1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00
Commit Graph

12 Commits

Author SHA1 Message Date
Simon Tatham
e52087719c Documentation for OpenSSH certificates.
Also I've filled in the help contexts in all the new GUI controls.
2022-08-07 18:44:11 +01:00
Simon Tatham
f579b3c01e Certificate trust scope: change to a boolean-expression system.
This replaces the previous placeholder scheme of having a list of
hostname wildcards with implicit logical-OR semantics (if any wildcard
matched then the certificate would be trusted to sign for that host).
That scheme didn't allow for exceptions within a domain ('everything
in example.com except extra-high-security-machine.example.com'), and
also had no way to specify port numbers.

In the new system, you can still write a hostname wildcard by itself
in the simple case, but now those are just atomic subexpressions in a
boolean-logic domain-specific language I've made up. So if you want
multiple wildcards, you can separate them with || in a single longer
expression, and also you can use && and ! to impose exceptions on top
of that.

Full details of the expression language are in the comment at the top
of utils/cert-expr.c. It'll need documenting properly before release,
of course.

For the sake of backwards compatibility for early adopters who've
already set up configuration in the old system, I've put in some code
that will read the old MatchHosts configuration and automatically
translate it into the equivalent boolean expression (by simply
stringing together the list of wildcards with || between them).
2022-06-25 14:32:23 +01:00
Simon Tatham
4b0e54c22a CA config box: fully validate the CA public key.
Now we check that we can actually make an ssh_key out of it, and
moreover, that the key is of a sensible kind (i.e. not a certificate
in turn). If that's not true, we report something about the problem in
a new CTRL_TEXT below the public key input box. If the key _is_ valid,
that same text control is used to show its type, length and
fingerprint.

On Windows, I've widened the dialog box a little to make fingerprints
fit sensibly in it.
2022-05-07 12:02:23 +01:00
Simon Tatham
5ca78237ed CA config box: add some align_next_to.
Now the RSA signature-type checkboxes should be aligned with their
label; the 'Add' and 'Remove' buttons for wildcards should align with
the edit box for entering a wildcard; and the 'Load from file' button
for a public key aligns with the edit box for that.
2022-05-05 19:04:34 +01:00
Simon Tatham
8c4524aa91 Fix null-pointer dereferences in CA config.
Introduced in dc7ba12253 earlier today. On GTK these caused no
problems worse than a GTK warning, but I'd better fix them before they
(potentially) do worse on Windows!
2022-05-02 19:01:03 +01:00
Simon Tatham
c6e40f6785 Add some blank lines in setup_ca_config_box.
It's becoming hard to see what's going on in all that control setup.
2022-05-02 11:17:58 +01:00
Simon Tatham
dc7ba12253 Permit configuring RSA signature types in certificates.
As distinct from the type of signature generated by the SSH server
itself from the host key, this lets you exclude (and by default does
exclude) the old "ssh-rsa" SHA-1 signature type from the signature of
the CA on the certificate.
2022-05-02 11:17:58 +01:00
Simon Tatham
8d2c643fcb CA config: protect against saving a key with no wildcards. 2022-05-01 11:29:54 +01:00
Simon Tatham
6472b5ded7 CA config: permit pasting a whole OpenSSH public key.
Now, we try putting the contents of the public-key edit box through
ppk_load_s if it isn't a plain base64-encoded string.
2022-05-01 11:27:46 +01:00
Simon Tatham
2a44b6354f CA config: make the 'Done' button cancel and not default.
This means that, on the one hand, an absentminded press of Return
doesn't dismiss the entire CA config box, which would be pretty
annoying if you were half way through entering a load of fiddly stuff.

And on the other hand, you _can_ press Escape to dismiss the box,
which is less likely to happen by accident.
2022-05-01 10:38:50 +01:00
Simon Tatham
ddcd93ab12 CA config box: add a 'Read from file' button.
This allows you to load a CA public key from a disk file (in any
format acceptable to ppk_load_pub, which means OpenSSH one-line public
keys and also RFC4716 ones).
2022-05-01 10:16:19 +01:00
Simon Tatham
4fcb3bbe81 Move host CA config box out into its own source file.
In the course of polishing up this dialog box, I'm going to want it to
actually do cryptographic things (such as checking validity of a
public key blob and printing its fingerprint), which means it will
need to link against SSH utility functions.

So I've moved the dialog-box setup and handling code out of config.c
into a new file in the ssh subdirectory and in the ssh library, where
those facilities will be conveniently available.

This also means that dialog-box setup code _won't_ be linked into
PuTTYtel or pterm (on either platform), so I've added a stub source
file to provide its entry-point function in those tools. Also,
provided a const bool to indicate whether that dialog is available,
which we use to decide whether to recognise that command-line option.
2022-05-01 10:16:19 +01:00