tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: when verifying sshsig signatures, support an option 

(-Oprint-pubkey) to dump the full public key to stdout; based on patch from
Fabian Stelzer; ok markus@

OpenBSD-Commit-ID: 0598000e5b9adfb45d42afa76ff80daaa12fc3e2
This commit is contained in:
djm@openbsd.org 2021-08-11 08:54:17 +00:00 committed by Damien Miller
parent 750c1a45ba
commit b9f4635ea5
2 changed files with 23 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.215 2021/07/23 06:01:17 jmc Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.216 2021/08/11 08:54:17 djm Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: July 23 2021 $ .Dd $Mdocdate: August 11 2021 $
.Dt SSH-KEYGEN 1 .Dt SSH-KEYGEN 1
.Os .Os
.Sh NAME .Sh NAME
@ -537,6 +537,8 @@ When performing signature-related options using the
.Fl Y .Fl Y
flag, the following options are accepted: flag, the following options are accepted:
.Bl -tag -width Ds .Bl -tag -width Ds
.It Cm print-pubkey
Print the full public key to standard output after signature verification.
.It Cm verify-time Ns = Ns Ar timestamp .It Cm verify-time Ns = Ns Ar timestamp
Specifies a time to use when validating signatures instead of the current Specifies a time to use when validating signatures instead of the current
time. time.

23
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.434 2021/07/24 02:51:14 dtucker Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2673,12 +2673,14 @@ done:
} }
static int static int
sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep) sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,
int *print_pubkey)
{ {
size_t i; size_t i;
time_t now; time_t now;
*verify_timep = 0; *verify_timep = 0;
*print_pubkey = 0;
for (i = 0; i < nopts; i++) { for (i = 0; i < nopts; i++) {
if (strncasecmp(opts[i], "verify-time=", 12) == 0) { if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
if (parse_absolute_time(opts[i] + 12, if (parse_absolute_time(opts[i] + 12,
@ -2686,6 +2688,9 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep)
error("Invalid \"verify-time\" option"); error("Invalid \"verify-time\" option");
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
} }
} else if (print_pubkey &&
strcasecmp(opts[i], "print-pubkey") == 0) {
*print_pubkey = 1;
} else { } else {
error("Invalid option \"%s\"", opts[i]); error("Invalid option \"%s\"", opts[i]);
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
@ -2707,13 +2712,14 @@ sig_verify(const char *signature, const char *sig_namespace,
char * const *opts, size_t nopts) char * const *opts, size_t nopts)
{ {
int r, ret = -1; int r, ret = -1;
int print_pubkey = 0;
struct sshbuf *sigbuf = NULL, *abuf = NULL; struct sshbuf *sigbuf = NULL, *abuf = NULL;
struct sshkey *sign_key = NULL; struct sshkey *sign_key = NULL;
char *fp = NULL; char *fp = NULL;
struct sshkey_sig_details *sig_details = NULL; struct sshkey_sig_details *sig_details = NULL;
uint64_t verify_time = 0; uint64_t verify_time = 0;
if (sig_process_opts(opts, nopts, &verify_time) != 0) if (sig_process_opts(opts, nopts, &verify_time, &print_pubkey) != 0)
goto done; /* error already logged */ goto done; /* error already logged */
memset(&sig_details, 0, sizeof(sig_details)); memset(&sig_details, 0, sizeof(sig_details));
@ -2774,6 +2780,15 @@ done:
printf("Could not verify signature.\n"); printf("Could not verify signature.\n");
} }
} }
/* Print the signature key if requested */
if (ret == 0 && print_pubkey && sign_key != NULL) {
if ((r = sshkey_write(sign_key, stdout)) == 0)
fputc('\n', stdout);
else {
error_r(r, "Could not print public key.\n");
ret = -1;
}
}
sshbuf_free(sigbuf); sshbuf_free(sigbuf);
sshbuf_free(abuf); sshbuf_free(abuf);
sshkey_free(sign_key); sshkey_free(sign_key);
@ -2792,7 +2807,7 @@ sig_find_principals(const char *signature, const char *allowed_keys,
char *principals = NULL, *cp, *tmp; char *principals = NULL, *cp, *tmp;
uint64_t verify_time = 0; uint64_t verify_time = 0;
if (sig_process_opts(opts, nopts, &verify_time) != 0) if (sig_process_opts(opts, nopts, &verify_time, NULL) != 0)
goto done; /* error already logged */ goto done; /* error already logged */
if ((r = sshbuf_load_file(signature, &abuf)) != 0) { if ((r = sshbuf_load_file(signature, &abuf)) != 0) {