Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c194
1 files changed, 104 insertions, 90 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a316bcea..23058ee99 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -165,7 +165,7 @@ int rounds = 0;
165/* argv0 */ 165/* argv0 */
166extern char *__progname; 166extern char *__progname;
167 167
168char hostname[MAXHOSTNAMELEN]; 168char hostname[NI_MAXHOST];
169 169
170/* moduli.c */ 170/* moduli.c */
171int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); 171int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
@@ -195,6 +195,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
195 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); 195 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
196 exit(1); 196 exit(1);
197 } 197 }
198#ifdef WITH_OPENSSL
198 if (type == KEY_DSA && *bitsp != 1024) 199 if (type == KEY_DSA && *bitsp != 1024)
199 fatal("DSA keys must be 1024 bits"); 200 fatal("DSA keys must be 1024 bits");
200 else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) 201 else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@@ -202,6 +203,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
202 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) 203 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
203 fatal("Invalid ECDSA key length - valid lengths are " 204 fatal("Invalid ECDSA key length - valid lengths are "
204 "256, 384 or 521 bits"); 205 "256, 384 or 521 bits");
206#endif
205} 207}
206 208
207static void 209static void
@@ -278,6 +280,7 @@ load_identity(char *filename)
278#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" 280#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
279#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb 281#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
280 282
283#ifdef WITH_OPENSSL
281static void 284static void
282do_convert_to_ssh2(struct passwd *pw, Key *k) 285do_convert_to_ssh2(struct passwd *pw, Key *k)
283{ 286{
@@ -408,7 +411,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
408 Buffer b; 411 Buffer b;
409 Key *key = NULL; 412 Key *key = NULL;
410 char *type, *cipher; 413 char *type, *cipher;
411 u_char *sig, data[] = "abcde12345"; 414 u_char *sig = NULL, data[] = "abcde12345";
412 int magic, rlen, ktype, i1, i2, i3, i4; 415 int magic, rlen, ktype, i1, i2, i3, i4;
413 u_int slen; 416 u_int slen;
414 u_long e; 417 u_long e;
@@ -479,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
479 buffer_get_bignum_bits(&b, key->rsa->iqmp); 482 buffer_get_bignum_bits(&b, key->rsa->iqmp);
480 buffer_get_bignum_bits(&b, key->rsa->q); 483 buffer_get_bignum_bits(&b, key->rsa->q);
481 buffer_get_bignum_bits(&b, key->rsa->p); 484 buffer_get_bignum_bits(&b, key->rsa->p);
482 rsa_generate_additional_parameters(key->rsa); 485 if (rsa_generate_additional_parameters(key->rsa) != 0)
486 fatal("%s: rsa_generate_additional_parameters "
487 "error", __func__);
483 break; 488 break;
484 } 489 }
485 rlen = buffer_len(&b); 490 rlen = buffer_len(&b);
@@ -711,6 +716,7 @@ do_convert_from(struct passwd *pw)
711 key_free(k); 716 key_free(k);
712 exit(0); 717 exit(0);
713} 718}
719#endif
714 720
715static void 721static void
716do_print_public(struct passwd *pw) 722do_print_public(struct passwd *pw)
@@ -981,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw)
981} 987}
982 988
983static void 989static void
984printhost(FILE *f, const char *name, Key *public, int ca, int hash) 990printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
985{ 991{
986 if (print_fingerprint) { 992 if (print_fingerprint) {
987 enum fp_rep rep; 993 enum fp_rep rep;
@@ -1001,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
1001 } else { 1007 } else {
1002 if (hash && (name = host_hash(name, NULL, 0)) == NULL) 1008 if (hash && (name = host_hash(name, NULL, 0)) == NULL)
1003 fatal("hash_host failed"); 1009 fatal("hash_host failed");
1004 fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); 1010 fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
1011 revoked ? REVOKE_MARKER " " : "" , name);
1005 if (!key_write(public, f)) 1012 if (!key_write(public, f))
1006 fatal("key_write failed"); 1013 fatal("key_write failed");
1007 fprintf(f, "\n"); 1014 fprintf(f, "\n");
