upstream: allow auto-incrementing certificate serial number for certs

signed in a single commandline. OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
2019-01-23 04:51:02 +00:00 · 2019-01-23 04:51:02 +00:00 · be063945e4
parent 851f803289
commit be063945e4
2 changed files with 20 additions and 7 deletions
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.155 2019/01/22 11:40:42 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.156 2019/01/23 04:51:02 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2019 $
+.Dd $Mdocdate: January 23 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@ -640,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
 If the
 .Ar serial_number
 is prefixed with a
 .Sq +
 character, then the serial number will be incremented for each certificate
 signed on a single command-line.
 The default serial number is zero.
 .Pp
 When generating a KRL, the
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.326 2019/01/23 04:51:02 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1645,7 +1645,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,
 static void
 do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
-    unsigned long long cert_serial, int argc, char **argv)
+    unsigned long long cert_serial, int cert_serial_autoinc,
    int argc, char **argv)
 {
 	int r, i, fd, found, agent_fd = -1;
 	u_int n;
@ -1785,6 +1786,8 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 		sshkey_free(public);
 		free(out);
 		if (cert_serial_autoinc)
 			cert_serial++;
 	}
 #ifdef ENABLE_PKCS11
 	pkcs11_terminate();
@ -2414,7 +2417,7 @@ main(int argc, char **argv)
 	int find_host = 0, delete_host = 0, hash_hosts = 0;
 	int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
 	int prefer_agent = 0, convert_to = 0, convert_from = 0;
-	int print_public = 0, print_generic = 0;
+	int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
 	unsigned long long cert_serial = 0;
 	char *identity_comment = NULL, *ca_key_path = NULL;
 	u_int bits = 0;
@ -2610,6 +2613,10 @@ main(int argc, char **argv)
 			break;
 		case 'z':
 			errno = 0;
 			if (*optarg == '+') {
 				cert_serial_autoinc = 1;
 				optarg++;
 			}
 			cert_serial = strtoull(optarg, &ep, 10);
 			if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
 			    (errno == ERANGE && cert_serial == ULLONG_MAX))
@ -2700,8 +2707,8 @@ main(int argc, char **argv)
 	if (ca_key_path != NULL) {
 		if (cert_key_id == NULL)
 			fatal("Must specify key id (-I) when certifying");
-		do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial,
+		do_ca_sign(pw, ca_key_path, prefer_agent,
-		    argc, argv);
+		    cert_serial, cert_serial_autoinc, argc, argv);
 	}
 	if (show_cert)
 		do_show_cert(pw);