION_NUMBER */
72 /* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
73  * https://github.com/openssl/openssl/pull/16624
74  * Move into the #if above
75  */
76 # if defined(HAVE_OPENSSL_ECC)
77  EC_KEY *ecdsa;
78 # else
79  void *ecdsa;
80 # endif /* HAVE_OPENSSL_EC_H */
81  /* This holds either ENGINE key for PKCS#11 support or just key in
82  * high-level format required by OpenSSL 3.0 */
83  EVP_PKEY *key;
84 #endif /* HAVE_LIBGCRYPT */
85 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_ED25519)
86  uint8_t *ed25519_pubkey;
87  uint8_t *ed25519_privkey;
88 #else
89  ed25519_pubkey *ed25519_pubkey;
90  ed25519_privkey *ed25519_privkey;
91 #endif
92  ssh_string sk_application;
93  void *cert;
94  enum ssh_keytypes_e cert_type;
95 };
96 
98  enum ssh_keytypes_e type;
99  enum ssh_digest_e hash_type;
100  const char *type_c;
101 #if defined(HAVE_LIBGCRYPT)
102  gcry_sexp_t dsa_sig;
103  gcry_sexp_t rsa_sig;
104  gcry_sexp_t ecdsa_sig;
105 #elif defined(HAVE_LIBMBEDCRYPTO)
106  ssh_string rsa_sig;
107  struct mbedtls_ecdsa_sig ecdsa_sig;
108 #endif /* HAVE_LIBGCRYPT */
109 #if !defined(HAVE_LIBCRYPTO) || !defined(HAVE_OPENSSL_ED25519)
110  ed25519_signature *ed25519_sig;
111 #endif
112  ssh_string raw_sig;
113 
114  /* Security Key specific additions */
115  uint8_t sk_flags;
116  uint32_t sk_counter;
117 };
118 
119 typedef struct ssh_signature_struct *ssh_signature;
120 
121 #ifdef __cplusplus
122 extern "C" {
123 #endif
124 
125 /* SSH Key Functions */
126 void ssh_key_clean (ssh_key key);
127 
128 const char *
130  enum ssh_keytypes_e type);
131 enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name);
132 enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type);
133 enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
134  enum ssh_keytypes_e type);
135 enum ssh_digest_e ssh_key_hash_from_name(const char *name);
136 
137 #define is_ecdsa_key_type(t) \
138  ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
139 
140 #define is_cert_type(kt)\
141  ((kt) == SSH_KEYTYPE_DSS_CERT01 ||\
142  (kt) == SSH_KEYTYPE_RSA_CERT01 ||\
143  (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
144  (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
145  ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
146  (kt) <= SSH_KEYTYPE_ED25519_CERT01))
147 
148 /* SSH Signature Functions */
149 ssh_signature ssh_signature_new(void);
150 void ssh_signature_free(ssh_signature sign);
151 #define SSH_SIGNATURE_FREE(x) \
152  do { ssh_signature_free(x); x = NULL; } while(0)
153 
154 int ssh_pki_export_signature_blob(const ssh_signature sign,
155  ssh_string *sign_blob);
156 int ssh_pki_import_signature_blob(const ssh_string sig_blob,
157  const ssh_key pubkey,
158  ssh_signature *psig);
159 int ssh_pki_signature_verify(ssh_session session,
160  ssh_signature sig,
161  const ssh_key key,
162  const unsigned char *digest,
163  size_t dlen);
164 
165 /* SSH Public Key Functions */
166 int ssh_pki_export_pubkey_blob(const ssh_key key,
167  ssh_string *pblob);
168 int ssh_pki_import_pubkey_blob(const ssh_string key_blob,
169  ssh_key *pkey);
170 
171 int ssh_pki_import_cert_blob(const ssh_string cert_blob,
172  ssh_key *pkey);
173 
174 
175 /* SSH Signing Functions */
176 ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf,
177  const ssh_key privatekey, enum ssh_digest_e hash_type);
178 ssh_string ssh_pki_do_sign_agent(ssh_session session,
179  struct ssh_buffer_struct *buf,
180  const ssh_key pubkey);
181 ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
182  const ssh_key privkey,
183  const enum ssh_digest_e digest);
184 
185 /* Temporary functions, to be removed after migration to ssh_key */
186 ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key);
187 ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key);
188 
189 int ssh_key_algorithm_allowed(ssh_session session, const char *type);
190 bool ssh_key_size_allowed(ssh_session session, ssh_key key);
191 
192 /* Return the key size in bits */
193 int ssh_key_size(ssh_key key);
194 
195 /* PKCS11 URI function to check if filename is a path or a PKCS11 URI */
196 #ifdef WITH_PKCS11_URI
197 bool ssh_pki_is_uri(const char *filename);
198 char *ssh_pki_export_pub_uri_from_priv_uri(const char *priv_uri);
199 #endif /* WITH_PKCS11_URI */
200 
201 #ifdef __cplusplus
202 }
203 #endif
204 
205 #endif /* PKI_H_ */
ssh_private_key_struct
Definition: keys.h:47
ssh_key_type_from_signature_name
enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name)
Convert a ssh key algorithm name to a ssh key algorithm type.
Definition: pki.c:550
ssh_key_struct
Definition: pki.h:54
ssh_key_type_to_hash
enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, enum ssh_keytypes_e type)
Convert a key type to a hash type. This is usually unambiguous for all the key types,...
Definition: pki.c:449
ssh_key_size_allowed
bool ssh_key_size_allowed(ssh_session session, ssh_key key)
Check the given key is acceptable in regards to the key size policy specified by the configuration.
Definition: pki.c:424
ssh_buffer_struct
Definition: buffer.c:48
ssh_session_struct
Definition: session.h:127
ssh_signature_struct
Definition: pki.h:97
ssh_key_get_signature_algorithm
const char * ssh_key_get_signature_algorithm(ssh_session session, enum ssh_keytypes_e type)
Gets signature algorithm name to be used with the given key type.
Definition: pki.c:518
ssh_string_struct
Definition: string.h:33
ssh_key_clean
void ssh_key_clean(ssh_key key)
clean up the key and deallocate all existing keys
Definition: pki.c:160
ssh_public_key_struct
Definition: keys.h:28
ssh_key_type_plain
enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type)
Get the pubic key type corresponding to a certificate type.
Definition: pki.c:627
ssh_key_algorithm_allowed
int ssh_key_algorithm_allowed(ssh_session session, const char *type)
Checks the given key against the configured allowed public key algorithm types.
Definition: pki.c:370