diff options
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh/certs.go')
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/certs.go | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go index 67600e240..2fc8af1b1 100644 --- a/vendor/golang.org/x/crypto/ssh/certs.go +++ b/vendor/golang.org/x/crypto/ssh/certs.go @@ -251,10 +251,18 @@ type CertChecker struct { // for user certificates. SupportedCriticalOptions []string - // IsAuthority should return true if the key is recognized as - // an authority. This allows for certificates to be signed by other - // certificates. - IsAuthority func(auth PublicKey) bool + // IsUserAuthority should return true if the key is recognized as an + // authority for the given user certificate. This allows for + // certificates to be signed by other certificates. This must be set + // if this CertChecker will be checking user certificates. + IsUserAuthority func(auth PublicKey) bool + + // IsHostAuthority should report whether the key is recognized as + // an authority for this host. This allows for certificates to be + // signed by other keys, and for those other keys to only be valid + // signers for particular hostnames. This must be set if this + // CertChecker will be checking host certificates. + IsHostAuthority func(auth PublicKey, address string) bool // Clock is used for verifying time stamps. If nil, time.Now // is used. @@ -356,7 +364,13 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error { } } - if !c.IsAuthority(cert.SignatureKey) { + // if this is a host cert, principal is the remote hostname as passed + // to CheckHostCert. + if cert.CertType == HostCert && !c.IsHostAuthority(cert.SignatureKey, principal) { + return fmt.Errorf("ssh: no authorities for hostname: %v", principal) + } + + if cert.CertType == UserCert && !c.IsUserAuthority(cert.SignatureKey) { return fmt.Errorf("ssh: certificate signed by unrecognized authority") } |