src/pki_crypto.c pki_publickey_to_blob() should not be used to export public key from

private keys for ecdsa keys. ssh_userauth_publickey() calls ssh_pki_export_pubkey_blob() and tries to export the the public key from private key if public keys are not already imported into pkcs #11 tokens. Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2025-11-29 01:03:57 +03:00 · 2020-05-14 16:18:03 +02:00
parent 641a80be74
commit 7de9722d23
1 changed files with 8 additions and 0 deletions
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1330,6 +1330,14 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
                return NULL;
            }

+#ifdef WITH_PKCS11_URI
+            if (ssh_key_is_private(key) && !EC_KEY_get0_public_key(key->ecdsa)) {
+                SSH_LOG(SSH_LOG_INFO, "It is mandatory to have separate public"
+                        " ECDSA key objects in the PKCS #11 device. Unlike RSA,"
+                        " ECDSA public keys cannot be derived from their private keys.");
+                goto fail;
+            }
+#endif
            e = make_ecpoint_string(EC_KEY_get0_group(key->ecdsa),
                                    EC_KEY_get0_public_key(key->ecdsa));
            if (e == NULL) {