From ace8a2f80fe5bb755512e4a7281146ce4fe311a6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 15 Jul 2015 09:40:00 +0200
Subject: [PATCH 36/37] ssh: generate public keys from certificate
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 7 +-
src/confdb/confdb.h | 2 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 13 ++++
src/responder/ssh/sshsrv.c | 9 +++
src/responder/ssh/sshsrv_cmd.c | 54 ++++++++++++---
src/responder/ssh/sshsrv_private.h | 1 +
src/tests/cmocka/test_cert_utils.c | 62 +++++++++++++++++
src/util/cert.h | 4 ++
src/util/cert/libcrypto/cert.c | 93 +++++++++++++++++++++++++
src/util/cert/nss/cert.c | 130 +++++++++++++++++++++++++++++++++++
12 files changed, 364 insertions(+), 13 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index fd78c1bb770b98adee9a6c1ead3b0d6f4345fb9b..5345d90d22cd285a5268ac50a6b527645acdb351 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1129,10 +1129,13 @@ sssd_ssh_SOURCES = \
src/responder/ssh/sshsrv.c \
src/responder/ssh/sshsrv_dp.c \
src/responder/ssh/sshsrv_cmd.c \
- $(SSSD_RESPONDER_OBJ)
+ $(SSSD_RESPONDER_OBJ) \
+ $(NULL)
sssd_ssh_LDADD = \
$(SSSD_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_cert.la \
+ $(NULL)
endif
sssd_pac_SOURCES = \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c3cdf49e08d10367e9e98c093a4aa2569b985170..df454337ab4d89c5857e73ee0e5392c2b4bba8b4 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -135,6 +135,8 @@
#define CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS true
#define CONFDB_SSH_KNOWN_HOSTS_TIMEOUT "ssh_known_hosts_timeout"
#define CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT 180
+#define CONFDB_SSH_CA_DB "ca_db"
+#define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/pki/nssdb"
/* PAC */
#define CONFDB_PAC_CONF_ENTRY "config/pac"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4b519eddd04cde83c209f5a1940832cc7f41c736..7d361026c09ce8fd8d6a69f6bb3f3817bc3d68ba 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -99,6 +99,7 @@ option_strings = {
# [ssh]
'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys were requested'),
+ 'ca_db': _('Path to storage of trusted CA certificates'),
# [pac]
'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 29fd896ccd7a3aa5ff81e15b771746a80ffc01af..cf6ce63012176d49f757afbc8a343b24aef869e8 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -72,6 +72,7 @@ autofs_negative_timeout = int, None, false
# ssh service
ssh_hash_known_hosts = bool, None, false
ssh_known_hosts_timeout = int, None, false
+ca_db = str, None, false
[pac]
# PAC responder
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7d3a57b0eadec48d64cc9ddcb226b89a1600b432..37e73515fbfcae0da492533de72ad3208c870e9b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1082,6 +1082,19 @@ pam_account_expired_message = Account expired, please call help desk.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ca_db (string)</term>
+ <listitem>
+ <para>
+ Path to a storage of trusted CA certificates. The
+ option is used to validate user certificates before
+ deriving public ssh keys from them.
