src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.384 and 1.390

version 1.384, 2020/01/21 11:06:09

version 1.390, 2020/01/24 00:27:04

Line 388

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

fatal("PEM_write_RSAPublicKey failed");

break;

case KEY_DSA:

if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))

fatal("PEM_write_DSA_PUBKEY failed");

break;

case KEY_ECDSA:

if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))

fatal("PEM_write_EC_PUBKEY failed");

break;

default:

fatal("%s: unsupported key type %s", __func__, sshkey_type(k));

}

Line 1241

Line 1249

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint failed",

__func__);

mprintf("%s %s %s %s\n", ctx->host,

mprintf("%s %s %s%s%s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

sshkey_type(l->key), fp,

l->comment[0] ? " " : "",

l->comment);

if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

Line 1758

Line 1768

}

free(tmp);

if (key_type_name != NULL &&

if (key_type_name != NULL) {

sshkey_type_from_name(key_type_name) != ca->type) {

if (sshkey_type_from_name(key_type_name) != ca->type) {

fatal("CA key type %s doesn't match specified %s",

sshkey_ssh_name(ca), key_type_name);

}

} else if (ca->type == KEY_RSA) {

/* Default to a good signature algorithm */

key_type_name = "rsa-sha2-512";

}

ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT);

Line 2577

Line 2591

}

static int

sign(const char *keypath, const char *sig_namespace, int argc, char **argv)

sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv)

{

int i, fd = -1, r, ret = -1;

int agent_fd = -1;

Line 2648

Line 2662

}

static int

verify(const char *signature, const char *sig_namespace, const char *principal,

sig_verify(const char *signature, const char *sig_namespace,

const char *allowed_keys, const char *revoked_keys)

const char *principal, const char *allowed_keys, const char *revoked_keys)

{

int r, ret = -1, sigfd = -1;

struct sshbuf *sigbuf = NULL, *abuf = NULL;

Line 2672

Line 2686

}

if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {

error("%s: sshsig_armor: %s", __func__, ssh_err(r));

return r;

goto done;

}

if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace,

&sign_key, &sig_details)) != 0)

Line 2735

Line 2749

return ret;

}

static int

sig_find_principals(const char *signature, const char *allowed_keys) {

int r, ret = -1, sigfd = -1;

struct sshbuf *sigbuf = NULL, *abuf = NULL;

struct sshkey *sign_key = NULL;

char *principals = NULL;

if ((abuf = sshbuf_new()) == NULL)

fatal("%s: sshbuf_new() failed", __func__);

if ((sigfd = open(signature, O_RDONLY)) < 0) {

error("Couldn't open signature file %s", signature);

goto done;

}

if ((r = sshkey_load_file(sigfd, abuf)) != 0) {

error("Couldn't read signature file: %s", ssh_err(r));

goto done;

}

if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {

error("%s: sshsig_armor: %s", __func__, ssh_err(r));

goto done;

}

if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) {

error("%s: sshsig_get_pubkey: %s",

__func__, ssh_err(r));

goto done;

}

if ((r = sshsig_find_principals(allowed_keys, sign_key,

&principals)) != 0) {

error("%s: sshsig_get_principal: %s",

__func__, ssh_err(r));

goto done;

}

ret = 0;

done:

if (ret == 0 ) {

printf("Found matching principal: %s\n", principals);

} else {

printf("Could not find matching principal.\n");

}

if (sigfd != -1)

close(sigfd);

sshbuf_free(sigbuf);

sshbuf_free(abuf);

sshkey_free(sign_key);

free(principals);

return ret;

}

static void

do_moduli_gen(const char *out_file, char **opts, size_t nopts)

{

Line 3020

Line 3084

" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"

" file ...\n"

" ssh-keygen -Q -f krl_file file ...\n"

" ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"

" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"

" ssh-keygen -Y sign -f key_file -n namespace file ...\n"

" ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n"

Line 3280

Line 3345

argc -= optind;

if (sign_op != NULL) {

if (strncmp(sign_op, "find-principals", 15) == 0) {

if (ca_key_path == NULL) {

error("Too few arguments for find-principals:"

"missing signature file");

exit(1);

}

if (!have_identity) {

error("Too few arguments for find-principals:"

"missing allowed keys file");

exit(1);

}

return sig_find_principals(ca_key_path, identity_file);

}

if (cert_principals == NULL || *cert_principals == '\0') {

error("Too few arguments for sign/verify: "

"missing namespace");

Line 3291

Line 3369

"missing key");

exit(1);

}

return sign(identity_file, cert_principals, argc, argv);

return sig_sign(identity_file, cert_principals,

argc, argv);

} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {

if (ca_key_path == NULL) {

error("Too few arguments for check-novalidate: "

"missing signature file");

exit(1);

}

return verify(ca_key_path, cert_principals,

return sig_verify(ca_key_path, cert_principals,

NULL, NULL, NULL);

} else if (strncmp(sign_op, "verify", 6) == 0) {

if (ca_key_path == NULL) {

error("Too few arguments for verify: "

Line 3316

Line 3395

"missing principal ID");

exit(1);

}

return verify(ca_key_path, cert_principals,

return sig_verify(ca_key_path, cert_principals,

cert_key_id, identity_file, rr_hostname);

}

usage();

Line 3551

Line 3630

sshkey_free(private);

if (!quiet) {

printf("Your identification has been saved in %s.\n",

printf("Your identification has been saved in %s\n",

identity_file);

}

Line 3568

Line 3647

SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("sshkey_fingerprint failed");

printf("Your public key has been saved in %s.\n",

printf("Your public key has been saved in %s\n",

identity_file);

printf("The key fingerprint is:\n");

printf("%s %s\n", fp, comment);