pki: Support comparing keys with certificates

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2025-11-29 01:03:57 +03:00 · 2023-09-22 23:20:09 +02:00
parent 44de06e8db
commit de8f36c93c
4 changed files with 14 additions and 13 deletions
--- a/src/pki.c
+++ b/src/pki.c
@@ -664,7 +664,7 @@ int ssh_key_cmp(const ssh_key k1,
        return 1;
    }

-    if (k1->type != k2->type) {
+    if (ssh_key_type_plain(k1->type) != ssh_key_type_plain(k2->type)) {
        SSH_LOG(SSH_LOG_DEBUG, "key types don't match!");
        return 1;
    }
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -814,9 +814,10 @@ int pki_key_compare(const ssh_key k1,
                    enum ssh_keycmp_e what)
 {
    int rc;
+
    (void)what;

-    switch (k1->type) {
+    switch (ssh_key_type_plain(k1->type)) {
        case SSH_KEYTYPE_ECDSA_P256:
        case SSH_KEYTYPE_ECDSA_P384:
        case SSH_KEYTYPE_ECDSA_P521:
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1298,6 +1298,7 @@ int pki_key_compare(const ssh_key k1,
 {
    switch (k1->type) {
        case SSH_KEYTYPE_RSA:
+        case SSH_KEYTYPE_RSA_CERT01:
            if (_bignum_cmp(k1->rsa, k2->rsa, "e") != 0) {
                return 1;
            }
@@ -1325,13 +1326,19 @@ int pki_key_compare(const ssh_key k1,
            }
            break;
        case SSH_KEYTYPE_ED25519:
+        case SSH_KEYTYPE_ED25519_CERT01:
        case SSH_KEYTYPE_SK_ED25519:
+        case SSH_KEYTYPE_SK_ED25519_CERT01:
            /* ed25519 keys handled globally */
            return 0;
        case SSH_KEYTYPE_ECDSA_P256:
+        case SSH_KEYTYPE_ECDSA_P256_CERT01:
        case SSH_KEYTYPE_ECDSA_P384:
+        case SSH_KEYTYPE_ECDSA_P384_CERT01:
        case SSH_KEYTYPE_ECDSA_P521:
+        case SSH_KEYTYPE_ECDSA_P521_CERT01:
        case SSH_KEYTYPE_SK_ECDSA:
+        case SSH_KEYTYPE_SK_ECDSA_CERT01:
 #ifdef HAVE_GCRYPT_ECC
            if (k1->ecdsa_nid != k2->ecdsa_nid) {
                return 1;
@@ -1350,14 +1357,7 @@ int pki_key_compare(const ssh_key k1,
 #endif
        case SSH_KEYTYPE_DSS:        /* deprecated */
        case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
-        case SSH_KEYTYPE_RSA_CERT01:
-        case SSH_KEYTYPE_ECDSA:
-        case SSH_KEYTYPE_ECDSA_P256_CERT01:
-        case SSH_KEYTYPE_ECDSA_P384_CERT01:
-        case SSH_KEYTYPE_ECDSA_P521_CERT01:
-        case SSH_KEYTYPE_SK_ECDSA_CERT01:
-        case SSH_KEYTYPE_ED25519_CERT01:
-        case SSH_KEYTYPE_SK_ED25519_CERT01:
+        case SSH_KEYTYPE_ECDSA:      /* deprecated */
        case SSH_KEYTYPE_RSA1:
        case SSH_KEYTYPE_UNKNOWN:
            return 1;
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -638,7 +638,7 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
    mbedtls_mpi_init(&E2);
 #endif

-    switch (k1->type) {
+    switch (ssh_key_type_plain(k1->type)) {
        case SSH_KEYTYPE_RSA: {
            mbedtls_rsa_context *rsa1, *rsa2;
            if (!mbedtls_pk_can_do(k1->rsa, MBEDTLS_PK_RSA) ||