upstream: allow auto-incrementing certificate serial number for certs

signed in a single commandline.

OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b

2 files changed, 20 insertions, 7 deletions

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 474f4294a..0c284a295 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.155 2019/01/22 11:40:42 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.156 2019/01/23 04:51:02 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2019 $
+.Dd $Mdocdate: January 23 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -640,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
+If the
+.Ar serial_number
+is prefixed with a
+.Sq +
+character, then the serial number will be incremented for each certificate
+signed on a single command-line.
 The default serial number is zero.
 .Pp
 When generating a KRL, the
diff --git a/ssh-keygen.c b/ssh-keygen.c
index ffb92fd94..992491f15 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.326 2019/01/23 04:51:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1645,7 +1645,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,
 
 static void
 do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
-    unsigned long long cert_serial, int argc, char **argv)
+    unsigned long long cert_serial, int cert_serial_autoinc,
+    int argc, char **argv)
 {
         int r, i, fd, found, agent_fd = -1;
         u_int n;
@@ -1785,6 +1786,8 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 
                 sshkey_free(public);
                 free(out);
+                if (cert_serial_autoinc)
+                        cert_serial++;
         }
 #ifdef ENABLE_PKCS11
         pkcs11_terminate();
@@ -2414,7 +2417,7 @@ main(int argc, char **argv)
         int find_host = 0, delete_host = 0, hash_hosts = 0;
         int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
         int prefer_agent = 0, convert_to = 0, convert_from = 0;
-        int print_public = 0, print_generic = 0;
+        int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
         unsigned long long cert_serial = 0;
         char *identity_comment = NULL, *ca_key_path = NULL;
         u_int bits = 0;
@@ -2610,6 +2613,10 @@ main(int argc, char **argv)
                         break;
                 case 'z':
                         errno = 0;
+                        if (*optarg == '+') {
+                                cert_serial_autoinc = 1;
+                                optarg++;
+                        }
                         cert_serial = strtoull(optarg, &ep, 10);
                         if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
                             (errno == ERANGE && cert_serial == ULLONG_MAX))
@@ -2700,8 +2707,8 @@ main(int argc, char **argv)
         if (ca_key_path != NULL) {
                 if (cert_key_id == NULL)
                         fatal("Must specify key id (-I) when certifying");
-                do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial,
-                    argc, argv);
+                do_ca_sign(pw, ca_key_path, prefer_agent,
+                    cert_serial, cert_serial_autoinc, argc, argv);
         }
         if (show_cert)
                 do_show_cert(pw);