upstream commit

support multiple certificates (one per line) and
 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@

Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db

ssh-keygen.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.128 2015/11/05 09:48:05 jmc Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.129 2015/11/13 04:34:15 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 5 2015 $
+.Dd $Mdocdate: November 13 2015 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -376,7 +376,7 @@ using the format described in the
 .Sx KEY REVOCATION LISTS
 section.
 .It Fl L
-Prints the contents of a certificate.
+Prints the contents of one or more certificates.
 .It Fl l
 Show fingerprint of specified public key file.
 Private RSA1 keys are also supported.

ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.278 2015/11/13 04:34:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1851,23 +1851,10 @@ show_options(struct sshbuf *optbuf, int in_critical)
 }
 
 static void
-do_show_cert(struct passwd *pw)
+print_cert(struct sshkey *key)
 {
-	struct sshkey *key;
-	struct stat st;
 	char *key_fp, *ca_fp;
 	u_int i;
-	int r;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0)
-		fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
-	if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)
-		fatal("Cannot load public key \"%s\": %s",
-		    identity_file, ssh_err(r));
-	if (!sshkey_is_cert(key))
-		fatal("%s is not a certificate", identity_file);
 
 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 	ca_fp = sshkey_fingerprint(key->cert->signature_key,
@@ -1875,7 +1862,6 @@ do_show_cert(struct passwd *pw)
 	if (key_fp == NULL || ca_fp == NULL)
 		fatal("%s: sshkey_fingerprint fail", __func__);
 
-	printf("%s:\n", identity_file);
 	printf("        Type: %s %s certificate\n", sshkey_ssh_name(key),
 	    sshkey_cert_type(key));
 	printf("        Public key: %s %s\n", sshkey_type(key), key_fp);
@@ -1908,7 +1894,60 @@ do_show_cert(struct passwd *pw)
 		printf("\n");
 		show_options(key->cert->extensions, 0);
 	}
-	exit(0);
+}
+
+static void
+do_show_cert(struct passwd *pw)
+{
+	struct sshkey *key = NULL;
+	struct stat st;
+	int r, is_stdin = 0, ok = 0;
+	FILE *f;
+	char *cp, line[2048];
+	const char *path;
+	long int lnum = 0;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)
+		fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
+
+	path = identity_file;
+	if (strcmp(path, "-") == 0) {
+		f = stdin;
+		path = "(stdin)";
+		is_stdin = 1;
+	} else if ((f = fopen(identity_file, "r")) == NULL)
+		fatal("fopen %s: %s", identity_file, strerror(errno));
+
+	while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {
+		sshkey_free(key);
+		key = NULL;
+		/* Trim leading space and comments */
+		cp = line + strspn(line, " \t");
+		if (*cp == '#' || *cp == '\0')
+			continue;
+		if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
+			fatal("key_new");
+		if ((r = sshkey_read(key, &cp)) != 0) {
+			error("%s:%lu: invalid key: %s", path,
+			    lnum, ssh_err(r));
+			continue;
+		}
+		if (!sshkey_is_cert(key)) {
+			error("%s:%lu is not a certificate", path, lnum);
+			continue;
+		}
+		ok = 1;
+		if (!is_stdin && lnum == 1)
+			printf("%s:\n", path);
+		else
+			printf("%s:%lu:\n", path, lnum);
+		print_cert(key);
+	}
+	sshkey_free(key);
+	fclose(f);
+	exit(ok ? 0 : 1);
 }
 
 static void