=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.384 retrieving revision 1.393 diff -u -r1.384 -r1.393 --- src/usr.bin/ssh/ssh-keygen.c 2020/01/21 11:06:09 1.384 +++ src/usr.bin/ssh/ssh-keygen.c 2020/01/25 23:02:13 1.393 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.384 2020/01/21 11:06:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.393 2020/01/25 23:02:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -388,6 +388,14 @@ if (!PEM_write_RSAPublicKey(stdout, k->rsa)) fatal("PEM_write_RSAPublicKey failed"); break; + case KEY_DSA: + if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) + fatal("PEM_write_DSA_PUBKEY failed"); + break; + case KEY_ECDSA: + if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) + fatal("PEM_write_EC_PUBKEY failed"); + break; default: fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); } @@ -803,13 +811,13 @@ int i, nkeys; enum sshkey_fp_rep rep; int fptype; - char *fp, *ra; + char *fp, *ra, **comments = NULL; fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; pkcs11_init(1); - nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); + nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys, &comments); if (nkeys <= 0) fatal("cannot read public key from pkcs11"); for (i = 0; i < nkeys; i++) { @@ -827,10 +835,13 @@ free(fp); } else { (void) sshkey_write(keys[i], stdout); /* XXX check */ - fprintf(stdout, "\n"); + fprintf(stdout, "%s%s\n", + *(comments[i]) == '\0' ? "" : " ", comments[i]); } + free(comments[i]); sshkey_free(keys[i]); } + free(comments); free(keys); pkcs11_terminate(); exit(0); @@ -1241,8 +1252,10 @@ if (fp == NULL || ra == NULL) fatal("%s: sshkey_fingerprint failed", __func__); - mprintf("%s %s %s %s\n", ctx->host, - sshkey_type(l->key), fp, l->comment); + mprintf("%s %s %s%s%s\n", ctx->host, + sshkey_type(l->key), fp, + l->comment[0] ? " " : "", + l->comment); if (log_level_get() >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); free(ra); @@ -1673,7 +1686,8 @@ fatal("Couldn't load CA public key \"%s\": %s", path, ssh_err(r)); - nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase, &keys); + nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase, + &keys, NULL); debug3("%s: %d keys", __func__, nkeys); if (nkeys <= 0) fatal("cannot read public key from pkcs11"); @@ -1758,10 +1772,14 @@ } free(tmp); - if (key_type_name != NULL && - sshkey_type_from_name(key_type_name) != ca->type) { - fatal("CA key type %s doesn't match specified %s", - sshkey_ssh_name(ca), key_type_name); + if (key_type_name != NULL) { + if (sshkey_type_from_name(key_type_name) != ca->type) { + fatal("CA key type %s doesn't match specified %s", + sshkey_ssh_name(ca), key_type_name); + } + } else if (ca->type == KEY_RSA) { + /* Default to a good signature algorithm */ + key_type_name = "rsa-sha2-512"; } ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT); @@ -2149,15 +2167,10 @@ load_krl(const char *path, struct ssh_krl **krlp) { struct sshbuf *krlbuf; - int r, fd; + int r; - if ((krlbuf = sshbuf_new()) == NULL) - fatal("sshbuf_new failed"); - if ((fd = open(path, O_RDONLY)) == -1) - fatal("open %s: %s", path, strerror(errno)); - if ((r = sshkey_load_file(fd, krlbuf)) != 0) + if ((r = sshbuf_load_file(path, &krlbuf)) != 0) fatal("Unable to load KRL: %s", ssh_err(r)); - close(fd); /* XXX check sigs */ if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 || *krlp == NULL) @@ -2359,7 +2372,7 @@ struct ssh_krl *krl; struct stat sb; struct sshkey *ca = NULL; - int fd, i, r, wild_ca = 0; + int i, r, wild_ca = 0; char *tmp; struct sshbuf *kbuf; @@ -2401,12 +2414,8 @@ fatal("sshbuf_new failed"); if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0) fatal("Couldn't generate KRL"); - if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) - fatal("open %s: %s", identity_file, strerror(errno)); - if (atomicio(vwrite, fd, sshbuf_mutable_ptr(kbuf), sshbuf_len(kbuf)) != - sshbuf_len(kbuf)) + if ((r = sshbuf_write_file(identity_file, kbuf)) != 0) fatal("write %s: %s", identity_file, strerror(errno)); - close(fd); sshbuf_free(kbuf); ssh_krl_free(krl); sshkey_free(ca); @@ -2577,7 +2586,7 @@ } static int -sign(const char *keypath, const char *sig_namespace, int argc, char **argv) +sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv) { int i, fd = -1, r, ret = -1; int agent_fd = -1; @@ -2648,31 +2657,24 @@ } static int -verify(const char *signature, const char *sig_namespace, const char *principal, - const char *allowed_keys, const char *revoked_keys) +sig_verify(const char *signature, const char *sig_namespace, + const char *principal, const char *allowed_keys, const char *revoked_keys) { - int r, ret = -1, sigfd = -1; + int r, ret = -1; struct sshbuf *sigbuf = NULL, *abuf = NULL; struct sshkey *sign_key = NULL; char *fp = NULL; struct sshkey_sig_details *sig_details = NULL; memset(&sig_details, 0, sizeof(sig_details)); - if ((abuf = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new() failed", __func__); - - if ((sigfd = open(signature, O_RDONLY)) < 0) { - error("Couldn't open signature file %s", signature); - goto done; - } - - if ((r = sshkey_load_file(sigfd, abuf)) != 0) { + if ((r = sshbuf_load_file(signature, &abuf)) != 0) { error("Couldn't read signature file: %s", ssh_err(r)); goto done; } + if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { error("%s: sshsig_armor: %s", __func__, ssh_err(r)); - return r; + goto done; } if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, &sign_key, &sig_details)) != 0) @@ -2725,8 +2727,6 @@ printf("Could not verify signature.\n"); } } - if (sigfd != -1) - close(sigfd); sshbuf_free(sigbuf); sshbuf_free(abuf); sshkey_free(sign_key); @@ -2735,6 +2735,49 @@ return ret; } +static int +sig_find_principals(const char *signature, const char *allowed_keys) { + int r, ret = -1; + struct sshbuf *sigbuf = NULL, *abuf = NULL; + struct sshkey *sign_key = NULL; + char *principals = NULL, *cp, *tmp; + + if ((r = sshbuf_load_file(signature, &abuf)) != 0) { + error("Couldn't read signature file: %s", ssh_err(r)); + goto done; + } + if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { + error("%s: sshsig_armor: %s", __func__, ssh_err(r)); + goto done; + } + if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) { + error("%s: sshsig_get_pubkey: %s", + __func__, ssh_err(r)); + goto done; + } + if ((r = sshsig_find_principals(allowed_keys, sign_key, + &principals)) != 0) { + error("%s: sshsig_get_principal: %s", + __func__, ssh_err(r)); + goto done; + } + ret = 0; +done: + if (ret == 0 ) { + /* Emit matching principals one per line */ + tmp = principals; + while ((cp = strsep(&tmp, ",")) != NULL && *cp != '\0') + puts(cp); + } else { + fprintf(stderr, "No principal matched.\n"); + } + sshbuf_free(sigbuf); + sshbuf_free(abuf); + sshkey_free(sign_key); + free(principals); + return ret; +} + static void do_moduli_gen(const char *out_file, char **opts, size_t nopts) { @@ -3020,6 +3063,7 @@ " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" " file ...\n" " ssh-keygen -Q -f krl_file file ...\n" + " ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n" " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" " ssh-keygen -Y sign -f key_file -n namespace file ...\n" " ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" @@ -3280,27 +3324,47 @@ argc -= optind; if (sign_op != NULL) { - if (cert_principals == NULL || *cert_principals == '\0') { - error("Too few arguments for sign/verify: " - "missing namespace"); - exit(1); - } - if (strncmp(sign_op, "sign", 4) == 0) { + if (strncmp(sign_op, "find-principals", 15) == 0) { + if (ca_key_path == NULL) { + error("Too few arguments for find-principals:" + "missing signature file"); + exit(1); + } if (!have_identity) { + error("Too few arguments for find-principals:" + "missing allowed keys file"); + exit(1); + } + return sig_find_principals(ca_key_path, identity_file); + } else if (strncmp(sign_op, "sign", 4) == 0) { + if (cert_principals == NULL || + *cert_principals == '\0') { error("Too few arguments for sign: " + "missing namespace"); + exit(1); + } + if (!have_identity) { + error("Too few arguments for sign: " "missing key"); exit(1); } - return sign(identity_file, cert_principals, argc, argv); + return sig_sign(identity_file, cert_principals, + argc, argv); } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { if (ca_key_path == NULL) { error("Too few arguments for check-novalidate: " "missing signature file"); exit(1); } - return verify(ca_key_path, cert_principals, - NULL, NULL, NULL); + return sig_verify(ca_key_path, cert_principals, + NULL, NULL, NULL); } else if (strncmp(sign_op, "verify", 6) == 0) { + if (cert_principals == NULL || + *cert_principals == '\0') { + error("Too few arguments for verify: " + "missing namespace"); + exit(1); + } if (ca_key_path == NULL) { error("Too few arguments for verify: " "missing signature file"); @@ -3316,9 +3380,10 @@ "missing principal ID"); exit(1); } - return verify(ca_key_path, cert_principals, + return sig_verify(ca_key_path, cert_principals, cert_key_id, identity_file, rr_hostname); } + error("Unsupported operation for -Y: \"%s\"", sign_op); usage(); /* NOTREACHED */ } @@ -3551,7 +3616,7 @@ sshkey_free(private); if (!quiet) { - printf("Your identification has been saved in %s.\n", + printf("Your identification has been saved in %s\n", identity_file); } @@ -3568,7 +3633,7 @@ SSH_FP_RANDOMART); if (fp == NULL || ra == NULL) fatal("sshkey_fingerprint failed"); - printf("Your public key has been saved in %s.\n", + printf("Your public key has been saved in %s\n", identity_file); printf("The key fingerprint is:\n"); printf("%s %s\n", fp, comment);