+ </para>
+ <para>
+ Default: /etc/pki/nssdb
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 9439b9d89ae47dc66d392f0c434f4de1c1c0b4ea..d4e202d87f520f1bdcd521733592027773a821d6 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -163,6 +163,15 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ ret = confdb_get_string(ssh_ctx->rctx->cdb, ssh_ctx,
+ CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_CA_DB,
+ CONFDB_DEFAULT_SSH_CA_DB, &ssh_ctx->ca_db);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading CA DB from confdb (%d) [%s]\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 4833587910cade32ecb0b5f65b417d58a498b01e..f630e5f0311dadc69bee59afb672720f7018169d 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -27,6 +27,7 @@
#include "util/util.h"
#include "util/crypto/sss_crypto.h"
#include "util/sss_ssh.h"
+#include "util/cert.h"
#include "db/sysdb.h"
#include "db/sysdb_ssh.h"
#include "providers/data_provider.h"
@@ -219,7 +220,8 @@ static errno_t
ssh_user_pubkeys_search_next(struct ssh_cmd_ctx *cmd_ctx)
{
errno_t ret;
- const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, NULL };
+ const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, SYSDB_USER_CERT,
+ NULL };
struct ldb_result *res;
DEBUG(SSSDBG_TRACE_FUNC,
@@ -794,6 +796,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
struct ldb_message_element *el,
+ bool cert_data,
+ struct ssh_ctx *ssh_ctx,
size_t fqname_len,
const char *fqname,
size_t *c)
@@ -819,12 +823,22 @@ static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
}
for (d = 0; d < el->num_values; d++) {
- key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data,
- &key_len);
- if (key == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n");
- ret = ENOMEM;
- goto done;
+ if (cert_data) {
+ ret = cert_to_ssh_key(tmp_ctx, ssh_ctx->ca_db,
+ el->values[d].data, el->values[d].length,
+ &key, &key_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key failed.\n");
+ return ret;
+ }
+ } else {
+ key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data,
+ &key_len);
+ if (key == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
}
ret = sss_packet_grow(cctx->creq->out,
@@ -862,10 +876,13 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
struct ldb_message_element *el = NULL;
struct ldb_message_element *el_override = NULL;
struct ldb_message_element *el_orig = NULL;
+ struct ldb_message_element *el_user_cert = NULL;
uint32_t count = 0;
const char *name;
char *fqname;
uint32_t fqname_len;
+ struct ssh_ctx *ssh_ctx = talloc_get_type(cctx->rctx->pvt_ctx,
+ struct ssh_ctx);
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
@@ -893,6 +910,12 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
}
}
+ el_user_cert = ldb_msg_find_element(cmd_ctx->result, SYSDB_USER_CERT);
+ if (el_user_cert) {
+ /* TODO check if cert is valid */
+ count += el_user_cert->num_values;
+ }
+
ret = sss_packet_grow(cctx->creq->out, 2*sizeof(uint32_t));
if (ret != EOK) {
return ret;
@@ -922,20 +945,29 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
fqname_len = strlen(fqname)+1;
- ret = decode_and_add_base64_data(cmd_ctx, el, fqname_len, fqname, &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
}
- ret = decode_and_add_base64_data(cmd_ctx, el_orig, fqname_len, fqname, &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
}
- ret = decode_and_add_base64_data(cmd_ctx, el_override, fqname_len, fqname,
- &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx,
+ fqname_len, fqname, &c);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
+ return ret;
+ }
+
+ ret = decode_and_add_base64_data(cmd_ctx, el_user_cert, true, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index ebb30ce7cbc982bb29b73592d5873e7d3652228a..beb8e18db77d8224e49df141748484ce61b11dac 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -32,6 +32,7 @@ struct ssh_ctx {
bool hash_known_hosts;
int known_hosts_timeout;
+ char *ca_db;
};
struct ssh_cmd_ctx {
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
index 8063b1a65e8692142cbb3cf82fe41afa6567bc91..7bd8cf2344003421e9ec84dc5e1b2305a861ab38 100644
--- a/src/tests/cmocka/test_cert_utils.c
+++ b/src/tests/cmocka/test_cert_utils.c
@@ -21,15 +21,18 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
#include <popt.h>
#ifdef HAVE_LIBCRYPTO
#include <openssl/objects.h>
+#include <openssl/crypto.h>
#endif
#include "util/cert.h"
#include "tests/cmocka/common_mock.h"
#include "util/crypto/nss/nss_util.h"
+#include "util/crypto/sss_crypto.h"
/* TODO: create a certificate for this test */
@@ -306,6 +309,63 @@ void test_sss_cert_derb64_to_ldap_filter(void **state)
talloc_free(filter);
}
+
+#define SSH_TEST_CERT \
+"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
+"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
+"NjMyMDdaFw0xNzA2MjMxNjMyMDdaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
+"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
+"ADCCAQoCggEBALXUq56VlY+Z0aWLLpFAjFfbElPBXGQsbZb85J3cGyPjaMHC9wS+" \
+"wjB6Ve4HmQyPLx8hbINdDmbawMHYQvTScLYfsqLtj0Lqw20sUUmedk+Es5Oh9VHo" \
+"nd8MavYx25Du2u+T0iSgNIDikXguiwCmtAj8VC49ebbgITcjJGzMmiiuJkV3o93Y" \
+"vvYF0VjLGDQbQWOy7IxzYJeNVJnZWKo67CHdok6qOrm9rxQt81rzwV/mGLbCMUbr" \
+"+N4M8URtd7EmzaYZQmNm//s2owFrCYMxpLiURPj+URZVuB72504/Ix7X0HCbA/AV" \
+"26J27fPY5nc8DMwfhUDCbTqPH/JEjd3mvY8CAwEAAaOCASYwggEiMB8GA1UdIwQY" \
+"MBaAFJOq+KAQmPEnNp8Wok23eGTdE7aDMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
+"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
+"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
+"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
+"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
+"IEF1dGhvcml0eTAdBgNVHQ4EFgQUFaDNd5a53QGpaw5m63hnwXicMQ8wDQYJKoZI" \
+"hvcNAQELBQADggEBADH7Nj00qqGhGJeXJQAsepqSskz/wooqXh8vgVyb8SS4N0/c" \
+"0aQtVmY81xamlXE12ZFpwDX43d+EufBkwCUKFX/+8JFDd2doAyeJxv1xM22kKRpc" \
+"AqITPgMsa9ToGMWxjbVpc/X/5YfZixWPF0/eZUTotBj9oaR039UrhGfyN7OguF/G" \
+"rzmxtB5y4ZrMpcD/Oe90mkd9HY7sA/fB8OWOUgeRfQoh97HNS0UiDWsPtfxmjQG5" \
+"zotpoBIZmdH+ipYsu58HohHVlM9Wi5H4QmiiXl+Soldkq7eXYlafcmT7wv8+cKwz" \
+"Nz0Tm3+eYpFqRo3skr6QzXi525Jkg3r6r+kkhxU="
+
+#define SSH_PUB_KEY "AAAAB3NzaC1yc2EAAAADAQABAAABAQC11KuelZWPmdGliy6RQIxX2xJTwVxkLG2W/OSd3Bsj42jBwvcEvsIwelXuB5kMjy8fIWyDXQ5m2sDB2EL00nC2H7Ki7Y9C6sNtLFFJnnZPhLOTofVR6J3fDGr2MduQ7trvk9IkoDSA4pF4LosAprQI/FQuPXm24CE3IyRszJooriZFd6Pd2L72BdFYyxg0G0FjsuyMc2CXjVSZ2ViqOuwh3aJOqjq5va8ULfNa88Ff5hi2wjFG6/jeDPFEbXexJs2mGUJjZv/7NqMBawmDMaS4lET4/lEWVbge9udOPyMe19BwmwPwFduidu3z2OZ3PAzMH4VAwm06jx/yRI3d5r2P"
+
+void test_cert_to_ssh_key(void **state)
+{
+ int ret;
+ uint8_t *key;
+ size_t key_size;
+ uint8_t *exp_key;
+ size_t exp_key_size;
+ uint8_t *der;
+ size_t der_size;
+
+ struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+ assert_non_null(ts);
+
+ der = sss_base64_decode(ts, SSH_TEST_CERT, &der_size);
+ assert_non_null(der);
+
+ exp_key = sss_base64_decode(ts, SSH_PUB_KEY, &exp_key_size);
+ assert_non_null(exp_key);
+
+ ret = cert_to_ssh_key(ts, "sql:" ABS_SRC_DIR "/src/tests/cmocka/p11_nssdb",
+ der, der_size, &key, &key_size);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(key_size, exp_key_size);
+ assert_memory_equal(key, exp_key, exp_key_size);
+
+ talloc_free(der);
+ talloc_free(key);
+ talloc_free(exp_key);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -330,6 +390,8 @@ int main(int argc, const char *argv[])
