/* $OpenBSD: sshsig.h,v 1.11 2021/11/27 07:14:46 djm Exp $ */
/*
 * Copyright (c) 2019 Google LLC
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Public interface for creating and verifying detached SSH signatures,
 * for ASCII-armouring them, and for checking a signing key and principal
 * against an allowed_keys file.
 *
 * This header includes nothing itself: size_t, uint64_t and the BSD
 * u_char/u_int/u_long types must already be in scope (sys/types.h,
 * stdint.h or the project's own includes) before it is included.
 */

#ifndef SSHSIG_H
#define SSHSIG_H

/* Opaque types; this interface only ever handles pointers to them. */
struct sshbuf;
struct sshkey;
struct sshsigopt;
struct sshkey_sig_details;

/*
 * Callback type accepted by sshsig_signb() and sshsig_sign_fd() to produce
 * the raw signature, presumably so that signing can be delegated (e.g. to
 * an agent) instead of requiring the private key in-process.
 * NOTE(review): the parameter order appears to mirror the sshkey_sign()
 * interface — (key, &sig, &siglen, data, datalen, alg, sk_provider,
 * sk_pin, compat, ctx) — with the trailing void * receiving the caller's
 * signer_ctx; confirm against sshsig.c. Presumably returns 0 on success or
 * a negative SSH_ERR_* code like the rest of this API.
 */
typedef int sshsig_signer(struct sshkey *, u_char **, size_t *,
    const u_char *, size_t, const char *, const char *, const char *,
    u_int, void *);

/* Buffer-oriented API */

/*
 * Creates a detached SSH signature for a given buffer.
 * Returns 0 on success or a negative SSH_ERR_* error code on failure.
 * out is populated with the detached signature, or NULL on failure.
 *
 * sig_namespace is bound into the signature; a verifier has to present the
 * same namespace to sshsig_verifyb() (presumably — that function takes a
 * matching sig_namespace argument; confirm in sshsig.c).
 * When signer is non-NULL it is invoked with signer_ctx to produce the raw
 * signature; otherwise key is presumably used directly — confirm.
 * hashalg, sk_provider and sk_pin look like optional selectors that may be
 * NULL for defaults — confirm. The caller presumably owns *out and releases
 * it with sshbuf_free().
 */
int sshsig_signb(struct sshkey *key, const char *hashalg,
    const char *sk_provider, const char *sk_pin, const struct sshbuf *message,
    const char *sig_namespace, struct sshbuf **out,
    sshsig_signer *signer, void *signer_ctx);

/*
 * Verifies that a detached signature is valid and optionally returns key
 * used to sign via argument.
 * Returns 0 on success or a negative SSH_ERR_* error code on failure.
 *
 * sig_namespace is the counterpart of sshsig_signb()'s argument and must
 * presumably match the namespace the signature was created under.
 * sign_keyp and sig_details are outputs; they presumably may be NULL when
 * the caller does not need them — confirm.
 * A key returned through sign_keyp is the one carried by the signature
 * itself; whether that key is *trusted* is a separate decision, see
 * sshsig_check_allowed_keys() and sshsig_find_principals().
 * signature is non-const, presumably because it is parsed in place.
 */
int sshsig_verifyb(struct sshbuf *signature,
    const struct sshbuf *message, const char *sig_namespace,
    struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details);

/* File/FD-oriented API */

/*
 * Creates a detached SSH signature for a given file.
 * Returns 0 on success or a negative SSH_ERR_* error code on failure.
 * out is populated with the detached signature, or NULL on failure.
 *
 * Same contract as sshsig_signb(), except that the data to sign is read
 * from the open descriptor fd (presumably to EOF, and fd is not closed —
 * confirm in sshsig.c).
 */
int sshsig_sign_fd(struct sshkey *key, const char *hashalg,
    const char *sk_provider, const char *sk_pin,
    int fd, const char *sig_namespace,
    struct sshbuf **out, sshsig_signer *signer, void *signer_ctx);

/*
 * Verifies that a detached signature over a file is valid and optionally
 * returns key used to sign via argument.
 * Returns 0 on success or a negative SSH_ERR_* error code on failure.
 *
 * Same contract as sshsig_verifyb(), with the signed data read from fd.
 */
int sshsig_verify_fd(struct sshbuf *signature, int fd,
    const char *sig_namespace, struct sshkey **sign_keyp,
    struct sshkey_sig_details **sig_details);

/* Utility functions */

/*
 * Return a base64 encoded "ASCII armoured" version of a raw signature.
 * Presumably follows the 0 / negative SSH_ERR_* return convention and
 * hands a caller-owned sshbuf back through *out — confirm.
 */
int sshsig_armor(const struct sshbuf *blob, struct sshbuf **out);

/*
 * Decode a base64 encoded armoured signature to a raw signature.
 * sig is non-const, presumably because it is consumed in place; the raw
 * signature is returned through *out — confirm ownership in sshsig.c.
 */
int sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out);

/*
 * Checks whether a particular key/principal/namespace is permitted by
 * an allowed_keys file. Returns 0 on success.
 *
 * path names the allowed_keys file, sign_key is the key recovered from the
 * signature, and ns is the signature namespace. verify_time is the time at
 * which the check is evaluated, presumably for time-bounded entries parsed
 * by sshsigopt_parse() — confirm. Any non-zero return means "not
 * permitted"; callers should treat it as a verification failure.
 */
int sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
    const char *principal, const char *ns, uint64_t verify_time);

/*
 * Parse zero or more allowed_keys signature options.
 * opts is the option string from one allowed_keys line; path and linenum
 * look like they are only used for diagnostics (inferred from the names).
 * On failure the result is presumably NULL with *errstrp pointing at a
 * message — confirm. A non-NULL result is released with sshsigopt_free().
 */
struct sshsigopt *sshsigopt_parse(const char *opts,
    const char *path, u_long linenum, const char **errstrp);

/* Free signature options returned by sshsigopt_parse(). */
void sshsigopt_free(struct sshsigopt *opts);

/*
 * Get public key from signature.
 * The key is whatever the signature blob carries, so it is untrusted until
 * checked against an allowed_keys file (sshsig_check_allowed_keys() or
 * sshsig_find_principals()). *pubkey is presumably caller-owned — confirm.
 */
int sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey);

/* Find principal in allowed_keys file, given a sshkey. Returns
 * 0 on success.
 * *principal receives the matched principal; the caller presumably frees
 * it. verify_time has the same meaning as in sshsig_check_allowed_keys().
 */
int sshsig_find_principals(const char *path, const struct sshkey *sign_key,
    uint64_t verify_time, char **principal);

/*
 * Find all principals in allowed_keys file matching *principal.
 * *principalsp receives an array of *nprincipalsp strings; the caller
 * presumably frees each string and then the array — confirm in sshsig.c.
 */
int sshsig_match_principals(const char *path,
    const char *principal, char ***principalsp, size_t *nprincipalsp);

#endif /* SSHSIG_H */