Blame SOURCES/0071-utils-refactor-ssh-key-extraction-OpenSSL.patch

71e593
From ad3356d105835718f57edb7844e1fed911770610 Mon Sep 17 00:00:00 2001
71e593
From: Sumit Bose <sbose@redhat.com>
71e593
Date: Wed, 14 Nov 2018 15:02:33 +0100
71e593
Subject: [PATCH 71/74] utils: refactor ssh key extraction (OpenSSL)
71e593
71e593
Prepare the current code to allow adding other key types.
71e593
71e593
Related to https://pagure.io/SSSD/sssd/issue/3887
71e593
71e593
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
71e593
---
71e593
 src/util/cert/libcrypto/cert.c | 87 +++++++++++++++++++++-------------
71e593
 1 file changed, 53 insertions(+), 34 deletions(-)
71e593
71e593
diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c
71e593
index c8e07837f..d925c5c5b 100644
71e593
--- a/src/util/cert/libcrypto/cert.c
71e593
+++ b/src/util/cert/libcrypto/cert.c
71e593
@@ -171,17 +171,13 @@ done:
71e593
 #define SSH_RSA_HEADER "ssh-rsa"
71e593
 #define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1)
71e593
 
71e593
-errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,
71e593
-                              const uint8_t *der_blob, size_t der_size,
71e593
-                              uint8_t **key_blob, size_t *key_size)
71e593
+static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
71e593
+                                  uint8_t **key_blob, size_t *key_size)
71e593
 {
71e593
     int ret;
71e593
+    size_t c;
71e593
     size_t size;
71e593
-    const unsigned char *d;
71e593
     uint8_t *buf = NULL;
71e593
-    size_t c;
71e593
-    X509 *cert = NULL;
71e593
-    EVP_PKEY *cert_pub_key = NULL;
71e593
     const BIGNUM *n;
71e593
     const BIGNUM *e;
71e593
     int modulus_len;
71e593
@@ -189,33 +185,6 @@ errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,
71e593
     int exponent_len;
71e593
     unsigned char exponent[OPENSSL_RSA_MAX_PUBEXP_BITS/8];
71e593
 
71e593
-    if (der_blob == NULL || der_size == 0) {
71e593
-        return EINVAL;
71e593
-    }
71e593
-
71e593
-    d = (const unsigned char *) der_blob;
71e593
-
71e593
-    cert = d2i_X509(NULL, &d, (int) der_size);
71e593
-    if (cert == NULL) {
71e593
-        DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n");
71e593
-        return EINVAL;
71e593
-    }
71e593
-
71e593
-    cert_pub_key = X509_get_pubkey(cert);
71e593
-    if (cert_pub_key == NULL) {
71e593
-        DEBUG(SSSDBG_OP_FAILURE, "X509_get_pubkey failed.\n");
71e593
-        ret = EIO;
71e593
-        goto done;
71e593
-    }
71e593
-
71e593
-    if (EVP_PKEY_base_id(cert_pub_key) != EVP_PKEY_RSA) {
71e593
-        DEBUG(SSSDBG_CRIT_FAILURE,
71e593
-              "Expected RSA public key, found unsupported [%d].\n",
71e593
-              EVP_PKEY_base_id(cert_pub_key));
71e593
-        ret = EINVAL;
71e593
-        goto done;
71e593
-    }
71e593
-
71e593
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
71e593
     RSA *rsa_pub_key = NULL;
71e593
     rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key);
71e593
@@ -268,6 +237,56 @@ done:
71e593
     if (ret != EOK)  {
71e593
         talloc_free(buf);
71e593
     }
71e593
+
71e593
+    return ret;
71e593
+}
71e593
+
71e593
+errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,
71e593
+                              const uint8_t *der_blob, size_t der_size,
71e593
+                              uint8_t **key_blob, size_t *key_size)
71e593
+{
71e593
+    int ret;
71e593
+    const unsigned char *d;
71e593
+    X509 *cert = NULL;
71e593
+    EVP_PKEY *cert_pub_key = NULL;
71e593
+
71e593
+    if (der_blob == NULL || der_size == 0) {
71e593
+        return EINVAL;
71e593
+    }
71e593
+
71e593
+    d = (const unsigned char *) der_blob;
71e593
+
71e593
+    cert = d2i_X509(NULL, &d, (int) der_size);
71e593
+    if (cert == NULL) {
71e593
+        DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n");
71e593
+        return EINVAL;
71e593
+    }
71e593
+
71e593
+    cert_pub_key = X509_get_pubkey(cert);
71e593
+    if (cert_pub_key == NULL) {
71e593
+        DEBUG(SSSDBG_OP_FAILURE, "X509_get_pubkey failed.\n");
71e593
+        ret = EIO;
71e593
+        goto done;
71e593
+    }
71e593
+
71e593
+    switch (EVP_PKEY_base_id(cert_pub_key)) {
71e593
+    case EVP_PKEY_RSA:
71e593
+        ret = rsa_pub_key_to_ssh(mem_ctx, cert_pub_key, key_blob, key_size);
71e593
+        if (ret != EOK) {
71e593
+            DEBUG(SSSDBG_OP_FAILURE, "rsa_pub_key_to_ssh failed.\n");
71e593
+            goto done;
71e593
+        }
71e593
+        break;
71e593
+    default:
71e593
+        DEBUG(SSSDBG_CRIT_FAILURE,
71e593
+              "Expected RSA public key, found unsupported [%d].\n",
71e593
+              EVP_PKEY_base_id(cert_pub_key));
71e593
+        ret = EINVAL;
71e593
+        goto done;
71e593
+    }
71e593
+
71e593
+done:
71e593
+
71e593
     EVP_PKEY_free(cert_pub_key);
71e593
     X509_free(cert);
71e593
 
71e593
-- 
71e593
2.19.1
71e593