diff options
| author |   djm <djm@openbsd.org> | 2015-11-13 04:34:15 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2015-11-13 04:34:15 +0000 |
| commit | 231344ba966cee7853448685631ec45ed81b2225 (patch) | |
| tree | a6ecaee7e382d75e57bb2c1abf7b221af8e6fa36 | |
| parent | list a couple more options usable in Match blocks; bz#2489 (diff) | |
| download | wireguard-openbsd-231344ba966cee7853448685631ec45ed81b2225.tar.xz wireguard-openbsd-231344ba966cee7853448685631ec45ed81b2225.zip | |
support multiple certificates (one per line) and reading from
standard input (using "-f -") for "ssh-keygen -L";
ok dtucker@
| -rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 6 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 73 |
2 files changed, 59 insertions, 20 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index ffa946b385b..74b3124f57c 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.128 2015/11/05 09:48:05 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.129 2015/11/13 04:34:15 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 5 2015 $ +.Dd $Mdocdate: November 13 2015 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -376,7 +376,7 @@ using the format described in the .Sx KEY REVOCATION LISTS section. .It Fl L -Prints the contents of a certificate. +Prints the contents of one or more certificates. .It Fl l Show fingerprint of specified public key file. Private RSA1 keys are also supported. diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index dc84393f68e..1bd67217c30 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.278 2015/11/13 04:34:15 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1836,23 +1836,10 @@ show_options(struct sshbuf *optbuf, int in_critical) } static void -do_show_cert(struct passwd *pw) +print_cert(struct sshkey *key) { - struct sshkey *key; - struct stat st; char *key_fp, *ca_fp; u_int i; - int r; - - if (!have_identity) - ask_filename(pw, "Enter file in which the key is"); - if (stat(identity_file, &st) < 0) - fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); - if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0) - fatal("Cannot load public key \"%s\": %s", - identity_file, ssh_err(r)); - if (!sshkey_is_cert(key)) - fatal("%s is not a certificate", identity_file); key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = sshkey_fingerprint(key->cert->signature_key, @@ -1860,7 +1847,6 @@ do_show_cert(struct passwd *pw) if (key_fp == NULL || ca_fp == NULL) fatal("%s: sshkey_fingerprint fail", __func__); - printf("%s:\n", identity_file); printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), sshkey_cert_type(key)); printf(" Public key: %s %s\n", sshkey_type(key), key_fp); @@ -1893,7 +1879,60 @@ do_show_cert(struct passwd *pw) printf("\n"); show_options(key->cert->extensions, 0); } - exit(0); +} + +static void +do_show_cert(struct passwd *pw) +{ + struct sshkey *key = NULL; + struct stat st; + int r, is_stdin = 0, ok = 0; + FILE *f; + char *cp, line[2048]; + const char *path; + long int lnum = 0; + + if (!have_identity) + ask_filename(pw, "Enter file in which the key is"); + if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + + path = identity_file; + if (strcmp(path, "-") == 0) { + f = stdin; + path = "(stdin)"; + is_stdin = 1; + } else if ((f = fopen(identity_file, "r")) == NULL) + fatal("fopen %s: %s", identity_file, strerror(errno)); + + while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) { + sshkey_free(key); + key = NULL; + /* Trim leading space and comments */ + cp = line + strspn(line, " \t"); + if (*cp == '#' || *cp == '\0') + continue; + if ((key = sshkey_new(KEY_UNSPEC)) == NULL) + fatal("key_new"); + if ((r = sshkey_read(key, &cp)) != 0) { + error("%s:%lu: invalid key: %s", path, + lnum, ssh_err(r)); + continue; + } + if (!sshkey_is_cert(key)) { + error("%s:%lu is not a certificate", path, lnum); + continue; + } + ok = 1; + if (!is_stdin && lnum == 1) + printf("%s:\n", path); + else + printf("%s:%lu:\n", path, lnum); + print_cert(key); + } + sshkey_free(key); + fclose(f); + exit(ok ? 0 : 1); } #ifdef WITH_OPENSSL |