summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ssh-keygen.124
-rw-r--r--ssh-keygen.c30
2 files changed, 44 insertions, 10 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 081158546..f8dafb3aa 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.166 2019/09/05 05:47:23 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.167 2019/09/16 03:23:02 djm Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: September 5 2019 $ 38.Dd $Mdocdate: September 16 2019 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -149,10 +149,14 @@
149.Nm ssh-keygen 149.Nm ssh-keygen
150.Fl Y Cm verify 150.Fl Y Cm verify
151.Fl I Ar signer_identity 151.Fl I Ar signer_identity
152.Fl f Ar allowed_keys_file 152.Fl f Ar allowed_signers_file
153.Fl n Ar namespace 153.Fl n Ar namespace
154.Fl s Ar signature_file 154.Fl s Ar signature_file
155.Op Fl r Ar revocation_file 155.Op Fl r Ar revocation_file
156.Nm ssh-keygen
157.Fl Y Cm check-novalidate
158.Fl s Ar signature_file
159.Fl n Ar namespace
156.Ek 160.Ek
157.Sh DESCRIPTION 161.Sh DESCRIPTION
158.Nm 162.Nm
@@ -716,6 +720,20 @@ flag.
716The revocation file may be a KRL or a one-per-line list of public keys. 720The revocation file may be a KRL or a one-per-line list of public keys.
717Successful verification by an authorized signer is signalled by 721Successful verification by an authorized signer is signalled by
718.Nm 722.Nm
723.It Fl Y Cm check-novalidate
724Checks that a signature generated using
725.Nm
726.Fl Y Cm sign
727has a valid structure.
728This does not validate if a signature comes from an authorized signer.
729When testing a signature,
730.Nm
731accepts a message on standard input and a signature namespace using
732.Fl n .
733A file containing the corresponding signature must also be supplied using the
734.Fl s
735flag. Successful testing of the signature is signalled by
736.Nm
719returning a zero exit status. 737returning a zero exit status.
720.It Fl z Ar serial_number 738.It Fl z Ar serial_number
721Specifies a serial number to be embedded in the certificate to distinguish 739Specifies a serial number to be embedded in the certificate to distinguish
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 570f31795..0dfad08c4 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.349 2019/09/06 07:53:40 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.350 2019/09/16 03:23:02 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2666,8 +2666,9 @@ verify(const char *signature, const char *sig_namespace, const char *principal,
2666 } 2666 }
2667 } 2667 }
2668 2668
2669 if ((r = sshsig_check_allowed_keys(allowed_keys, sign_key, 2669 if (allowed_keys != NULL &&
2670 principal, sig_namespace)) != 0) { 2670 (r = sshsig_check_allowed_keys(allowed_keys, sign_key,
2671 principal, sig_namespace)) != 0) {
2671 debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r)); 2672 debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r));
2672 goto done; 2673 goto done;
2673 } 2674 }
@@ -2681,9 +2682,15 @@ done:
2681 fatal("%s: sshkey_fingerprint failed", 2682 fatal("%s: sshkey_fingerprint failed",
2682 __func__); 2683 __func__);
2683 } 2684 }
2684 printf("Good \"%s\" signature for %s with %s key %s\n", 2685 if (principal == NULL) {
2685 sig_namespace, principal, 2686 printf("Good \"%s\" signature with %s key %s\n",
2686 sshkey_type(sign_key), fp); 2687 sig_namespace, sshkey_type(sign_key), fp);
2688
2689 } else {
2690 printf("Good \"%s\" signature for %s with %s key %s\n",
2691 sig_namespace, principal,
2692 sshkey_type(sign_key), fp);
2693 }
2687 } else { 2694 } else {
2688 printf("Could not verify signature.\n"); 2695 printf("Could not verify signature.\n");
2689 } 2696 }
@@ -2735,7 +2742,8 @@ usage(void)
2735 " ssh-keygen -Q -f krl_file file ...\n" 2742 " ssh-keygen -Q -f krl_file file ...\n"
2736 " ssh-keygen -Y sign -f sign_key -n namespace\n" 2743 " ssh-keygen -Y sign -f sign_key -n namespace\n"
2737 " ssh-keygen -Y verify -I signer_identity -s signature_file\n" 2744 " ssh-keygen -Y verify -I signer_identity -s signature_file\n"
2738 " -n namespace -f allowed_keys [-r revoked_keys]\n"); 2745 " -n namespace -f allowed_keys [-r revoked_keys]\n"
2746 " ssh-keygen -Y check-novalidate -s signature_file -n namespace\n");
2739 exit(1); 2747 exit(1);
2740} 2748}
2741 2749
@@ -3034,6 +3042,14 @@ main(int argc, char **argv)
3034 exit(1); 3042 exit(1);
3035 } 3043 }
3036 return sign(identity_file, cert_principals, argc, argv); 3044 return sign(identity_file, cert_principals, argc, argv);
3045 } else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
3046 if (ca_key_path == NULL) {
3047 error("Too few arguments for check-novalidate: "
3048 "missing signature file");
3049 exit(1);
3050 }
3051 return verify(ca_key_path, cert_principals,
3052 NULL, NULL, NULL);
3037 } else if (strncmp(sign_op, "verify", 6) == 0) { 3053 } else if (strncmp(sign_op, "verify", 6) == 0) {
3038 if (ca_key_path == NULL) { 3054 if (ca_key_path == NULL) {
3039 error("Too few arguments for verify: " 3055 error("Too few arguments for verify: "