when loading PKCS#11 keys, include the key fingerprints and provider/slot

information in debug output.

1 files changed, 22 insertions, 3 deletions

diff --git a/usr.bin/ssh/ssh-pkcs11.c b/usr.bin/ssh/ssh-pkcs11.c
index 12de6dcd079..cc8ab3a5c9e 100644
--- a/usr.bin/ssh/ssh-pkcs11.c
+++ b/usr.bin/ssh/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.51 2020/10/18 11:32:02 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.52 2020/11/22 22:38:26 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -36,6 +36,7 @@
 #include "misc.h"
 #include "sshkey.h"
 #include "ssh-pkcs11.h"
+#include "digest.h"
 #include "xmalloc.h"
 
 struct pkcs11_slotinfo {
@@ -1057,6 +1058,22 @@ have_rsa_key(const RSA *rsa)
 }
 #endif
 
+static void
+note_key(struct pkcs11_provider *p, CK_ULONG slotidx, const char *context,
+    struct sshkey *key)
+{
+	char *fp;
+
+	if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+	    SSH_FP_DEFAULT)) == NULL) {
+		error_f("sshkey_fingerprint failed");
+		return;
+	}
+	debug2("%s: provider %s slot %lu: %s %s", context, p->name,
+	    (u_long)slotidx, sshkey_type(key), fp);
+	free(fp);
+}
+
 /*
  * lookup certificates for token in slot identified by slotidx,
  * add 'wrapped' public keys to the 'keysp' array and increment nkeys.
@@ -1132,8 +1149,9 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
 			    ck_cert_type);
 			continue;
 		}
-
+		note_key(p, slotidx, __func__, key);
 		if (pkcs11_key_included(keysp, nkeys, key)) {
+			debug2_f("key already included");;
 			sshkey_free(key);
 		} else {
 			/* expand key array and add key */
@@ -1243,8 +1261,9 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
 			error("failed to fetch key");
 			continue;
 		}
-
+		note_key(p, slotidx, __func__, key);
 		if (pkcs11_key_included(keysp, nkeys, key)) {
+			debug2_f("key already included");;
 			sshkey_free(key);
 		} else {
 			/* expand key array and add key */