version 1.384, 2020/01/21 11:06:09 |
version 1.386, 2020/01/23 02:43:48 |
|
|
if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
fatal("%s: sshkey_fingerprint failed", |
fatal("%s: sshkey_fingerprint failed", |
__func__); |
__func__); |
mprintf("%s %s %s %s\n", ctx->host, |
mprintf("%s %s %s%s%s\n", ctx->host, |
sshkey_type(l->key), fp, l->comment); |
sshkey_type(l->key), fp, |
|
l->comment[0] ? " " : "", |
|
l->comment); |
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE) |
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE) |
printf("%s\n", ra); |
printf("%s\n", ra); |
free(ra); |
free(ra); |
|
|
} |
} |
|
|
static int |
static int |
sign(const char *keypath, const char *sig_namespace, int argc, char **argv) |
sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv) |
{ |
{ |
int i, fd = -1, r, ret = -1; |
int i, fd = -1, r, ret = -1; |
int agent_fd = -1; |
int agent_fd = -1; |
|
|
} |
} |
|
|
static int |
static int |
verify(const char *signature, const char *sig_namespace, const char *principal, |
sig_verify(const char *signature, const char *sig_namespace, |
const char *allowed_keys, const char *revoked_keys) |
const char *principal, const char *allowed_keys, const char *revoked_keys) |
{ |
{ |
int r, ret = -1, sigfd = -1; |
int r, ret = -1, sigfd = -1; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
|
|
} |
} |
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
return r; |
goto done; |
} |
} |
if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, |
if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, |
&sign_key, &sig_details)) != 0) |
&sign_key, &sig_details)) != 0) |
|
|
return ret; |
return ret; |
} |
} |
|
|
|
static int |
|
sig_find_principal(const char *signature, const char *allowed_keys) { |
|
int r, ret = -1, sigfd = -1; |
|
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
|
struct sshkey *sign_key = NULL; |
|
char *principal = NULL; |
|
|
|
if ((abuf = sshbuf_new()) == NULL) |
|
fatal("%s: sshbuf_new() failed", __func__); |
|
|
|
if ((sigfd = open(signature, O_RDONLY)) < 0) { |
|
error("Couldn't open signature file %s", signature); |
|
goto done; |
|
} |
|
|
|
if ((r = sshkey_load_file(sigfd, abuf)) != 0) { |
|
error("Couldn't read signature file: %s", ssh_err(r)); |
|
goto done; |
|
} |
|
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
|
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
|
goto done; |
|
} |
|
if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) { |
|
error("%s: sshsig_get_pubkey: %s", |
|
__func__, ssh_err(r)); |
|
goto done; |
|
} |
|
|
|
if ((r = sshsig_find_principal(allowed_keys, sign_key, |
|
&principal)) != 0) { |
|
error("%s: sshsig_get_principal: %s", |
|
__func__, ssh_err(r)); |
|
goto done; |
|
} |
|
ret = 0; |
|
done: |
|
if (ret == 0 ) { |
|
printf("Found matching principal: %s\n", principal); |
|
} else { |
|
printf("Could not find matching principal.\n"); |
|
} |
|
if (sigfd != -1) |
|
close(sigfd); |
|
sshbuf_free(sigbuf); |
|
sshbuf_free(abuf); |
|
sshkey_free(sign_key); |
|
free(principal); |
|
return ret; |
|
} |
|
|
static void |
static void |
do_moduli_gen(const char *out_file, char **opts, size_t nopts) |
do_moduli_gen(const char *out_file, char **opts, size_t nopts) |
{ |
{ |
|
|
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
" file ...\n" |
" file ...\n" |
" ssh-keygen -Q -f krl_file file ...\n" |
" ssh-keygen -Q -f krl_file file ...\n" |
|
" ssh-keygen -Y find-principal -s signature_file -f allowed_signers_file\n" |
" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" |
" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" |
" ssh-keygen -Y sign -f key_file -n namespace file ...\n" |
" ssh-keygen -Y sign -f key_file -n namespace file ...\n" |
" ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" |
" ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" |
|
|
argc -= optind; |
argc -= optind; |
|
|
if (sign_op != NULL) { |
if (sign_op != NULL) { |
|
if (strncmp(sign_op, "find-principal", 14) == 0) { |
|
if (ca_key_path == NULL) { |
|
error("Too few arguments for find-principal:" |
|
"missing signature file"); |
|
exit(1); |
|
} |
|
if (!have_identity) { |
|
error("Too few arguments for find-principal:" |
|
"missing allowed keys file"); |
|
exit(1); |
|
} |
|
return sig_find_principal(ca_key_path, identity_file); |
|
} |
if (cert_principals == NULL || *cert_principals == '\0') { |
if (cert_principals == NULL || *cert_principals == '\0') { |
error("Too few arguments for sign/verify: " |
error("Too few arguments for sign/verify: " |
"missing namespace"); |
"missing namespace"); |
|
|
"missing key"); |
"missing key"); |
exit(1); |
exit(1); |
} |
} |
return sign(identity_file, cert_principals, argc, argv); |
return sig_sign(identity_file, cert_principals, |
|
argc, argv); |
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) { |
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) { |
if (ca_key_path == NULL) { |
if (ca_key_path == NULL) { |
error("Too few arguments for check-novalidate: " |
error("Too few arguments for check-novalidate: " |
"missing signature file"); |
"missing signature file"); |
exit(1); |
exit(1); |
} |
} |
return verify(ca_key_path, cert_principals, |
return sig_verify(ca_key_path, cert_principals, |
NULL, NULL, NULL); |
NULL, NULL, NULL); |
} else if (strncmp(sign_op, "verify", 6) == 0) { |
} else if (strncmp(sign_op, "verify", 6) == 0) { |
if (ca_key_path == NULL) { |
if (ca_key_path == NULL) { |
error("Too few arguments for verify: " |
error("Too few arguments for verify: " |
|
|
"missing principal ID"); |
"missing principal ID"); |
exit(1); |
exit(1); |
} |
} |
return verify(ca_key_path, cert_principals, |
return sig_verify(ca_key_path, cert_principals, |
cert_key_id, identity_file, rr_hostname); |
cert_key_id, identity_file, rr_hostname); |
} |
} |
usage(); |
usage(); |
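Review bot: The failure message in sig_find_principal names the wrong call — the code invokes `sshsig_find_principal` but reports `"%s: sshsig_get_principal: %s"`, so a log reader is pointed at a function that was never called; change it to `error("%s: sshsig_find_principal: %s", __func__, ssh_err(r));`. The two argument-check messages in the new find-principal branch also lose their separator when the literals are concatenated (`"Too few arguments for find-principal:" "missing signature file"` prints `find-principal:missing signature file`), whereas the neighbouring sign/verify and check-novalidate messages end the first literal with `": "`. Because sig_find_principal stops after sshsig_get_pubkey and sshsig_find_principal and never calls sshsig_verify_fd, a header comment such as `/* Report which allowed_signers principal the signature's embedded key matches; the signature itself is not verified here. */` would keep readers from taking "Found matching principal" as a validity result. The opening brace of sig_find_principal sits on the signature line while the rest of the file puts it on its own line, and `if (ret == 0 )` carries a stray space. The main() branch holding these checks starts and ends outside the shown section.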