From de8f36c93c22f4683bed4bb20037613a3a55bbd3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 22 Sep 2023 23:20:09 +0200
Subject: [PATCH] pki: Support comparing keys with certificates

Signed-off-by: Jakub Jelen
Reviewed-by: Sahana Prasad
---
 src/pki.c | 2 +-
 src/pki_crypto.c | 5 +++--
 src/pki_gcrypt.c | 18 +++++++++---------
 src/pki_mbedcrypto.c | 2 +-
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/src/pki.c b/src/pki.c
index eed79f0c..96e128c2 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -664,7 +664,7 @@ int ssh_key_cmp(const ssh_key k1,
 return 1;
 }
 
- if (k1->type != k2->type) {
+ if (ssh_key_type_plain(k1->type) != ssh_key_type_plain(k2->type)) {
 SSH_LOG(SSH_LOG_DEBUG, "key types don't match!");
 return 1;
 }
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index c31ef928..dae1686b 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -814,9 +814,10 @@ int pki_key_compare(const ssh_key k1,
 enum ssh_keycmp_e what)
 {
 int rc;
 
- (void) what;
- switch (k1->type) {
+ (void)what;
+
+ switch (ssh_key_type_plain(k1->type)) {
 case SSH_KEYTYPE_ECDSA_P256:
 case SSH_KEYTYPE_ECDSA_P384:
 case SSH_KEYTYPE_ECDSA_P521:
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index a1674900..0a864493 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1298,6 +1298,7 @@ int pki_key_compare(const ssh_key k1,
 {
 switch (k1->type) {
 case SSH_KEYTYPE_RSA:
+ case SSH_KEYTYPE_RSA_CERT01:
 if (_bignum_cmp(k1->rsa, k2->rsa, "e") != 0) {
 return 1;
 }
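Review bot: Relaxing the type gate to ssh_key_type_plain() makes ssh_key_cmp() treat a certificate and the bare key it wraps as the same key type, but the hunk shows only that gate; the rest of ssh_key_cmp() lies outside it, and if its later ed25519 dispatch still tests the raw `k1->type == SSH_KEYTYPE_ED25519`, an `SSH_KEYTYPE_ED25519_CERT01` key would never reach pki_ed25519_key_cmp() and would fall through to the backend compare instead. That dispatch should normalise the type the same way, e.g. `if (ssh_key_type_plain(k1->type) == SSH_KEYTYPE_ED25519 || ssh_key_type_plain(k1->type) == SSH_KEYTYPE_SK_ED25519) {`, so every ed25519 variant takes the path that actually compares key material. The relaxed contract also deserves a comment above the new condition, something like `/* A certificate compares against the plain key it embeds; the backends below only compare key material, not the certificate body. */`, since callers that relied on cert-vs-key returning "different" will now see a match. ssh_key_cmp() starts before and continues after this hunk.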
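Review bot: The `(void) what;` to `(void)what;` rewrite and the inserted blank line are whitespace-only churn inside a behavioural change to a key-comparison routine; such cosmetic edits are easier to audit in a separate commit, and here they make a one-line functional change look like a three-line one. The normalised switch would also benefit from a one-line note explaining why the raw type is not used, e.g. `/* Certificate key types share the compare path of the plain key they embed. */` above `switch (ssh_key_type_plain(k1->type)) {`. The body of pki_key_compare() continues past the end of the hunk.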
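Review bot: The gcrypt backend keeps switching on the raw `k1->type` (a context line in this hunk) and hand-lists each `*_CERT01` constant next to its plain type, whereas the OpenSSL and mbedTLS backends in the same patch switch on `ssh_key_type_plain(k1->type)`. Any certificate type added later therefore has to be remembered separately in this file or it lands in the `return 1` branch, and the three backends drift apart in how they classify keys. Changing the single context line to `switch (ssh_key_type_plain(k1->type)) {` would make the added `case SSH_KEYTYPE_RSA_CERT01:` line unnecessary and keep the backends in step. pki_key_compare() starts before this hunk and continues after it.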
@@ -1325,13 +1326,19 @@ int pki_key_compare(const ssh_key k1,
 }
 break;
 case SSH_KEYTYPE_ED25519:
+ case SSH_KEYTYPE_ED25519_CERT01:
 case SSH_KEYTYPE_SK_ED25519:
+ case SSH_KEYTYPE_SK_ED25519_CERT01:
 /* ed25519 keys handled globally */
 return 0;
 case SSH_KEYTYPE_ECDSA_P256:
+ case SSH_KEYTYPE_ECDSA_P256_CERT01:
 case SSH_KEYTYPE_ECDSA_P384:
+ case SSH_KEYTYPE_ECDSA_P384_CERT01:
 case SSH_KEYTYPE_ECDSA_P521:
+ case SSH_KEYTYPE_ECDSA_P521_CERT01:
 case SSH_KEYTYPE_SK_ECDSA:
+ case SSH_KEYTYPE_SK_ECDSA_CERT01:
 #ifdef HAVE_GCRYPT_ECC
 if (k1->ecdsa_nid != k2->ecdsa_nid) {
 return 1;
@@ -1348,16 +1355,9 @@ int pki_key_compare(const ssh_key k1,
 }
 break;
 #endif
- case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS: /* deprecated */
 case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
- case SSH_KEYTYPE_RSA_CERT01:
- case SSH_KEYTYPE_ECDSA:
- case SSH_KEYTYPE_ECDSA_P256_CERT01:
- case SSH_KEYTYPE_ECDSA_P384_CERT01:
- case SSH_KEYTYPE_ECDSA_P521_CERT01:
- case SSH_KEYTYPE_SK_ECDSA_CERT01:
- case SSH_KEYTYPE_ED25519_CERT01:
- case SSH_KEYTYPE_SK_ED25519_CERT01:
+ case SSH_KEYTYPE_ECDSA: /* deprecated */
 case SSH_KEYTYPE_RSA1:
 case SSH_KEYTYPE_UNKNOWN:
 return 1;
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 86717ca7..e047239e 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -638,7 +638,7 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
 mbedtls_mpi_init(&E2);
 #endif
 
- switch (k1->type) {
+ switch (ssh_key_type_plain(k1->type)) {
 case SSH_KEYTYPE_RSA: {
 mbedtls_rsa_context *rsa1, *rsa2;
 if (!mbedtls_pk_can_do(k1->rsa, MBEDTLS_PK_RSA) ||
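Review bot: Adding `SSH_KEYTYPE_ED25519_CERT01` and `SSH_KEYTYPE_SK_ED25519_CERT01` to the case that is commented "ed25519 keys handled globally" and returns 0 makes this backend report two such keys as equal without inspecting any key material; that is only safe if the caller in pki.c already diverts every ed25519 variant, certificate types included, to pki_ed25519_key_cmp() before reaching pki_key_compare(), which this patch does not show. Returning 0 is fail-open: should the dispatch miss one of these types, an ed25519 certificate would compare equal to any other ed25519 key, which matters wherever ssh_key_cmp() feeds an authorisation or host-key decision. Safer to fail closed with `return pki_ed25519_key_cmp(k1, k2, what);` (if that helper is visible to this file) or `return 1;` plus a comment that ed25519 must never reach this backend, so the worst outcome of a missed dispatch is a spurious mismatch rather than a false match. pki_key_compare() starts before and ends after this hunk.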