src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.275 and 1.302

version 1.275, 2015/07/03 03:43:18

version 1.302, 2017/04/30 23:18:44

Line 28

#include <string.h>

#include <unistd.h>

#include <limits.h>

#include <locale.h>

#include "xmalloc.h"

#include "sshkey.h"

Line 47

Line 48

#include "atomicio.h"

#include "krl.h"

#include "digest.h"

#include "utf8.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

Line 141

Line 143

char *certflags_command = NULL;

char *certflags_src_addr = NULL;

/* Arbitrary extensions specified by user */

struct cert_userext {

char *key;

char *val;

int crit;

};

struct cert_userext *cert_userext;

size_t ncert_userext;

/* Conversion to/from various formats */

int convert_to = 0;

int convert_from = 0;

Line 200

Line 211

*bitsp = sshkey_curve_nid_to_bits(nid);

if (*bitsp == 0)

*bitsp = DEFAULT_BITS_ECDSA;

}

} else

else

#endif

*bitsp = DEFAULT_BITS;

}

Line 212

Line 222

fatal("key bits exceeds maximum %d", maxbits);

if (type == KEY_DSA && *bitsp != 1024)

fatal("DSA keys must be 1024 bits");

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

fatal("Key must at least be 768 bits");

fatal("Key must at least be 1024 bits");

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length - valid lengths are "

"256, 384 or 521 bits");

Line 230

Line 240

name = _PATH_SSH_CLIENT_ID_RSA;

else {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA1:

name = _PATH_SSH_CLIENT_IDENTITY;

break;

case KEY_DSA_CERT:

case KEY_DSA:

name = _PATH_SSH_CLIENT_ID_DSA;

Line 302

Line 309

char comment[61];

int r;

if (k->type == KEY_RSA1)

fatal("version 1 keys are not supported");

if ((r = sshkey_to_blob(k, &blob, &len)) != 0)

fatal("key_to_blob failed: %s", ssh_err(r));

/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */

Line 325

Line 330

do_convert_to_pkcs8(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))

fatal("PEM_write_RSA_PUBKEY failed");

Line 348

Line 352

do_convert_to_pem(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

fatal("PEM_write_RSAPublicKey failed");

Line 514

Line 517

sshbuf_free(b);

/* try the key */

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 ||

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||

sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {

sshkey_free(key);

free(sig);

Line 795

Line 798

#endif /* ENABLE_PKCS11 */

}

static struct sshkey *

try_read_key(char **cpp)

{

struct sshkey *ret;

int r;

if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(ret, cpp)) == 0)

return ret;

/* Not a key */

sshkey_free(ret);

return NULL;

}

static void

do_fingerprint(struct passwd *pw)

fingerprint_one_key(const struct sshkey *public, const char *comment)

{

FILE *f;

char *fp = NULL, *ra = NULL;

struct sshkey *public;

char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;

int r, i, skip = 0, num = 0, invalid = 1;

enum sshkey_fp_rep rep;

int fptype;

struct stat st;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (!have_identity)

fp = sshkey_fingerprint(public, fptype, rep);

ask_filename(pw, "Enter file in which the key is");

ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint failed", __func__);

mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

}

static void

fingerprint_private(const char *path)

{

struct stat st;

char *comment = NULL;

struct sshkey *public = NULL;

int r;

if (stat(identity_file, &st) < 0)

fatal("%s: %s", identity_file, strerror(errno));

fatal("%s: %s", path, strerror(errno));

if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)

if ((r = sshkey_load_public(path, &public, &comment)) != 0) {

debug2("Error loading public key \"%s\": %s",

debug("load public \"%s\": %s", path, ssh_err(r));

identity_file, ssh_err(r));

if ((r = sshkey_load_private(path, NULL,

else {

&public, &comment)) != 0) {

fp = sshkey_fingerprint(public, fptype, rep);

debug("load private \"%s\": %s", path, ssh_err(r));

ra = sshkey_fingerprint(public, fingerprint_hash,

fatal("%s is not a key file.", path);

SSH_FP_RANDOMART);

}

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

sshkey_free(public);

free(comment);

free(ra);

free(fp);

exit(0);

}

if (comment) {

free(comment);

comment = NULL;

}

if ((f = fopen(identity_file, "r")) == NULL)

fingerprint_one_key(public, comment);

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

sshkey_free(public);

free(comment);

}

while (fgets(line, sizeof(line), f)) {

static void

if ((cp = strchr(line, '\n')) == NULL) {

do_fingerprint(struct passwd *pw)

error("line %d too long: %.40s...",

{

num + 1, line);

FILE *f;

skip = 1;

struct sshkey *public = NULL;

char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

int i, invalid = 1;

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

path = identity_file;

if (strcmp(identity_file, "-") == 0) {

f = stdin;

path = "(stdin)";

} else if ((f = fopen(path, "r")) == NULL)

fatal("%s: %s: %s", __progname, path, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

cp = line;

cp[strcspn(cp, "\n")] = '\0';

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

* Input may be plain keys, private keys, authorized_keys

* or known_hosts.

