2 files changed, 60 insertions, 6 deletions

diff --git a/ssh-add.1 b/ssh-add.1
index d5da9279c..35ab04426 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-add.1,v 1.66 2017/08/29 13:05:58 jmc Exp $
+.\"     $OpenBSD: ssh-add.1,v 1.67 2019/01/20 22:03:29 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2017 $
+.Dd $Mdocdate: January 20 2019 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Nd adds private key identities to the authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl cDdkLlqXx
+.Op Fl cDdkLlqTXx
 .Op Fl E Ar fingerprint_hash
 .Op Fl t Ar life
 .Op Ar
@@ -51,6 +51,10 @@
 .Fl s Ar pkcs11
 .Nm ssh-add
 .Fl e Ar pkcs11
+.Nm ssh-add
+.Fl T
+.Ar pubkey
+.Op Ar ...
 .Sh DESCRIPTION
 .Nm
 adds private key identities to the authentication agent,
@@ -131,6 +135,10 @@ Be quiet after a successful operation.
 .It Fl s Ar pkcs11
 Add keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+.It Fl T Ar pubkey Op Ar ...
+Tests whether the private keys that correspond to the specified
+.Ar pubkey
+files are usable by performing sign and verify operations on each.
 .It Fl t Ar life
 Set a maximum lifetime when adding identities to an agent.
 The lifetime may be specified in seconds or in a time format
diff --git a/ssh-add.c b/ssh-add.c
index 50165e7d6..eb2552ad5 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.136 2018/09/19 02:03:02 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.137 2019/01/20 22:03:29 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -418,6 +418,40 @@ update_card(int agent_fd, int add, const char *id, int qflag)
 }
 
 static int
+test_key(int agent_fd, const char *filename)
+{
+        struct sshkey *key = NULL;
+        u_char *sig = NULL;
+        size_t slen = 0;
+        int r, ret = -1;
+        char data[1024];
+
+        if ((r = sshkey_load_public(filename, &key, NULL)) != 0) {
+                error("Couldn't read public key %s: %s", filename, ssh_err(r));
+                return -1;
+        }
+        arc4random_buf(data, sizeof(data));
+        if ((r = ssh_agent_sign(agent_fd, key, &sig, &slen, data, sizeof(data),
+            NULL, 0)) != 0) {
+                error("Agent signature failed for %s: %s",
+                    filename, ssh_err(r));
+                goto done;
+        }
+        if ((r = sshkey_verify(key, sig, slen, data, sizeof(data),
+            NULL, 0)) != 0) {
+                error("Signature verification failed for %s: %s",
+                    filename, ssh_err(r));
+                goto done;
+        }
+        /* success */
+        ret = 0;
+ done:
+        free(sig);
+        sshkey_free(key);
+        return ret;
+}
+
+static int
 list_identities(int agent_fd, int do_fp)
 {
         char *fp;
@@ -524,6 +558,7 @@ usage(void)
         fprintf(stderr, "  -X          Unlock agent.\n");
         fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
         fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
+        fprintf(stderr, "  -T pubkey   Test if ssh-agent can access matching private key.\n");
         fprintf(stderr, "  -q          Be quiet after a successful operation.\n");
 }
 
@@ -535,7 +570,7 @@ main(int argc, char **argv)
         int agent_fd;
         char *pkcs11provider = NULL;
         int r, i, ch, deleting = 0, ret = 0, key_only = 0;
-        int xflag = 0, lflag = 0, Dflag = 0, qflag = 0;
+        int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0;
 
         ssh_malloc_init();      /* must be called before any mallocs */
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -559,7 +594,7 @@ main(int argc, char **argv)
                 exit(2);
         }
 
-        while ((ch = getopt(argc, argv, "klLcdDxXE:e:M:m:qs:t:")) != -1) {
+        while ((ch = getopt(argc, argv, "klLcdDTxXE:e:M:m:qs:t:")) != -1) {
                 switch (ch) {
                 case 'E':
                         fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -623,6 +658,9 @@ main(int argc, char **argv)
                 case 'q':
                         qflag = 1;
                         break;
+                case 'T':
+                        Tflag = 1;
+                        break;
                 default:
                         usage();
                         ret = 1;
@@ -648,6 +686,14 @@ main(int argc, char **argv)
 
         argc -= optind;
         argv += optind;
+        if (Tflag) {
+                if (argc <= 0)
+                        fatal("no keys to test");
+                for (r = i = 0; i < argc; i++)
+                        r |= test_key(agent_fd, argv[i]);
+                ret = r == 0 ? 0 : 1;
+                goto done;
+        }
         if (pkcs11provider != NULL) {
                 if (update_card(agent_fd, !deleting, pkcs11provider,
                     qflag) == -1)