===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshkey.c,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- src/usr.bin/ssh/sshkey.c	2019/10/31 21:15:14	1.85
+++ src/usr.bin/ssh/sshkey.c	2019/10/31 21:23:19	1.86
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.85 2019/10/31 21:15:14 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.86 2019/10/31 21:23:19 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -52,6 +52,7 @@
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
 #include "match.h"
+#include "ssh-sk.h"
 
 #ifdef WITH_XMSS
 #include "sshkey-xmss.h"
@@ -2611,7 +2612,8 @@
 
 int
 sshkey_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
-    const u_char *data, size_t datalen, const char *alg, u_int compat)
+    const u_char *data, size_t datalen,
+    const char *alg, const char *sk_provider, u_int compat)
 {
 	int was_shielded = sshkey_is_shielded(key);
 	int r2, r = SSH_ERR_INTERNAL_ERROR;
@@ -2634,6 +2636,11 @@
 	case KEY_ECDSA:
 		r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
 		break;
+	case KEY_ECDSA_SK_CERT:
+	case KEY_ECDSA_SK:
+		r = sshsk_ecdsa_sign(sk_provider, key, sigp, lenp,
+		    data, datalen, compat);
+		break;
 	case KEY_RSA_CERT:
 	case KEY_RSA:
 		r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
@@ -2751,7 +2758,7 @@
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
-    sshkey_certify_signer *signer, void *signer_ctx)
+    const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx)
 {
 	struct sshbuf *principals = NULL;
 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2881,7 +2888,7 @@
 
 	/* Sign the whole mess */
 	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-	    sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
+	    sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0)
 		goto out;
 	/* Check and update signature_type against what was actually used */
 	if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
@@ -2911,17 +2918,20 @@
 static int
 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
     const u_char *data, size_t datalen,
-    const char *alg, u_int compat, void *ctx)
+    const char *alg, const char *sk_provider, u_int compat, void *ctx)
 {
 	if (ctx != NULL)
 		return SSH_ERR_INVALID_ARGUMENT;
-	return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
+	return sshkey_sign(key, sigp, lenp, data, datalen, alg,
+	    sk_provider, compat);
 }
 
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
+    const char *sk_provider)
 {
-	return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
+	return sshkey_certify_custom(k, ca, alg, sk_provider,
+	    default_key_sign, NULL);
 }
 
 int
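Review bot: In the new KEY_ECDSA_SK / KEY_ECDSA_SK_CERT case of sshkey_sign(), `sk_provider` is handed to sshsk_ecdsa_sign() with no check in this function, and the other callers in this diff (default_key_sign, sshkey_certify) only forward whatever they were given, so a NULL provider for an SK key reaches the helper. Unless sshsk_ecdsa_sign() is known to reject NULL itself (not visible here), keeping the failure in-band with the rest of the switch is cheap: `if (sk_provider == NULL) { r = SSH_ERR_INVALID_ARGUMENT; break; }` ahead of the call. Since the provider is presumably loaded as code into the signing process, a one-line comment on the case stating that the path must come from trusted local configuration rather than from peer-supplied data would also help future callers. The body of sshkey_sign() starts and ends outside this hunk.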
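Review bot: The header comment on sshkey_certify_custom() still reads `/* Sign a certified key, (re-)generating the signed certblob. */` and says nothing about the new `sk_provider` parameter or when it may be NULL. Based on what this diff shows (the value is only passed through to `signer`, and the default signer only consults it for *-sk key types in sshkey_sign), I would extend it to: `/* Sign a certified key, (re-)generating the signed certblob. sk_provider is passed through to signer; with the default signer it is only consulted when ca is a security-key (*-sk) key and may be NULL otherwise. */`. The function body continues past the end of this hunk.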
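Review bot: sshkey_certify() and default_key_sign() gain a `sk_provider` parameter in this hunk without any comment describing it, and default_key_sign()'s new signature implies the sshkey_certify_signer callback type in sshkey.h (not part of this diff) changed shape too, so every other implementation of that callback has to be updated in the same commit or it will fail to compile against the new prototype. A short comment above sshkey_certify() would close the documentation gap: `/* Certify k with ca using the default in-process signer; sk_provider is only consulted when ca is a security-key (*-sk) key and may be NULL otherwise. */`. The trailing `int` context line belongs to the next function, which starts outside this hunk.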