
  1. /* $OpenBSD: sshsig.h,v 1.9 2020/08/31 00:17:41 djm Exp $ */
  2. /*
  3. * Copyright (c) 2019 Google LLC
  4. *
  5. * Permission to use, copy, modify, and distribute this software for any
  6. * purpose with or without fee is hereby granted, provided that the above
  7. * copyright notice and this permission notice appear in all copies.
  8. *
  9. * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10. * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11. * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12. * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13. * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14. * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15. * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16. */
  17. #ifndef SSHSIG_H
  18. #define SSHSIG_H
  19. struct sshbuf;
  20. struct sshkey;
  21. struct sshsigopt;
  22. struct sshkey_sig_details;
  23. typedef int sshsig_signer(struct sshkey *, u_char **, size_t *,
  24. const u_char *, size_t, const char *, const char *, const char *,
  25. u_int, void *);
  26. /* Buffer-oriented API */
  27. /*
  28. * Creates a detached SSH signature for a given buffer.
  29. * Returns 0 on success or a negative SSH_ERR_* error code on failure.
  30. * *out is set to the detached signature on success, or to NULL on failure.
  31. */
  32. int sshsig_signb(struct sshkey *key, const char *hashalg,
  33. const char *sk_provider, const char *sk_pin, const struct sshbuf *message,
  34. const char *sig_namespace, struct sshbuf **out,
  35. sshsig_signer *signer, void *signer_ctx);
  36. /*
  38. * Verifies that a detached signature over a buffer is valid and optionally
  39. * returns the key used to sign via the sign_keyp argument.
  39. * Returns 0 on success or a negative SSH_ERR_* error code on failure.
  40. */
  41. int sshsig_verifyb(struct sshbuf *signature,
  42. const struct sshbuf *message, const char *sig_namespace,
  43. struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details);
  44. /* File/FD-oriented API */
  45. /*
  46. * Creates a detached SSH signature for a given file.
  47. * Returns 0 on success or a negative SSH_ERR_* error code on failure.
  48. * *out is set to the detached signature on success, or to NULL on failure.
  49. */
  50. int sshsig_sign_fd(struct sshkey *key, const char *hashalg,
  51. const char *sk_provider, const char *sk_pin,
  52. int fd, const char *sig_namespace,
  53. struct sshbuf **out, sshsig_signer *signer, void *signer_ctx);
  54. /*
  55. * Verifies that a detached signature over a file is valid and optionally
  57. * returns the key used to sign via the sign_keyp argument.
  57. * Returns 0 on success or a negative SSH_ERR_* error code on failure.
  58. */
  59. int sshsig_verify_fd(struct sshbuf *signature, int fd,
  60. const char *sig_namespace, struct sshkey **sign_keyp,
  61. struct sshkey_sig_details **sig_details);
  62. /* Utility functions */
  63. /*
  64. * Return a base64 encoded "ASCII armoured" version of a raw signature.
  65. */
  66. int sshsig_armor(const struct sshbuf *blob, struct sshbuf **out);
  67. /*
  68. * Decode a base64 encoded armoured signature to a raw signature.
  69. */
  70. int sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out);
  71. /*
  72. * Checks whether a particular key, principal and namespace combination is
  73. * permitted by an allowed_keys file. Returns 0 on success.
  74. */
  75. int sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
  76. const char *principal, const char *ns);
  77. /* Parse zero or more allowed_keys signature options */
  78. struct sshsigopt *sshsigopt_parse(const char *opts,
  79. const char *path, u_long linenum, const char **errstrp);
  80. /* Free signature options */
  81. void sshsigopt_free(struct sshsigopt *opts);
  82. /* Get public key from signature */
  83. int sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey);
  84. /* Find the principal in an allowed_keys file that matches the given sshkey.
  85. * Returns 0 on success.
  86. */
  87. int sshsig_find_principals(const char *path, const struct sshkey *sign_key,
  88. char **principal);
  89. #endif /* SSHSIG_H */