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_cert_to_ssh_key,
+ setup, teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/cert.h b/src/util/cert.h
index 79ea1a4ab58149a312bece265798ab3a3f459114..edbafc492a1ed42ad616d0bf2fae882046711746 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -44,4 +44,8 @@ errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64,
errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx,
const uint8_t *blob, size_t blob_size,
char **_str);
+
+errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
+ const uint8_t *der_blob, size_t der_size,
+ uint8_t **key, size_t *key_size);
#endif /* __CERT_H__ */
diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c
index 1a250f60d1a7dfd5c883ec7e9b1f9491fb74c9b0..01f9554b990d6a139bb9a1d8d558c1c3f6bb745c 100644
--- a/src/util/cert/libcrypto/cert.c
+++ b/src/util/cert/libcrypto/cert.c
@@ -166,3 +166,96 @@ done:
return ret;
}
+
+#define SSH_RSA_HEADER "ssh-rsa"
+#define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1)
+
+errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
+ const uint8_t *der_blob, size_t der_size,
+ uint8_t **key, size_t *key_size)
+{
+ int ret;
+ size_t size;
+ const unsigned char *d;
+ uint8_t *buf = NULL;
+ size_t c;
+ X509 *cert = NULL;
+ EVP_PKEY *cert_pub_key = NULL;
+ int modulus_len;
+ unsigned char modulus[OPENSSL_RSA_MAX_MODULUS_BITS/8];
+ int exponent_len;
+ unsigned char exponent[OPENSSL_RSA_MAX_PUBEXP_BITS/8];
+
+ if (der_blob == NULL || der_size == 0) {
+ return EINVAL;
+ }
+
+ d = (const unsigned char *) der_blob;
+
+ cert = d2i_X509(NULL, &d, (int) der_size);
+ if (cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n");
+ return EINVAL;
+ }
+
+ /* TODO: verify certificate !!!!! */
+
+ cert_pub_key = X509_get_pubkey(cert);
+ if (cert_pub_key == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "X509_get_pubkey failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (cert_pub_key->type != EVP_PKEY_RSA) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected RSA public key, found unsupported [%d].\n",
+ cert_pub_key->type);
+ ret = EINVAL;
+ goto done;
+ }
+
+ modulus_len = BN_bn2bin(cert_pub_key->pkey.rsa->n, modulus);
+ exponent_len = BN_bn2bin(cert_pub_key->pkey.rsa->e, exponent);
+
+ size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t)
+ + modulus_len
+ + exponent_len
+ + 1; /* see comment about missing 00 below */
+
+ buf = talloc_size(mem_ctx, size);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ c = 0;
+
+ SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c);
+ safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c);
+ SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c);
+ safealign_memcpy(&buf[c], exponent, exponent_len, &c);
+
+ /* Adding missing 00 which afaik is added to make sure
+ * the bigint is handled as positive number */
+ /* TODO: make a better check if 00 must be added or not, e.g. ... & 0x80)
+ */
+ SAFEALIGN_SET_UINT32(&buf[c], htobe32(modulus_len + 1), &c);
+ SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c);
+ safealign_memcpy(&buf[c], modulus, modulus_len, &c);
+
+ *key = buf;
+ *key_size = size;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(buf);
+ }
+ EVP_PKEY_free(cert_pub_key);
+ X509_free(cert);
+
+ return ret;
+}
diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c
index a20abf63a10de9a5e9810f1c7d56686d063d60c7..1ada35b6321b9e0f3daf87b3412cf7a124cbf2c7 100644
--- a/src/util/cert/nss/cert.c
+++ b/src/util/cert/nss/cert.c
@@ -20,9 +20,13 @@
#include "util/util.h"
+#include <nss.h>
#include <cert.h>
#include <base64.h>
+#include <key.h>
+#include <prerror.h>
