author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 03:28:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 14:32:20 +1100 |
commit | 1e645fe767f27725dc7fd7864526de34683f7daf (patch) | |
tree | 61d4230dba514a5a560522c97e424cee60b33156 /ssh-keygen.c | |
parent | 20ccd854245c598e2b47cc9f8d4955d645195055 (diff) |
upstream: prepare for use of ssh-keygen -O flag beyond certs
Move list of available certificate options in ssh-keygen.1 to the
CERTIFICATES section.
Collect options specified by -O but delay parsing/validation of
certificate options until we're sure that we're acting as a CA.
ok markus@
OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 11 |
1 files changed, 8 insertions, 3 deletions
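--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.375 2019/12/30 03:28:41 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2820,7 +2820,8 @@ main(int argc, char **argv)
 int prefer_agent = 0, convert_to = 0, convert_from = 0;
 int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
 unsigned long long ull, cert_serial = 0;
-char *identity_comment = NULL, *ca_key_path = NULL;
+char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
+size_t i, nopts = 0;
 u_int32_t bits = 0;
 uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
 FILE *f;
@@ -2950,7 +2951,9 @@ main(int argc, char **argv)
 check_krl = 1;
 break;
 case 'O':
-add_cert_option(optarg);
+opts = xrecallocarray(opts, nopts, nopts + 1,
+sizeof(*opts));
+opts[nopts++] = xstrdup(optarg);
 break;
 case 'Z':
 openssh_format_cipher = optarg;
@@ -3184,6 +3187,8 @@ main(int argc, char **argv)
 if (ca_key_path != NULL) {
 if (cert_key_id == NULL)
 fatal("Must specify key id (-I) when certifying");
+for (i = 0; i < nopts; i++)
+add_cert_option(opts[i]);
 do_ca_sign(pw, ca_key_path, prefer_agent,
 cert_serial, cert_serial_autoinc, argc, argv);
 }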
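Review bot: A `-O` value given in any mode other than certificate signing is now stored in `opts` and, in the lines shown, never validated, because `add_cert_option()` runs only inside the `ca_key_path != NULL` branch, whereas the old call in `case 'O':` checked every value as it was parsed. A mistyped or misplaced restriction (or `-O` passed without the CA key argument) would then be accepted without any diagnostic, which matters for an option that carries certificate constraints. main() continues outside these hunks, so a later mode may already consume or reject the list; if none does yet, a guard once dispatch has found no consumer, along the lines of `if (nopts != 0) fatal("-O option not supported in this mode");`, would keep the failure loud. A short comment at the collection site, e.g. `/* parsed later, once the operating mode is known */`, would also explain why the value is only copied there.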