forked from google/hiba
-
Notifications
You must be signed in to change notification settings - Fork 0
/
certificates.c
201 lines (175 loc) · 5.11 KB
/
certificates.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
/*
* Copyright 2021 The HIBA Authors
*
* Use of this source code is governed by a BSD-style
* license that can be found in the LICENSE file or at
* https://developers.google.com/open-source/licenses/bsd
*/
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include "certificates.h"
#include "errors.h"
#include "log.h"
#include "ssh2.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "xmalloc.h"
struct hibacert {
struct sshkey *key;
struct hibaext **exts;
int nexts;
};
struct hibacert*
hibacert_new() {
struct hibacert *cert = calloc(sizeof(struct hibacert), 1);
return cert;
}
void
hibacert_free(struct hibacert *cert) {
int i;
if (cert == NULL)
return;
for (i = 0; i < cert->nexts; ++i)
hibaext_free(cert->exts[i]);
sshkey_free(cert->key);
free(cert->exts);
free(cert);
}
int
hibacert_from_ext(struct hibacert *cert, struct hibaext *ext,
const char *principal, u_int64_t validity,
u_int64_t serial) {
if (cert == NULL || ext == NULL)
return HIBA_BAD_PARAMS;
// Create a dummy SSH certificate to support standalone HIBA extensions.
// The KEY_RSA_CERT type is picked at random and doesn't matter.
cert->key = sshkey_new(KEY_RSA_CERT);
cert->key->cert->serial = serial;
cert->key->cert->valid_after = validity;
if (principal != NULL) {
cert->key->cert->nprincipals = 1;
cert->key->cert->principals = calloc(sizeof(char*), 1);
cert->key->cert->principals[0] = strdup(principal);
}
cert->nexts = 1;
cert->exts = calloc(sizeof(struct hibaext*), 1);
cert->exts[0] = ext;
return HIBA_OK;
}
int
hibacert_load_extensions(struct hibacert *cert, struct sshbuf *extensions) {
int pos = 0;
int ret = 0;
size_t i = 0;
size_t len = 0;
u_int32_t magic;
const char *data = NULL;
if ((ret = sshbuf_peek_u32(extensions, 0, &magic)) < 0) {
debug3("hibacert_load_extensions: sshbuf_peek_u32 returned %d: %s", ret, ssh_err(ret));
return HIBA_INTERNAL_ERROR;
}
if ((ret = sshbuf_get_string_direct(extensions, (const unsigned char**)&data, &len)) < 0) {
debug3("hibacert_load_extensions: sshbuf_get_string_direct returned %d: %s", ret, ssh_err(ret));
return HIBA_INTERNAL_ERROR;
}
debug3("hibacert_load_extensions: total extension len %zu", len);
while (i < len) {
int extension_len = 0;
if ((i == 0) && (magic == HIBA_MAGIC)) {
// there is a chance we have a single extension in
// the raw serialized format.
extension_len = len;
i = len - 1;
} else if (data[i] == ',') {
extension_len = i - pos;
} else if (i == len - 1) {
extension_len = len - pos;
}
if (extension_len > 0) {
struct sshbuf *blob = sshbuf_new();
debug3("hibacert_load_extensions: found extension [%d, %zu]: %.*s", pos, i, extension_len, data+pos);
sshbuf_put(blob, data+pos, extension_len);
cert->exts = xreallocarray(cert->exts, cert->nexts + 1, sizeof(struct hibaext*));
cert->nexts++;
cert->exts[cert->nexts - 1] = hibaext_new();
ret = hibaext_decode(cert->exts[cert->nexts - 1], blob);
sshbuf_free(blob);
if (ret < 0) {
break;
}
pos = i+1;
}
++i;
};
return ret;
}
int
hibacert_parse(struct hibacert *cert, struct sshkey *key) {
int ret = HIBA_OK;
char *expected_hiba_ext = NULL;
struct sshbuf *extensions = NULL;
if (key == NULL || cert == NULL)
return HIBA_BAD_PARAMS;
if (!sshkey_is_cert(key))
return HIBA_BAD_PARAMS;
cert->key = key;
if (sshbuf_len(cert->key->cert->extensions) == 0)
return HIBA_OK;
if ((extensions = sshbuf_fromb(cert->key->cert->extensions)) == NULL)
return HIBA_INTERNAL_ERROR;
// Look for HIBA extensions
debug2("hibacert_parse: looking for HIBA extensions for cert type %d", cert->key->cert->type);
if (cert->key->cert->type == SSH2_CERT_TYPE_HOST) {
expected_hiba_ext = HIBA_IDENTITY_ID;
} else if (cert->key->cert->type == SSH2_CERT_TYPE_USER) {
expected_hiba_ext = HIBA_GRANT_ID;
} else {
ret = HIBA_BAD_PARAMS;
goto err;
}
while (sshbuf_len(extensions) != 0) {
size_t len = 0;
const char *name = NULL;
if ((ret = sshbuf_get_string_direct(extensions, (const unsigned char**)&name, &len)) < 0) {
debug3("hibacert_parse: sshbuf_get_string_direct returned %d: %s", ret, ssh_err(ret));
ret = HIBA_INTERNAL_ERROR;
goto err;
}
debug2("hibacert_parse: found extension %s (%zu) vs %s (%zu)", name, len, expected_hiba_ext, strlen(expected_hiba_ext));
if (strncmp(name, expected_hiba_ext, len) == 0) {
struct sshbuf *extension;
if ((ret = sshbuf_froms(extensions, &extension)) < 0) {
debug3("hibacert_parse: sshbuf_froms returned %d: %s", ret, ssh_err(ret));
ret = HIBA_INTERNAL_ERROR;
goto err;
}
if ((ret = hibacert_load_extensions(cert, extension)) < 0) {
sshbuf_free(extension);
goto err;
}
sshbuf_free(extension);
} else {
sshbuf_skip_string(extensions);
}
}
err:
sshbuf_free(extensions);
return ret;
}
struct sshkey_cert*
hibacert_cert(const struct hibacert *cert) {
if (cert == NULL)
return NULL;
return cert->key->cert;
}
int
hibacert_hibaexts(const struct hibacert *cert, struct hibaext ***exts, int *len) {
if (cert == NULL)
return HIBA_BAD_PARAMS;
if (exts != NULL)
*exts = cert->exts;
if (len != NULL)
*len = cert->nexts;
return HIBA_OK;
}