tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: allow auto-incrementing certificate serial number for certs 

signed in a single commandline.

OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
This commit is contained in:
djm@openbsd.org 2019-01-23 04:51:02 +00:00 committed by Damien Miller
parent 851f803289
commit be063945e4
2 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.155 2019/01/22 11:40:42 djm Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.156 2019/01/23 04:51:02 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: January 22 2019 $
.Dd $Mdocdate: January 23 2019 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@ -640,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
.It Fl z Ar serial_number
Specifies a serial number to be embedded in the certificate to distinguish
this certificate from others from the same CA.
If the
.Ar serial_number
is prefixed with a
.Sq +
character, then the serial number will be incremented for each certificate
signed on a single command-line.
The default serial number is zero.
.Pp
When generating a KRL, the

17
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.326 2019/01/23 04:51:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1645,7 +1645,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,
static void
do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
unsigned long long cert_serial, int argc, char **argv)
unsigned long long cert_serial, int cert_serial_autoinc,
int argc, char **argv)
{
int r, i, fd, found, agent_fd = -1;
u_int n;
@ -1785,6 +1786,8 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
sshkey_free(public);
free(out);
if (cert_serial_autoinc)
cert_serial++;
}
#ifdef ENABLE_PKCS11
pkcs11_terminate();
@ -2414,7 +2417,7 @@ main(int argc, char **argv)
int find_host = 0, delete_host = 0, hash_hosts = 0;
int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
int prefer_agent = 0, convert_to = 0, convert_from = 0;
int print_public = 0, print_generic = 0;
int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
unsigned long long cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL;
u_int bits = 0;
@ -2610,6 +2613,10 @@ main(int argc, char **argv)
break;
case 'z':
errno = 0;
if (*optarg == '+') {
cert_serial_autoinc = 1;
optarg++;
}
cert_serial = strtoull(optarg, &ep, 10);
if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
(errno == ERANGE && cert_serial == ULLONG_MAX))
@ -2700,8 +2707,8 @@ main(int argc, char **argv)
if (ca_key_path != NULL) {
if (cert_key_id == NULL)
fatal("Must specify key id (-I) when certifying");
do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial,
argc, argv);
do_ca_sign(pw, ca_key_path, prefer_agent,
cert_serial, cert_serial_autoinc, argc, argv);
}
if (show_cert)
do_show_cert(pw);