+#include "util/crypto/sss_crypto.h"
#include "util/crypto/nss/nss_util.h"
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
@@ -210,3 +214,129 @@ done:
return ret;
}
+
+#define SSH_RSA_HEADER "ssh-rsa"
+#define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1)
+
+errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
+ const uint8_t *der_blob, size_t der_size,
+ uint8_t **key, size_t *key_size)
+{
+ CERTCertDBHandle *handle;
+ CERTCertificate *cert = NULL;
+ SECItem der_item;
+ SECKEYPublicKey *cert_pub_key = NULL;
+ int ret;
+ size_t size;
+ uint8_t *buf = NULL;
+ size_t c;
+ NSSInitContext *nss_ctx;
+ NSSInitParameters parameters = { 0 };
+ parameters.length = sizeof (parameters);
+ SECStatus rv;
+
+ if (der_blob == NULL || der_size == 0) {
+ return EINVAL;
+ }
+
+ /* initialize NSS with context, we might have already called
+ * NSS_NoDB_Init() but for validation we need to have access to a DB with
+ * the trusted issuer cert. Only NSS_InitContext will really open the DB
+ * in this case. I'm not sure about how long validation might need e.g. if
+ * CRLs or OSCP is enabled, maybe it would be better to run validation in
+ * p11_child ? */
+ nss_ctx = NSS_InitContext(ca_db, "", "", SECMOD_DB, ¶meters,
+ NSS_INIT_READONLY);
+ if (nss_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",
+ PR_GetError());
+ return EIO;
+ }
+
+ handle = CERT_GetDefaultCertDB();
+
+ der_item.len = der_size;
+ der_item.data = discard_const(der_blob);
+
+ cert = CERT_NewTempCertificate(handle, &der_item, NULL, PR_FALSE, PR_TRUE);
+ if (cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_NewTempCertificate failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
+ certificateUsageSSLClient, NULL, NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "CERT_VerifyCertificateNow failed [%d].\n",
+ PR_GetError());
+ ret = EACCES;
+ goto done;
+ }
+
+ cert_pub_key = CERT_ExtractPublicKey(cert);
+ if (cert_pub_key == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_ExtractPublicKey failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (cert_pub_key->keyType != rsaKey) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected RSA public key, found unsupported [%d].\n",
+ cert_pub_key->keyType);
+ ret = EINVAL;
+ goto done;
+ }
+
+ size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t)
+ + cert_pub_key->u.rsa.modulus.len
+ + cert_pub_key->u.rsa.publicExponent.len
+ + 1; /* see comment about missing 00 below */
+
+ buf = talloc_size(mem_ctx, size);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ c = 0;
+
+ SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c);
+ safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c);
+ SAFEALIGN_SET_UINT32(&buf[c],
+ htobe32(cert_pub_key->u.rsa.publicExponent.len), &c);
+ safealign_memcpy(&buf[c], cert_pub_key->u.rsa.publicExponent.data,
+ cert_pub_key->u.rsa.publicExponent.len, &c);
+
+ /* Looks like nss drops the leading 00 which afaik is added to make sure
+ * the bigint is handled as positive number */
+ /* TODO: make a better check if 00 must be added or not, e.g. ... & 0x80)
+ */
+ SAFEALIGN_SET_UINT32(&buf[c],
+ htobe32(cert_pub_key->u.rsa.modulus.len + 1 ), &c);
+ SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c);
+ safealign_memcpy(&buf[c], cert_pub_key->u.rsa.modulus.data,
+ cert_pub_key->u.rsa.modulus.len, &c);
+
+ *key = buf;
+ *key_size = size;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(buf);
+ }
+ SECKEY_DestroyPublicKey(cert_pub_key);
+ CERT_DestroyCertificate(cert);
+
+ rv = NSS_ShutdownContext(nss_ctx);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",
+ PR_GetError());
+ }
+
+ return ret;
+}
--
2.4.3