=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.449 retrieving revision 1.451 diff -u -r1.449 -r1.451 --- src/usr.bin/ssh/ssh-keygen.c 2022/03/18 02:31:25 1.449 +++ src/usr.bin/ssh/ssh-keygen.c 2022/05/08 22:58:35 1.451 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.451 2022/05/08 22:58:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2439,7 +2439,8 @@ char *privpath = xstrdup(keypath); static const char * const suffixes[] = { "-cert.pub", ".pub", NULL }; struct sshkey *ret = NULL, *privkey = NULL; - int r; + int r, waspub = 0; + struct stat st; /* * If passed a public key filename, then try to locate the corresponding @@ -2454,11 +2455,17 @@ privpath[plen - slen] = '\0'; debug_f("%s looks like a public key, using private key " "path %s instead", keypath, privpath); + waspub = 1; } - if ((privkey = load_identity(privpath, NULL)) == NULL) { - error("Couldn't load identity %s", keypath); - goto done; - } + if (waspub && stat(privpath, &st) != 0 && errno == ENOENT) + fatal("No private key found for public key \"%s\"", keypath); + if ((r = sshkey_load_private(privpath, "", &privkey, NULL)) != 0 && + (r != SSH_ERR_KEY_WRONG_PASSPHRASE)) { + debug_fr(r, "load private key \"%s\"", privpath); + fatal("No private key found for \"%s\"", privpath); + } else if (privkey == NULL) + privkey = load_identity(privpath, NULL); + if (!sshkey_equal_public(pubkey, privkey)) { error("Public key %s doesn't match private %s", keypath, privpath); @@ -3512,6 +3519,7 @@ return sig_sign(identity_file, cert_principals, argc, argv, opts, nopts); } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { + /* NB. cert_principals is actually namespace, via -n */ if (cert_principals == NULL || *cert_principals == '\0') { error("Too few arguments for check-novalidate: "