1 /* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */ 2 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 #ifndef KEY_H 27 #define KEY_H 28 29 #include "buffer.h" 30 #include <openssl/rsa.h> 31 #include <openssl/dsa.h> 32 #ifdef OPENSSL_HAS_ECC 33 #include <openssl/ec.h> 34 #endif 35 36 typedef struct Key Key; 37 enum types { 38 KEY_RSA1, 39 KEY_RSA, 40 KEY_DSA, 41 KEY_ECDSA, 42 KEY_ED25519, 43 KEY_RSA_CERT, 44 KEY_DSA_CERT, 45 KEY_ECDSA_CERT, 46 KEY_ED25519_CERT, 47 KEY_RSA_CERT_V00, 48 KEY_DSA_CERT_V00, 49 KEY_UNSPEC 50 }; 51 enum fp_type { 52 SSH_FP_SHA1, 53 SSH_FP_MD5, 54 SSH_FP_SHA256 55 }; 56 enum fp_rep { 57 SSH_FP_HEX, 58 SSH_FP_BUBBLEBABBLE, 59 SSH_FP_RANDOMART 60 }; 61 62 /* key is stored in external hardware */ 63 #define KEY_FLAG_EXT 0x0001 64 65 #define CERT_MAX_PRINCIPALS 256 66 struct KeyCert { 67 Buffer certblob; /* Kept around for use on wire */ 68 u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ 69 u_int64_t serial; 70 char *key_id; 71 u_int nprincipals; 72 char **principals; 73 u_int64_t valid_after, valid_before; 74 Buffer critical; 75 Buffer extensions; 76 Key *signature_key; 77 }; 78 79 struct Key { 80 int type; 81 int flags; 82 RSA *rsa; 83 DSA *dsa; 84 int ecdsa_nid; /* NID of curve */ 85 #ifdef OPENSSL_HAS_ECC 86 EC_KEY *ecdsa; 87 #else 88 void *ecdsa; 89 #endif 90 struct KeyCert *cert; 91 u_char *ed25519_sk; 92 u_char *ed25519_pk; 93 }; 94 95 #define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES 96 #define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES 97 98 Key *key_new(int); 99 void key_add_private(Key *); 100 Key *key_new_private(int); 101 void key_free(Key *); 102 Key *key_demote(const Key *); 103 int key_equal_public(const Key *, const Key *); 104 int key_equal(const Key *, const Key *); 105 char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); 106 u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); 107 const char *key_type(const Key *); 108 const char *key_cert_type(const Key *); 109 int key_write(const Key *, FILE *); 110 int key_read(Key *, char **); 111 u_int key_size(const Key *); 112 113 Key *key_generate(int, u_int); 114 Key *key_from_private(const Key *); 115 int key_type_from_name(char *); 116 int key_is_cert(const Key *); 117 int key_type_is_cert(int); 118 int key_type_plain(int); 119 int key_to_certified(Key *, int); 120 int key_drop_cert(Key *); 121 int key_certify(Key *, Key *); 122 void key_cert_copy(const Key *, struct Key *); 123 int key_cert_check_authority(const Key *, int, int, const char *, 124 const char **); 125 int key_cert_is_legacy(const Key *); 126 127 int key_ecdsa_nid_from_name(const char *); 128 int key_curve_name_to_nid(const char *); 129 const char *key_curve_nid_to_name(int); 130 u_int key_curve_nid_to_bits(int); 131 int key_ecdsa_bits_to_nid(int); 132 #ifdef OPENSSL_HAS_ECC 133 int key_ecdsa_key_to_nid(EC_KEY *); 134 int key_ec_nid_to_hash_alg(int nid); 135 int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); 136 int key_ec_validate_private(const EC_KEY *); 137 #endif 138 char *key_alg_list(int, int); 139 140 Key *key_from_blob(const u_char *, u_int); 141 int key_to_blob(const Key *, u_char **, u_int *); 142 const char *key_ssh_name(const Key *); 143 const char *key_ssh_name_plain(const Key *); 144 int key_names_valid2(const char *); 145 146 int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int); 147 int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); 148 149 int ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int); 150 int ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int); 151 int ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); 152 int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); 153 int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int); 154 int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); 155 int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int); 156 int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int); 157 158 #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK)) 159 void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); 160 void key_dump_ec_key(const EC_KEY *); 161 #endif 162 163 void key_private_serialize(const Key *, Buffer *); 164 Key *key_private_deserialize(Buffer *); 165 166 #endif 167