Diffstat (limited to 'ssh-add.c')
-rw-r--r-- | ssh-add.c | 54 |
1 files changed, 38 insertions, 16 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-add.c,v 1.90 2007/09/09 11:38:01 sobrado Exp $ */ | 1 | /* $OpenBSD: ssh-add.c,v 1.94 2010/03/01 11:07:06 otto Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -138,9 +138,9 @@ delete_all(AuthenticationConnection *ac) | |||
138 | static int | 138 | static int |
139 | add_file(AuthenticationConnection *ac, const char *filename) | 139 | add_file(AuthenticationConnection *ac, const char *filename) |
140 | { | 140 | { |
141 | Key *private; | 141 | Key *private, *cert; |
142 | char *comment = NULL; | 142 | char *comment = NULL; |
143 | char msg[1024]; | 143 | char msg[1024], *certpath; |
144 | int fd, perms_ok, ret = -1; | 144 | int fd, perms_ok, ret = -1; |
145 | 145 | ||
146 | if ((fd = open(filename, O_RDONLY)) < 0) { | 146 | if ((fd = open(filename, O_RDONLY)) < 0) { |
@@ -195,13 +195,37 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
195 | if (confirm != 0) | 195 | if (confirm != 0) |
196 | fprintf(stderr, | 196 | fprintf(stderr, |
197 | "The user has to confirm each use of the key\n"); | 197 | "The user has to confirm each use of the key\n"); |
198 | } else if (ssh_add_identity(ac, private, comment)) { | ||
199 | fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); | ||
200 | ret = 0; | ||
201 | } else { | 198 | } else { |
202 | fprintf(stderr, "Could not add identity: %s\n", filename); | 199 | fprintf(stderr, "Could not add identity: %s\n", filename); |
203 | } | 200 | } |
204 | 201 | ||
202 | |||
203 | /* Now try to add the certificate flavour too */ | ||
204 | xasprintf(&certpath, "%s-cert.pub", filename); | ||
205 | if ((cert = key_load_public(certpath, NULL)) != NULL) { | ||
206 | /* Graft with private bits */ | ||
207 | if (key_to_certified(private) != 0) | ||
208 | fatal("%s: key_to_certified failed", __func__); | ||
209 | key_cert_copy(cert, private); | ||
210 | key_free(cert); | ||
211 | |||
212 | if (ssh_add_identity_constrained(ac, private, comment, | ||
213 | lifetime, confirm)) { | ||
214 | fprintf(stderr, "Certificate added: %s (%s)\n", | ||
215 | certpath, private->cert->key_id); | ||
216 | if (lifetime != 0) | ||
217 | fprintf(stderr, "Lifetime set to %d seconds\n", | ||
218 | lifetime); | ||
219 | if (confirm != 0) | ||
220 | fprintf(stderr, "The user has to confirm each " | ||
221 | "use of the key\n"); | ||
222 | } else { | ||
223 | error("Certificate %s (%s) add failed", certpath, | ||
224 | private->cert->key_id); | ||
225 | } | ||
226 | } | ||
227 | |||
228 | xfree(certpath); | ||
205 | xfree(comment); | 229 | xfree(comment); |
206 | key_free(private); | 230 | key_free(private); |
207 | 231 | ||
@@ -214,7 +238,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) | |||
214 | char *pin; | 238 | char *pin; |
215 | int ret = -1; | 239 | int ret = -1; |
216 | 240 | ||
217 | pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN); | 241 | pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN); |
218 | if (pin == NULL) | 242 | if (pin == NULL) |
219 | return -1; | 243 | return -1; |
220 | 244 | ||
@@ -320,10 +344,8 @@ usage(void) | |||
320 | fprintf(stderr, " -X Unlock agent.\n"); | 344 | fprintf(stderr, " -X Unlock agent.\n"); |
321 | fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n"); | 345 | fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n"); |
322 | fprintf(stderr, " -c Require confirmation to sign using identities\n"); | 346 | fprintf(stderr, " -c Require confirmation to sign using identities\n"); |
323 | #ifdef SMARTCARD | 347 | fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n"); |
324 | fprintf(stderr, " -s reader Add key in smartcard reader.\n"); | 348 | fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n"); |
325 | fprintf(stderr, " -e reader Remove key in smartcard reader.\n"); | ||
326 | #endif | ||
327 | } | 349 | } |
328 | 350 | ||
329 | int | 351 | int |
@@ -332,7 +354,7 @@ main(int argc, char **argv) | |||
332 | extern char *optarg; | 354 | extern char *optarg; |
333 | extern int optind; | 355 | extern int optind; |
334 | AuthenticationConnection *ac = NULL; | 356 | AuthenticationConnection *ac = NULL; |
335 | char *sc_reader_id = NULL; | 357 | char *pkcs11provider = NULL; |
336 | int i, ch, deleting = 0, ret = 0; | 358 | int i, ch, deleting = 0, ret = 0; |
337 | 359 | ||
338 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 360 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
@@ -374,11 +396,11 @@ main(int argc, char **argv) | |||
374 | ret = 1; | 396 | ret = 1; |
375 | goto done; | 397 | goto done; |
376 | case 's': | 398 | case 's': |
377 | sc_reader_id = optarg; | 399 | pkcs11provider = optarg; |
378 | break; | 400 | break; |
379 | case 'e': | 401 | case 'e': |
380 | deleting = 1; | 402 | deleting = 1; |
381 | sc_reader_id = optarg; | 403 | pkcs11provider = optarg; |
382 | break; | 404 | break; |
383 | case 't': | 405 | case 't': |
384 | if ((lifetime = convtime(optarg)) == -1) { | 406 | if ((lifetime = convtime(optarg)) == -1) { |
@@ -395,8 +417,8 @@ main(int argc, char **argv) | |||
395 | } | 417 | } |
396 | argc -= optind; | 418 | argc -= optind; |
397 | argv += optind; | 419 | argv += optind; |
398 | if (sc_reader_id != NULL) { | 420 | if (pkcs11provider != NULL) { |
399 | if (update_card(ac, !deleting, sc_reader_id) == -1) | 421 | if (update_card(ac, !deleting, pkcs11provider) == -1) |
400 | ret = 1; | 422 | ret = 1; |
401 | goto done; | 423 | goto done; |
402 | } | 424 | } |
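Review bot: In the add_file hunk, the certificate loaded from `certpath` is grafted onto `private` via `key_cert_copy(cert, private)` without first checking that the certificate's public key is actually this private key's, so a stale or wrong `<key>-cert.pub` sitting beside the key is loaded into the agent as a certified identity whose signatures cannot verify against the certificate. The block also runs even when the plain identity add just failed (the `else` branch above it sets no `ret`), and if `key_to_certified` can fail for a loaded key type, the `fatal` on the next line takes the whole ssh-add run down rather than skipping that certificate. I would compare the public parts before grafting (OpenSSH's key.c provides `key_equal_public` for this — confirm it is present in this tree) and report the mismatch instead of proceeding. add_file's return and the `ret` handling are outside the hunk.
```c
	if ((cert = key_load_public(certpath, NULL)) != NULL) {
		if (!key_equal_public(cert, private)) {
			error("Certificate %s does not match private key %s",
			    certpath, filename);
			key_free(cert);
		} else {
			/* … unchanged: key_to_certified, key_cert_copy, key_free(cert),
			 * ssh_add_identity_constrained and its reporting … */
		}
	}
```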