From 3906e5f41a00063127e07f5ca696a25eea2e8bb7 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 16 Nov 2018 18:15:32 +0100

Subject: [PATCH 74/74] utils: add ec_pub_key_to_ssh() (NSS)

Add EC key support for the NSS version of the ssh key extraction code.

Related to https://pagure.io/SSSD/sssd/issue/3887

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 src/util/cert/nss/cert.c | 121 ++++++++++++++++++++++++++++++++++++++-

 1 file changed, 120 insertions(+), 1 deletion(-)

diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c

index b5c4769a8..ad90da0da 100644

--- a/src/util/cert/nss/cert.c

+++ b/src/util/cert/nss/cert.c

@@ -220,6 +220,118 @@ done:

     return ret;

 }

+/* taken from NSS's lib/cryptohi/seckey.c */

+static SECOidTag

+sss_SECKEY_GetECCOid(const SECKEYECParams *params)

+{

+    SECItem oid = { siBuffer, NULL, 0 };

+    SECOidData *oidData = NULL;

+

+    /*

+     * params->data needs to contain the ASN encoding of an object ID (OID)

+     * representing a named curve. Here, we strip away everything

+     * before the actual OID and use the OID to look up a named curve.

+     */

+    if (params->data[0] != SEC_ASN1_OBJECT_ID)

+        return 0;

+    oid.len = params->len - 2;

+    oid.data = params->data + 2;

+    if ((oidData = SECOID_FindOID(&oid)) == NULL)

+        return 0;

+

+    return oidData->offset;

+}

+

+/* SSH EC keys are defined in https://tools.ietf.org/html/rfc5656 */

+#define ECDSA_SHA2_HEADER "ecdsa-sha2-"

+/* Looks like OpenSSH currently only supports the following 3 required

+ * curves. */

+#define IDENTIFIER_NISTP256 "nistp256"

+#define IDENTIFIER_NISTP384 "nistp384"

+#define IDENTIFIER_NISTP521 "nistp521"

+

+static errno_t ec_pub_key_to_ssh(TALLOC_CTX *mem_ctx,

+                                 SECKEYPublicKey *cert_pub_key,

+                                 uint8_t **key_blob, size_t *key_size)

+{

+    int ret;

+    size_t c;

+    uint8_t *buf = NULL;

+    size_t buf_len;

+    SECOidTag curve_tag;

+    int key_len;

+    const char *identifier = NULL;

+    int identifier_len;

+    const char *header = NULL;

+    int header_len;

+    SECItem *ec_public_key;

+

+    curve_tag = sss_SECKEY_GetECCOid(&cert_pub_key->u.ec.DEREncodedParams);

+    switch(curve_tag) {

+    case SEC_OID_ANSIX962_EC_PRIME256V1:

+        identifier = IDENTIFIER_NISTP256;

+        header = ECDSA_SHA2_HEADER IDENTIFIER_NISTP256;

+        break;

+    case SEC_OID_SECG_EC_SECP384R1:

+        identifier = IDENTIFIER_NISTP384;

+        header = ECDSA_SHA2_HEADER IDENTIFIER_NISTP384;

+        break;

+    case SEC_OID_SECG_EC_SECP521R1:

+        identifier = IDENTIFIER_NISTP521;

+        header = ECDSA_SHA2_HEADER IDENTIFIER_NISTP521;

+        break;

+    default:

+        DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported curve [%s]\n",

+              SECOID_FindOIDTagDescription(curve_tag));

+        ret = EINVAL;

+        goto done;

+    }

+

+    header_len = strlen(header);

+    identifier_len = strlen(identifier);

+

+    ec_public_key = &cert_pub_key->u.ec.publicValue;

+

+    key_len = ec_public_key->len;

+    if (key_len == 0) {

+        DEBUG(SSSDBG_OP_FAILURE, "EC_POINT_point2oct failed.\n");

+        ret = EINVAL;

+        goto done;

+    }

+

+    buf_len = header_len + identifier_len + key_len + 3 * sizeof(uint32_t);

+    buf = talloc_size(mem_ctx, buf_len * sizeof(uint8_t));

+    if (buf == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");

+        ret = ENOMEM;

+        goto done;

+    }

+

+    c = 0;

+

+    SAFEALIGN_SET_UINT32(buf, htobe32(header_len), &c);

+    safealign_memcpy(&buf[c], header, header_len, &c);

+

+    SAFEALIGN_SET_UINT32(&buf[c], htobe32(identifier_len), &c);

+    safealign_memcpy(&buf[c], identifier , identifier_len, &c);

+

+    SAFEALIGN_SET_UINT32(&buf[c], htobe32(key_len), &c);

+

+    safealign_memcpy(&buf[c], ec_public_key->data, key_len, &c);

+

+    *key_size = buf_len;

+    *key_blob = buf;

+

+    ret = EOK;

+

+done:

+    if (ret != EOK) {

+        talloc_free(buf);

+    }

+

+    return ret;

+}

+

 #define SSH_RSA_HEADER "ssh-rsa"

 #define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1)

@@ -340,9 +452,16 @@ errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx,

             goto done;

         }

         break;

+    case ecKey:

+        ret = ec_pub_key_to_ssh(mem_ctx, cert_pub_key, key_blob, key_size);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "rsa_pub_key_to_ssh failed.\n");

+            goto done;

+        }

+        break;

     default:

         DEBUG(SSSDBG_CRIT_FAILURE,

-              "Expected RSA public key, found unsupported [%d].\n",

+              "Expected RSA or EC public key, found unsupported [%d].\n",

               cert_pub_key->keyType);

         ret = EINVAL;

         goto done;

-- 

2.19.1