Permit configuring RSA signature types in certificates.

As distinct from the type of signature generated by the SSH server itself from the host key, this lets you exclude (and by default does exclude) the old "ssh-rsa" SHA-1 signature type from the signature of the CA on the certificate.
2025-07-04 13:02:47 -05:00 · 2022-05-02 10:18:16 +01:00
parent e34e0220ab
commit dc7ba12253
12 changed files with 215 additions and 47 deletions
--- a/defs.h
+++ b/defs.h
@ -177,6 +177,7 @@ typedef struct dlgcontrol dlgcontrol;
 typedef struct settings_w settings_w;
 typedef struct settings_r settings_r;
 typedef struct settings_e settings_e;
+typedef struct ca_options ca_options;
 typedef struct host_ca host_ca;
 typedef struct host_ca_enum host_ca_enum;

@ -247,4 +248,14 @@ struct unicode_data;
 #define CAT_INNER(x,y) x ## y
 #define CAT(x,y) CAT_INNER(x,y)

+/*
+ * Structure shared between ssh.h and storage.h, giving strictness
+ * options relating to checking of an OpenSSH certificate. It's a bit
+ * cheaty to put something so specific in here, but more painful to
+ * put it in putty.h.
+ */
+struct ca_options {
+    bool permit_rsa_sha1, permit_rsa_sha256, permit_rsa_sha512;
+};
+
 #endif /* PUTTY_DEFS_H */