=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.445 retrieving revision 1.452 diff -u -r1.445 -r1.452 --- src/usr.bin/ssh/ssh-keygen.c 2022/01/05 04:50:11 1.445 +++ src/usr.bin/ssh/ssh-keygen.c 2022/05/09 03:09:53 1.452 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.445 2022/01/05 04:50:11 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2437,9 +2437,10 @@ { size_t i, slen, plen = strlen(keypath); char *privpath = xstrdup(keypath); - const char *suffixes[] = { "-cert.pub", ".pub", NULL }; + static const char * const suffixes[] = { "-cert.pub", ".pub", NULL }; struct sshkey *ret = NULL, *privkey = NULL; - int r; + int r, waspub = 0; + struct stat st; /* * If passed a public key filename, then try to locate the corresponding @@ -2454,11 +2455,17 @@ privpath[plen - slen] = '\0'; debug_f("%s looks like a public key, using private key " "path %s instead", keypath, privpath); + waspub = 1; } - if ((privkey = load_identity(privpath, NULL)) == NULL) { - error("Couldn't load identity %s", keypath); - goto done; - } + if (waspub && stat(privpath, &st) != 0 && errno == ENOENT) + fatal("No private key found for public key \"%s\"", keypath); + if ((r = sshkey_load_private(privpath, "", &privkey, NULL)) != 0 && + (r != SSH_ERR_KEY_WRONG_PASSPHRASE)) { + debug_fr(r, "load private key \"%s\"", privpath); + fatal("No private key found for \"%s\"", privpath); + } else if (privkey == NULL) + privkey = load_identity(privpath, NULL); + if (!sshkey_equal_public(pubkey, privkey)) { error("Public key %s doesn't match private %s", keypath, privpath); @@ -2624,8 +2631,8 @@ static int -sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv, - char * const *opts, size_t nopts) +sig_sign(const char *keypath, const char *sig_namespace, int require_agent, + int argc, char **argv, char * const *opts, size_t nopts) { int i, fd = -1, r, ret = -1; int agent_fd = -1; @@ -2649,13 +2656,18 @@ goto done; } - if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) + if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { + if (require_agent) + fatal("Couldn't get agent socket"); debug_r(r, "Couldn't get agent socket"); - else { + } else { if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0) signer = agent_signer; - else + else { + if (require_agent) + fatal("Couldn't find key in agent"); debug_r(r, "Couldn't find key in agent"); + } } if (signer == NULL) { @@ -3497,6 +3509,7 @@ return sig_match_principals(identity_file, cert_key_id, opts, nopts); } else if (strncmp(sign_op, "sign", 4) == 0) { + /* NB. cert_principals is actually namespace, via -n */ if (cert_principals == NULL || *cert_principals == '\0') { error("Too few arguments for sign: " @@ -3509,8 +3522,15 @@ exit(1); } return sig_sign(identity_file, cert_principals, - argc, argv, opts, nopts); + prefer_agent, argc, argv, opts, nopts); } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { + /* NB. cert_principals is actually namespace, via -n */ + if (cert_principals == NULL || + *cert_principals == '\0') { + error("Too few arguments for check-novalidate: " + "missing namespace"); + exit(1); + } if (ca_key_path == NULL) { error("Too few arguments for check-novalidate: " "missing signature file"); @@ -3519,6 +3539,7 @@ return sig_verify(ca_key_path, cert_principals, NULL, NULL, NULL, opts, nopts); } else if (strncmp(sign_op, "verify", 6) == 0) { + /* NB. cert_principals is actually namespace, via -n */ if (cert_principals == NULL || *cert_principals == '\0') { error("Too few arguments for verify: " @@ -3537,7 +3558,7 @@ } if (cert_key_id == NULL) { error("Too few arguments for verify: " - "missing principal ID"); + "missing principal identity"); exit(1); } return sig_verify(ca_key_path, cert_principals,