diff options
author | Simon Tatham <anakin@pobox.com> | 2022-08-05 20:08:59 +0300 |
---|---|---|
committer | Simon Tatham <anakin@pobox.com> | 2022-08-05 20:08:59 +0300 |
commit | cd7f6c4407ff0df2ee7c9ced4e0ffea3c3dff969 (patch) | |
tree | cbcfc4dcd121455a5f907ab0d0f503ead4f4f32e /unix | |
parent | e711a08dafa678f800a2d70846ef5d36f770f48b (diff) |
Certificate-aware handling of key fingerprints.
OpenSSH, when called on to give the fingerprint of a certified public
key, will in many circumstances generate the hash of the public blob
of the _underlying_ key, rather than the hash of the full certificate.
I think the hash of the certificate is also potentially useful (if
nothing else, it provides a way to tell apart multiple certificates on
the same key). But I can also see that it's useful to be able to
recognise a key as the same one 'really' (since all certificates on
the same key share a private key, so they're unavoidably related).
So I've dealt with this by introducing an extra pair of fingerprint
types, giving the cross product of {MD5, SHA-256} x {base key only,
full certificate}. You can manually select which one you want to see
in some circumstances (notably PuTTYgen), and in others (such as
diagnostics) both fingerprints will be emitted side by side via the
new functions ssh2_double_fingerprint[_blob].
The default, following OpenSSH, is to just fingerprint the base key.
Diffstat (limited to 'unix')
-rw-r--r-- | unix/pageant.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/unix/pageant.c b/unix/pageant.c index 5db797a8..cef57b5b 100644 --- a/unix/pageant.c +++ b/unix/pageant.c @@ -612,6 +612,7 @@ static bool match_fingerprint_string( switch (fptype) { case SSH_FPTYPE_MD5: + case SSH_FPTYPE_MD5_CERT: /* MD5 fingerprints are in hex, so disregard case differences. */ case_sensitive = false; /* And we don't really need to force the user to type the @@ -620,6 +621,7 @@ static bool match_fingerprint_string( ignore_chars = ":"; break; case SSH_FPTYPE_SHA256: + case SSH_FPTYPE_SHA256_CERT: /* Skip over the "SHA256:" prefix, which we don't really * want to force the user to type. On the other hand, * tolerate it on the input string. */ @@ -713,6 +715,18 @@ struct pageant_pubkey *find_key(const char *string, char **retstr) try_comment = false; try_all_fptypes = false; fptype = SSH_FPTYPE_SHA256; + } else if (!strnicmp(string, "md5-cert:", 9)) { + string += 9; + try_file = false; + try_comment = false; + try_all_fptypes = false; + fptype = SSH_FPTYPE_MD5_CERT; + } else if (!strncmp(string, "sha256-cert:", 12)) { + string += 12; + try_file = false; + try_comment = false; + try_all_fptypes = false; + fptype = SSH_FPTYPE_SHA256_CERT; } /* @@ -1402,6 +1416,10 @@ int main(int argc, char **argv) key_list_fptype = SSH_FPTYPE_MD5; else if (!strcmp(keyword, "sha256")) key_list_fptype = SSH_FPTYPE_SHA256; + else if (!strcmp(keyword, "md5-cert")) + key_list_fptype = SSH_FPTYPE_MD5_CERT; + else if (!strcmp(keyword, "sha256-cert")) + key_list_fptype = SSH_FPTYPE_SHA256_CERT; else { fprintf(stderr, "pageant: unknown fingerprint type `%s'\n", keyword); |