Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / c28fc62d789d860c75e23a9fa9fb250eb2beca57^! / . / ssh-keygen.c
commitc28fc62d789d860c75e23a9fa9fb250eb2beca57[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Fri Jul 03 03:43:18 2015 +0000
committerDamien Miller <djm@mindrot.org>Wed Jul 15 15:35:09 2015 +1000
tree9b540db8aed167256bb61cd9df90dbedb31cc79d
parent564d63e1b4a9637a209d42a9d49646781fc9caef [diff] [blame]
upstream commit

delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8259d87..b546366 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -239,7 +239,6 @@
 			name = _PATH_SSH_CLIENT_IDENTITY;
 			break;
 		case KEY_DSA_CERT:
-		case KEY_DSA_CERT_V00:
 		case KEY_DSA:
 			name = _PATH_SSH_CLIENT_ID_DSA;
 			break;
@@ -250,7 +249,6 @@
 			break;
 #endif
 		case KEY_RSA_CERT:
-		case KEY_RSA_CERT_V00:
 		case KEY_RSA:
 			name = _PATH_SSH_CLIENT_ID_RSA;
 			break;
@@ -1575,25 +1573,6 @@
 	struct sshkey *ca, *public;
 	char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
 	FILE *f;
-	int v00 = 0; /* legacy keys */
-
-	if (key_type_name != NULL) {
-		switch (sshkey_type_from_name(key_type_name)) {
-		case KEY_RSA_CERT_V00:
-		case KEY_DSA_CERT_V00:
-			v00 = 1;
-			break;
-		case KEY_UNSPEC:
-			if (strcasecmp(key_type_name, "v00") == 0) {
-				v00 = 1;
-				break;
-			} else if (strcasecmp(key_type_name, "v01") == 0)
-				break;
-			/* FALLTHROUGH */
-		default:
-			fatal("unknown key type %s", key_type_name);
-		}
-	}
 
 #ifdef ENABLE_PKCS11
 	pkcs11_init(1);
@@ -1630,7 +1609,7 @@
 			    __func__, tmp, sshkey_type(public));
 
 		/* Prepare certificate to sign */
-		if ((r = sshkey_to_certified(public, v00)) != 0)
+		if ((r = sshkey_to_certified(public)) != 0)
 			fatal("Could not upgrade key %s to certificate: %s",
 			    tmp, ssh_err(r));
 		public->cert->type = cert_key_type;
@@ -1640,15 +1619,9 @@
 		public->cert->principals = plist;
 		public->cert->valid_after = cert_valid_from;
 		public->cert->valid_before = cert_valid_to;
-		if (v00) {
-			prepare_options_buf(public->cert->critical,
-			    OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
-		} else {
-			prepare_options_buf(public->cert->critical,
-			    OPTIONS_CRITICAL);
-			prepare_options_buf(public->cert->extensions,
-			    OPTIONS_EXTENSIONS);
-		}
+		prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
+		prepare_options_buf(public->cert->extensions,
+		    OPTIONS_EXTENSIONS);
 		if ((r = sshkey_from_private(ca,
 		    &public->cert->signature_key)) != 0)
 			fatal("key_from_private (ca key): %s", ssh_err(r));
@@ -1833,7 +1806,7 @@
 }
 
 static void
-show_options(struct sshbuf *optbuf, int v00, int in_critical)
+show_options(struct sshbuf *optbuf, int in_critical)
 {
 	char *name, *arg;
 	struct sshbuf *options, *option = NULL;
@@ -1848,14 +1821,14 @@
 		    (r = sshbuf_froms(options, &option)) != 0)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 		printf("                %s", name);
-		if ((v00 || !in_critical) && 
+		if (!in_critical &&
 		    (strcmp(name, "permit-X11-forwarding") == 0 ||
 		    strcmp(name, "permit-agent-forwarding") == 0 ||
 		    strcmp(name, "permit-port-forwarding") == 0 ||
 		    strcmp(name, "permit-pty") == 0 ||
 		    strcmp(name, "permit-user-rc") == 0))
 			printf("\n");
-		else if ((v00 || in_critical) &&
+		else if (in_critical &&
 		    (strcmp(name, "force-command") == 0 ||
 		    strcmp(name, "source-address") == 0)) {
 			if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
@@ -1882,7 +1855,7 @@
 	struct sshkey *key;
 	struct stat st;
 	char *key_fp, *ca_fp;
-	u_int i, v00;
+	u_int i;
 	int r;
 
 	if (!have_identity)
@@ -1894,7 +1867,6 @@
 		    identity_file, ssh_err(r));
 	if (!sshkey_is_cert(key))
 		fatal("%s is not a certificate", identity_file);
-	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 	ca_fp = sshkey_fingerprint(key->cert->signature_key,
@@ -1909,10 +1881,7 @@
 	printf("        Signing CA: %s %s\n",
 	    sshkey_type(key->cert->signature_key), ca_fp);
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
-	if (!v00) {
-		printf("        Serial: %llu\n",
-		    (unsigned long long)key->cert->serial);
-	}
+	printf("        Serial: %llu\n", (unsigned long long)key->cert->serial);
 	printf("        Valid: %s\n",
 	    fmt_validity(key->cert->valid_after, key->cert->valid_before));
 	printf("        Principals: ");
@@ -1929,16 +1898,14 @@
 		printf("(none)\n");
 	else {
 		printf("\n");
-		show_options(key->cert->critical, v00, 1);
+		show_options(key->cert->critical, 1);
 	}
-	if (!v00) {
-		printf("        Extensions: ");
-		if (sshbuf_len(key->cert->extensions) == 0)
-			printf("(none)\n");
-		else {
-			printf("\n");
-			show_options(key->cert->extensions, v00, 0);
-		}
+	printf("        Extensions: ");
+	if (sshbuf_len(key->cert->extensions) == 0)
+		printf("(none)\n");
+	else {
+		printf("\n");
+		show_options(key->cert->extensions, 0);
 	}
 	exit(0);
 }