| version 1.384, 2020/01/21 11:06:09 |
version 1.386, 2020/01/23 02:43:48 |
|
|
| if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
| fatal("%s: sshkey_fingerprint failed", |
fatal("%s: sshkey_fingerprint failed", |
| __func__); |
__func__); |
| mprintf("%s %s %s %s\n", ctx->host, |
mprintf("%s %s %s%s%s\n", ctx->host, |
| sshkey_type(l->key), fp, l->comment); |
sshkey_type(l->key), fp, |
| |
l->comment[0] ? " " : "", |
| |
l->comment); |
| if (log_level_get() >= SYSLOG_LEVEL_VERBOSE) |
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE) |
| printf("%s\n", ra); |
printf("%s\n", ra); |
| free(ra); |
free(ra); |
|
|
| } |
} |
| |
|
| static int |
static int |
| sign(const char *keypath, const char *sig_namespace, int argc, char **argv) |
sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv) |
| { |
{ |
| int i, fd = -1, r, ret = -1; |
int i, fd = -1, r, ret = -1; |
| int agent_fd = -1; |
int agent_fd = -1; |
|
|
| } |
} |
| |
|
| static int |
static int |
| verify(const char *signature, const char *sig_namespace, const char *principal, |
sig_verify(const char *signature, const char *sig_namespace, |
| const char *allowed_keys, const char *revoked_keys) |
const char *principal, const char *allowed_keys, const char *revoked_keys) |
| { |
{ |
| int r, ret = -1, sigfd = -1; |
int r, ret = -1, sigfd = -1; |
| struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
|
|
| } |
} |
| if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
| error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
| return r; |
goto done; |
| } |
} |
| if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, |
if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, |
| &sign_key, &sig_details)) != 0) |
&sign_key, &sig_details)) != 0) |
|
|
| return ret; |
return ret; |
| } |
} |
| |
|
| |
static int |
| |
sig_find_principal(const char *signature, const char *allowed_keys) { |
| |
int r, ret = -1, sigfd = -1; |
| |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
| |
struct sshkey *sign_key = NULL; |
| |
char *principal = NULL; |
| |
|
| |
if ((abuf = sshbuf_new()) == NULL) |
| |
fatal("%s: sshbuf_new() failed", __func__); |
| |
|
| |
if ((sigfd = open(signature, O_RDONLY)) < 0) { |
| |
error("Couldn't open signature file %s", signature); |
| |
goto done; |
| |
} |
| |
|
| |
if ((r = sshkey_load_file(sigfd, abuf)) != 0) { |
| |
error("Couldn't read signature file: %s", ssh_err(r)); |
| |
goto done; |
| |
} |
| |
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
| |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
| |
goto done; |
| |
} |
| |
if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) { |
| |
error("%s: sshsig_get_pubkey: %s", |
| |
__func__, ssh_err(r)); |
| |
goto done; |
| |
} |
| |
|
| |
if ((r = sshsig_find_principal(allowed_keys, sign_key, |
| |
&principal)) != 0) { |
| |
error("%s: sshsig_get_principal: %s", |
| |
__func__, ssh_err(r)); |
| |
goto done; |
| |
} |
| |
ret = 0; |
| |
done: |
| |
if (ret == 0 ) { |
| |
printf("Found matching principal: %s\n", principal); |
| |
} else { |
| |
printf("Could not find matching principal.\n"); |
| |
} |
| |
if (sigfd != -1) |
| |
close(sigfd); |
| |
sshbuf_free(sigbuf); |
| |
sshbuf_free(abuf); |
| |
sshkey_free(sign_key); |
| |
free(principal); |
| |
return ret; |
| |
} |
| |
|
| static void |
static void |
| do_moduli_gen(const char *out_file, char **opts, size_t nopts) |
do_moduli_gen(const char *out_file, char **opts, size_t nopts) |
| { |
{ |
|
|
| " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
| " file ...\n" |
" file ...\n" |
| " ssh-keygen -Q -f krl_file file ...\n" |
" ssh-keygen -Q -f krl_file file ...\n" |
| |
" ssh-keygen -Y find-principal -s signature_file -f allowed_signers_file\n" |
| " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" |
" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" |
| " ssh-keygen -Y sign -f key_file -n namespace file ...\n" |
" ssh-keygen -Y sign -f key_file -n namespace file ...\n" |
| " ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" |
" ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" |
|
|
| argc -= optind; |
argc -= optind; |
| |
|
| if (sign_op != NULL) { |
if (sign_op != NULL) { |
| |
if (strncmp(sign_op, "find-principal", 14) == 0) { |
| |
if (ca_key_path == NULL) { |
| |
error("Too few arguments for find-principal:" |
| |
"missing signature file"); |
| |
exit(1); |
| |
} |
| |
if (!have_identity) { |
| |
error("Too few arguments for find-principal:" |
| |
"missing allowed keys file"); |
| |
exit(1); |
| |
} |
| |
return sig_find_principal(ca_key_path, identity_file); |
| |
} |
| if (cert_principals == NULL || *cert_principals == '\0') { |
if (cert_principals == NULL || *cert_principals == '\0') { |
| error("Too few arguments for sign/verify: " |
error("Too few arguments for sign/verify: " |
| "missing namespace"); |
"missing namespace"); |
|
|
| "missing key"); |
"missing key"); |
| exit(1); |
exit(1); |
| } |
} |
| return sign(identity_file, cert_principals, argc, argv); |
return sig_sign(identity_file, cert_principals, |
| |
argc, argv); |
| } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { |
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) { |
| if (ca_key_path == NULL) { |
if (ca_key_path == NULL) { |
| error("Too few arguments for check-novalidate: " |
error("Too few arguments for check-novalidate: " |
| "missing signature file"); |
"missing signature file"); |
| exit(1); |
exit(1); |
| } |
} |
| return verify(ca_key_path, cert_principals, |
return sig_verify(ca_key_path, cert_principals, |
| NULL, NULL, NULL); |
NULL, NULL, NULL); |
| } else if (strncmp(sign_op, "verify", 6) == 0) { |
} else if (strncmp(sign_op, "verify", 6) == 0) { |
| if (ca_key_path == NULL) { |
if (ca_key_path == NULL) { |
| error("Too few arguments for verify: " |
error("Too few arguments for verify: " |
|
|
| "missing principal ID"); |
"missing principal ID"); |
| exit(1); |
exit(1); |
| } |
} |
| return verify(ca_key_path, cert_principals, |
return sig_verify(ca_key_path, cert_principals, |
| cert_key_id, identity_file, rr_hostname); |
cert_key_id, identity_file, rr_hostname); |
| } |
} |
| usage(); |
usage(); |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh