| author | lhchavez <[email protected]> | 2021-09-05 19:00:59 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2021-09-05 19:00:59 -0700 |
| commit | dcc9331226b5ec340fe4cf7fa3f6b5188d8779e9 (patch) | |
| tree | 553b1a41625ed6ae7ea8bbfcb2b2d9203b2d93e4 | |
| parent | 018647fd481a7eb4af97d5f61afc0fddfe76fc24 (diff) | |
Expose the ssh.PublicKey into the CertificateCheckCallback (#818)
This change exposes the raw SSH hostkey and the ssh.PublicKey into the
CertificateCheckCallback, so that callers can do better validations.
| -rw-r--r-- | remote.go | 15 | ||||
| -rw-r--r-- | transport.go | 12 |
2 files changed, 24 insertions, 3 deletions
@@ -252,7 +252,7 @@ const ( // Certificate represents the two possible certificates which libgit2 // knows it might find. If Kind is CertficateX509 then the X509 field // will be filled. If Kind is CertificateHostkey then the Hostkey -// field will be fille.d +// field will be filled. type Certificate struct { Kind CertificateKind X509 *x509.Certificate @@ -266,7 +266,7 @@ const ( HostkeyMD5 HostkeyKind = C.GIT_CERT_SSH_MD5 HostkeySHA1 HostkeyKind = C.GIT_CERT_SSH_SHA1 HostkeySHA256 HostkeyKind = C.GIT_CERT_SSH_SHA256 - HostkeyRaw HostkeyKind = 1 << 3 + HostkeyRaw HostkeyKind = C.GIT_CERT_SSH_RAW ) // Server host key information. A bitmask containing the available fields. @@ -476,6 +476,17 @@ func certificateCheckCallback( C.memcpy(unsafe.Pointer(&cert.Hostkey.HashMD5[0]), unsafe.Pointer(&ccert.hash_md5[0]), C.size_t(len(cert.Hostkey.HashMD5))) C.memcpy(unsafe.Pointer(&cert.Hostkey.HashSHA1[0]), unsafe.Pointer(&ccert.hash_sha1[0]), C.size_t(len(cert.Hostkey.HashSHA1))) C.memcpy(unsafe.Pointer(&cert.Hostkey.HashSHA256[0]), unsafe.Pointer(&ccert.hash_sha256[0]), C.size_t(len(cert.Hostkey.HashSHA256))) + if (cert.Hostkey.Kind & HostkeyRaw) == HostkeyRaw { + cert.Hostkey.Hostkey = C.GoBytes(unsafe.Pointer(ccert.hostkey), C.int(ccert.hostkey_len)) + var err error + cert.Hostkey.SSHPublicKey, err = ssh.ParsePublicKey(cert.Hostkey.Hostkey) + if err != nil { + if data.errorTarget != nil { + *data.errorTarget = err + } + return setCallbackError(errorMessage, err) + } + } } else { err := errors.New("unsupported certificate type") if data.errorTarget != nil { diff --git a/transport.go b/transport.go index cf43acc..1afa6f4 100644 --- a/transport.go +++ b/transport.go 
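Review bot: In the `@@ -476` hunk of `certificateCheckCallback`, `cert.Hostkey.Hostkey` and `cert.Hostkey.SSHPublicKey` are only filled in when `HostkeyRaw` is set in `cert.Hostkey.Kind`, so a callback running against a libgit2 that does not report `GIT_CERT_SSH_RAW` receives a nil `SSHPublicKey` and an empty `Hostkey`, and any caller that calls a method on the interface without checking will panic. The field declarations are outside this hunk, but I would pin that contract on them with a comment such as `// Hostkey and SSHPublicKey are populated only when Kind includes HostkeyRaw; callers must nil-check SSHPublicKey before use.` The error path is the right shape: a raw key that fails `ssh.ParsePublicKey` aborts the callback instead of silently falling back to the fingerprint hashes, which keeps the check fail-closed. The `C.int(ccert.hostkey_len)` conversion narrows a `size_t`; real host keys are far below that bound, but a one-line comment saying so would stop a future reader from flagging it. `certificateCheckCallback` begins before and continues past this hunk.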
@@ -128,11 +128,21 @@ func (t *Transport) SmartCertificateCheck(cert *Certificate, valid bool, hostnam parent: C.git_cert{ cert_type: C.GIT_CERT_HOSTKEY_LIBSSH2, }, - _type: C.git_cert_ssh_t(cert.Kind), + _type: C.git_cert_ssh_t(cert.Kind), + hostkey: (*C.char)(C.CBytes(cert.Hostkey.Hostkey)), + hostkey_len: C.size_t(len(cert.Hostkey.Hostkey)), } + defer C.free(unsafe.Pointer(chostkeyCert.hostkey)) C.memcpy(unsafe.Pointer(&chostkeyCert.hash_md5[0]), unsafe.Pointer(&cert.Hostkey.HashMD5[0]), C.size_t(len(cert.Hostkey.HashMD5))) C.memcpy(unsafe.Pointer(&chostkeyCert.hash_sha1[0]), unsafe.Pointer(&cert.Hostkey.HashSHA1[0]), C.size_t(len(cert.Hostkey.HashSHA1))) C.memcpy(unsafe.Pointer(&chostkeyCert.hash_sha256[0]), unsafe.Pointer(&cert.Hostkey.HashSHA256[0]), C.size_t(len(cert.Hostkey.HashSHA256))) + if cert.Hostkey.SSHPublicKey.Type() == "ssh-rsa" { + chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_RSA + } else if cert.Hostkey.SSHPublicKey.Type() == "ssh-dss" { + chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_DSS + } else { + chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_UNKNOWN + } ccert = (*C.git_cert)(unsafe.Pointer(&chostkeyCert)) case CertificateX509: |
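Review bot: The new `cert.Hostkey.SSHPublicKey.Type()` calls in `SmartCertificateCheck` dereference the interface unconditionally, so a Go smart-transport implementation that builds a `Certificate` with only the MD5/SHA1/SHA256 hashes (the only option before this change) now panics with a nil interface method call instead of reaching the callback. I would default `raw_type` to `GIT_CERT_SSH_RAW_TYPE_UNKNOWN` and only consult the key when one was supplied, which also replaces the if/else-if chain with a switch on the type string. `hostkey`/`hostkey_len` are fine for an empty slice since `C.free` on the `C.CBytes` result is valid either way. `SmartCertificateCheck` starts before this hunk and continues after it.
```go
	// Map the parsed key onto libgit2's raw-type enum; the key is absent
	// when the caller only supplied fingerprint hashes.
	chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_UNKNOWN
	if pk := cert.Hostkey.SSHPublicKey; pk != nil {
		switch pk.Type() {
		case "ssh-rsa":
			chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_RSA
		case "ssh-dss":
			chostkeyCert.raw_type = C.GIT_CERT_SSH_RAW_TYPE_DSS
		}
	}
	// … unchanged: ccert assignment …
```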