* Try private keys first. Assume a key is private if

* "SSH PRIVATE KEY" appears on the first line and we're

* not reading from stdin (XXX support private keys on stdin).

if (lnum == 1 && strcmp(identity_file, "-") != 0 &&

strstr(cp, "PRIVATE KEY") != NULL) {

fclose(f);

fingerprint_private(path);

exit(0);

}

num++;

if (skip) {

skip = 0;

* If it's not a private key, then this must be prepared to

* accept a public key prefixed with a hostname or options.

* Try a bare key first, otherwise skip the leading stuff.

if ((public = try_read_key(&cp)) == NULL) {

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL ||

(*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

/* Retry after parsing leading hostname/key options */

if (public == NULL && (public = try_read_key(&cp)) == NULL) {

debug("%s:%lu: not a public key", path, lnum);

continue;

}

*cp = '\0';

/* Skip leading whitespace, empty and comment lines. */

/* Find trailing comment, if any */

for (cp = line; *cp == ' ' || *cp == '\t'; cp++)

for (; *cp == ' ' || *cp == '\t'; cp++)

;

if (!*cp || *cp == '\n' || *cp == '#')

if (*cp != '\0' && *cp != '#')

continue;

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

fingerprint_one_key(public, comment);

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

ep = cp;

if ((public = sshkey_new(KEY_RSA1)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

cp = ep;

sshkey_free(public);

if ((public = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

sshkey_free(public);

continue;

}

comment = *cp ? cp : comment;

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

sshkey_free(public);

invalid = 0;

invalid = 0; /* One good key in the file is sufficient */

}

fclose(f);

if (invalid)

fatal("%s is not a public key file.", identity_file);

fatal("%s is not a public key file.", path);

exit(0);

}

Line 917

Line 959

char *path;

} key_types[] = {

#ifdef WITH_OPENSSL

#ifdef WITH_SSH1

{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },

#endif /* WITH_SSH1 */

{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },

{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },

{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },

Line 1021

Line 1060

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

char *hashed, *cp, *hosts, *ohosts;

int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);

int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;

switch (l->status) {

case HKF_STATUS_OK:

Line 1029

Line 1069

* Don't hash hosts already already hashed, with wildcard

* characters or a CA/revocation marker.

if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||

if (was_hashed || has_wild || l->marker != MRK_NONE) {

has_wild || l->marker != MRK_NONE) {

fprintf(ctx->out, "%s\n", l->line);

if (has_wild && !find_host) {

logit("%s:%ld: ignoring host name "

logit("%s:%lu: ignoring host name "

"with wildcard: %.64s", l->path,

l->linenum, l->hosts);

}

Line 1045

Line 1084

ohosts = hosts = xstrdup(l->hosts);

while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {

lowercase(cp);

if ((hashed = host_hash(cp, NULL, 0)) == NULL)

fatal("hash_host failed");

fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);

Line 1055

Line 1095

case HKF_STATUS_INVALID:

/* Retain invalid lines, but mark file as invalid. */

ctx->invalid = 1;

logit("%s:%ld: invalid line", l->path, l->linenum);

logit("%s:%lu: invalid line", l->path, l->linenum);

/* FALLTHROUGH */

default:

fprintf(ctx->out, "%s\n", l->line);

Line 1089

Line 1129

ctx->found_key = 1;

if (!quiet)

printf("# Host %s found: line %ld\n",

printf("# Host %s found: line %lu\n",

ctx->host, l->linenum);

}

return 0;

} else if (find_host) {

ctx->found_key = 1;

if (!quiet) {

printf("# Host %s found: line %ld %s\n",

printf("# Host %s found: line %lu %s\n",

ctx->host,

l->linenum, l->marker == MRK_CA ? "CA" :

(l->marker == MRK_REVOKE ? "REVOKED" : ""));

Line 1105

Line 1145

known_hosts_hash(l, ctx);

else if (print_fingerprint) {

fp = sshkey_fingerprint(l->key, fptype, rep);

printf("%s %s %s %s\n", ctx->host,

mprintf("%s %s %s %s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

free(fp);

} else

Line 1116

Line 1156

/* Retain non-matching hosts when deleting */

if (l->status == HKF_STATUS_INVALID) {

ctx->invalid = 1;

logit("%s:%ld: invalid line", l->path, l->linenum);

logit("%s:%lu: invalid line", l->path, l->linenum);

}

fprintf(ctx->out, "%s\n", l->line);

}

Line 1170

Line 1210

foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;

if ((r = hostkeys_foreach(identity_file,

hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,

name, NULL, foreach_options)) != 0)

name, NULL, foreach_options)) != 0) {

if (inplace)

unlink(tmp);

fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));

}

if (inplace)

fclose(ctx.out);

Line 1186

Line 1229

exit(1);

} else if (delete_host && !ctx.found_key) {

logit("Host %s not found in %s", name, identity_file);

unlink(tmp);

if (inplace)

unlink(tmp);

} else if (inplace) {

/* Backup existing file */

if (unlink(old) == -1 && errno != ENOENT)

Line 1252

Line 1296

fatal("Failed to load key %s: %s", identity_file, ssh_err(r));

}

if (comment)

printf("Key has comment '%s'\n", comment);

mprintf("Key has comment '%s'\n", comment);

/* Ask the new passphrase (twice). */

if (identity_new_passphrase) {

Line 1367

Line 1411

identity_file, ssh_err(r));

}

/* XXX what about new-format keys? */

if (private->type != KEY_RSA1) {

if (private->type != KEY_ED25519 && !use_new_format) {

error("Comments are only supported for RSA1 keys.");

error("Comments are only supported for keys stored in "

"the new format (-o).");

explicit_bzero(passphrase, strlen(passphrase));

sshkey_free(private);

exit(1);

}

printf("Key now has comment '%s'\n", comment);

if (comment)

printf("Key now has comment '%s'\n", comment);

else

printf("Key now has no comment\n");

if (identity_comment) {

strlcpy(new_comment, identity_comment, sizeof(new_comment));

Line 1425

Line 1473

exit(0);

}

static const char *

fmt_validity(u_int64_t valid_from, u_int64_t valid_to)

{

char from[32], to[32];

static char ret[64];

time_t tt;

struct tm *tm;

*from = *to = '\0';

if (valid_from == 0 && valid_to == 0xffffffffffffffffULL)

return "forever";

if (valid_from != 0) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_from > INT_MAX ? INT_MAX : valid_from;

tm = localtime(&tt);

strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_to != 0xffffffffffffffffULL) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_to > INT_MAX ? INT_MAX : valid_to;

tm = localtime(&tt);

strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_from == 0) {

snprintf(ret, sizeof(ret), "before %s", to);

return ret;

}

if (valid_to == 0xffffffffffffffffULL) {

snprintf(ret, sizeof(ret), "after %s", from);

return ret;

}

snprintf(ret, sizeof(ret), "from %s to %s", from, to);

return ret;

}

static void

add_flag_option(struct sshbuf *c, const char *name)

{

Line 1496

Line 1506

static void

prepare_options_buf(struct sshbuf *c, int which)

{

size_t i;

sshbuf_reset(c);

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_command != NULL)

Line 1518

Line 1530

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_src_addr != NULL)

add_string_option(c, "source-address", certflags_src_addr);

for (i = 0; i < ncert_userext; i++) {

if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) ||

(!cert_userext[i].crit && (which & OPTIONS_CRITICAL)))

continue;

if (cert_userext[i].val == NULL)

add_flag_option(c, cert_userext[i].key);

else {

add_string_option(c, cert_userext[i].key,

cert_userext[i].val);

}

static struct sshkey *

Line 1556

Line 1579

int r, i, fd;

u_int n;

struct sshkey *ca, *public;

char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

#ifdef ENABLE_PKCS11

Line 1570

Line 1593

ca = load_identity(tmp);

free(tmp);

if (key_type_name != NULL &&

sshkey_type_from_name(key_type_name) != ca->type) {

fatal("CA key type %s doesn't match specified %s",

sshkey_ssh_name(ca), key_type_name);

}

for (i = 0; i < argc; i++) {

/* Split list of principals */

n = 0;

Line 1611

Line 1640

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

if (sshkey_certify(public, ca) != 0)

if ((r = sshkey_certify(public, ca, key_type_name)) != 0)

fatal("Couldn't not certify key %s", tmp);

fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));

if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)

*cp = '\0';

Line 1631

Line 1660

fclose(f);

if (!quiet) {

sshkey_format_cert_validity(public->cert,

valid, sizeof(valid));

logit("Signed %s key %s: id \"%s\" serial %llu%s%s "

"valid %s", sshkey_cert_type(public),

out, public->cert->key_id,

(unsigned long long)public->cert->serial,

cert_principals != NULL ? " for " : "",

cert_principals != NULL ? cert_principals : "",

fmt_validity(cert_valid_from, cert_valid_to));

valid);

}

sshkey_free(public);

Line 1671

Line 1702

char buf[32], *fmt;

* POSIX strptime says "The application shall ensure that there

* is white-space or other non-alphanumeric characters between

* any two conversion specifications" so arrange things this way.

Line 1746

Line 1777

static void

add_cert_option(char *opt)

{

char *val;

char *val, *cp;

int iscrit = 0;

if (strcasecmp(opt, "clear") == 0)

certflags_flags = 0;

Line 1786

Line 1818

if (addr_match_cidr_list(NULL, val) != 0)

fatal("Invalid source-address list");

certflags_src_addr = xstrdup(val);

} else if (strncasecmp(opt, "extension:", 10) == 0 ||

(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {

val = xstrdup(strchr(opt, ':') + 1);

if ((cp = strchr(val, '=')) != NULL)

*cp++ = '\0';

cert_userext = xreallocarray(cert_userext, ncert_userext + 1,

sizeof(*cert_userext));

cert_userext[ncert_userext].key = val;

cert_userext[ncert_userext].val = cp == NULL ?

NULL : xstrdup(cp);

cert_userext[ncert_userext].crit = iscrit;

ncert_userext++;

} else

fatal("Unsupported certificate option \"%s\"", opt);

}

Line 1835

Line 1879

}

static void

do_show_cert(struct passwd *pw)

print_cert(struct sshkey *key)

{

struct sshkey *key;

char valid[64], *key_fp, *ca_fp;

struct stat st;

char *key_fp, *ca_fp;

u_int i;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)

fatal("Cannot load public key \"%s\": %s",

identity_file, ssh_err(r));

if (!sshkey_is_cert(key))

fatal("%s is not a certificate", identity_file);

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = sshkey_fingerprint(key->cert->signature_key,

fingerprint_hash, SSH_FP_DEFAULT);

if (key_fp == NULL || ca_fp == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

sshkey_format_cert_validity(key->cert, valid, sizeof(valid));

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

sshkey_cert_type(key));

printf(" Public key: %s %s\n", sshkey_type(key), key_fp);

Line 1867

Line 1898

sshkey_type(key->cert->signature_key), ca_fp);

printf(" Key ID: \"%s\"\n", key->cert->key_id);

printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);

printf(" Valid: %s\n",

printf(" Valid: %s\n", valid);

fmt_validity(key->cert->valid_after, key->cert->valid_before));

printf(" Principals: ");

if (key->cert->nprincipals == 0)

printf("(none)\n");

Line 1892

Line 1922

printf("\n");

show_options(key->cert->extensions, 0);

}

exit(0);

}

static void

do_show_cert(struct passwd *pw)

{

struct sshkey *key = NULL;

struct stat st;

int r, is_stdin = 0, ok = 0;

FILE *f;

char *cp, line[SSH_MAX_PUBKEY_BYTES];

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

path = identity_file;

if (strcmp(path, "-") == 0) {

f = stdin;

path = "(stdin)";

is_stdin = 1;

} else if ((f = fopen(identity_file, "r")) == NULL)

fatal("fopen %s: %s", identity_file, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

sshkey_free(key);

key = NULL;

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if ((r = sshkey_read(key, &cp)) != 0) {

error("%s:%lu: invalid key: %s", path,

lnum, ssh_err(r));

continue;

}

if (!sshkey_is_cert(key)) {

error("%s:%lu is not a certificate", path, lnum);

continue;

}

ok = 1;

if (!is_stdin && lnum == 1)

printf("%s:\n", path);

else

printf("%s:%lu:\n", path, lnum);

print_cert(key);

}

sshkey_free(key);

fclose(f);

exit(ok ? 0 : 1);

}

#ifdef WITH_OPENSSL

static void

load_krl(const char *path, struct ssh_krl **krlp)

Line 2097

Line 2180

close(fd);

sshbuf_free(kbuf);

ssh_krl_free(krl);

if (ca != NULL)

sshkey_free(ca);

}

static void

Line 2134

Line 2216

usage(void)

{

fprintf(stderr,

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"

" [-N new_passphrase] [-C comment] [-f output_keyfile]\n"

" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"

" ssh-keygen -i [-m key_format] [-f input_keyfile]\n"

Line 2194

Line 2276

extern int optind;

extern char *optarg;

ssh_malloc_init(); /* must be called before any mallocs */

/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */

sanitise_stdfd();

OpenSSL_add_all_algorithms();

log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

setlocale(LC_CTYPE, "");

/* we need this for the home * directory. */

pw = getpwuid(getuid());

if (!pw)

Line 2376

Line 2461

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'K':

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");