@@ -1016,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1016 char *cp, *cp2, *kp, *kp2; 1023 char *cp, *cp2, *kp, *kp2;
1017 char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; 1024 char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
1018 int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; 1025 int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
1019 int ca; 1026 int ca, revoked;
1020 int found_key = 0; 1027 int found_key = 0;
1021 1028
1022 if (!have_identity) { 1029 if (!have_identity) {
@@ -1030,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1030 if ((in = fopen(identity_file, "r")) == NULL) 1037 if ((in = fopen(identity_file, "r")) == NULL)
1031 fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); 1038 fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
1032 1039
1040 /* XXX this code is a mess; refactor -djm */
1033 /* 1041 /*
1034 * Find hosts goes to stdout, hash and deletions happen in-place 1042 * Find hosts goes to stdout, hash and deletions happen in-place
1035 * A corner case is ssh-keygen -HF foo, which should go to stdout 1043 * A corner case is ssh-keygen -HF foo, which should go to stdout
@@ -1073,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1073 fprintf(out, "%s\n", cp); 1081 fprintf(out, "%s\n", cp);
1074 continue; 1082 continue;
1075 } 1083 }
1076 /* Check whether this is a CA key */ 1084 /* Check whether this is a CA key or revocation marker */
1077 if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && 1085 if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
1078 (cp[sizeof(CA_MARKER) - 1] == ' ' || 1086 (cp[sizeof(CA_MARKER) - 1] == ' ' ||
1079 cp[sizeof(CA_MARKER) - 1] == '\t')) { 1087 cp[sizeof(CA_MARKER) - 1] == '\t')) {
@@ -1081,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1081 cp += sizeof(CA_MARKER); 1089 cp += sizeof(CA_MARKER);
1082 } else 1090 } else
1083 ca = 0; 1091 ca = 0;
1092 if (strncasecmp(cp, REVOKE_MARKER,
1093 sizeof(REVOKE_MARKER) - 1) == 0 &&
1094 (cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
1095 cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
1096 revoked = 1;
1097 cp += sizeof(REVOKE_MARKER);
1098 } else
1099 revoked = 0;
1084 1100
1085 /* Find the end of the host name portion. */ 1101 /* Find the end of the host name portion. */
1086 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) 1102 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
@@ -1124,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name)
1124 printf("# Host %s found: " 1140 printf("# Host %s found: "
1125 "line %d type %s%s\n", name, 1141 "line %d type %s%s\n", name,
1126 num, key_type(pub), 1142 num, key_type(pub),
1127 ca ? " (CA key)" : ""); 1143 ca ? " (CA key)" :
1128 printhost(out, cp, pub, ca, 0); 1144 revoked? " (revoked)" : "");
1145 printhost(out, cp, pub, ca, revoked, 0);
1129 found_key = 1; 1146 found_key = 1;
1130 } 1147 }
1131 if (delete_host) { 1148 if (delete_host) {
1132 if (!c && !ca) 1149 if (!c || ca || revoked) {
1133 printhost(out, cp, pub, ca, 0); 1150 printhost(out, cp, pub,
1134 else 1151 ca, revoked, 0);
1152 } else {
1135 printf("# Host %s found: " 1153 printf("# Host %s found: "
1136 "line %d type %s\n", name, 1154 "line %d type %s\n", name,
1137 num, key_type(pub)); 1155 num, key_type(pub));
1156 }
1138 } 1157 }
1139 } else if (hash_hosts) 1158 } else if (hash_hosts)
1140 printhost(out, cp, pub, ca, 0); 1159 printhost(out, cp, pub, ca, revoked, 0);
1141 } else { 1160 } else {
1142 if (find_host || delete_host) { 1161 if (find_host || delete_host) {
1143 c = (match_hostname(name, cp, 1162 c = (match_hostname(name, cp,
@@ -1148,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name)
1148 "line %d type %s%s\n", name, 1167 "line %d type %s%s\n", name,
1149 num, key_type(pub), 1168 num, key_type(pub),
1150 ca ? " (CA key)" : ""); 1169 ca ? " (CA key)" : "");
1151 printhost(out, name, pub, 1170 printhost(out, name, pub, ca, revoked,
1152 ca, hash_hosts && !ca); 1171 hash_hosts && !(ca || revoked));
1153 found_key = 1; 1172 found_key = 1;
1154 } 1173 }
1155 if (delete_host) { 1174 if (delete_host) {
1156 if (!c && !ca) 1175 if (!c || ca || revoked) {
1157 printhost(out, cp, pub, ca, 0); 1176 printhost(out, cp, pub,
1158 else 1177 ca, revoked, 0);
1178 } else {
1159 printf("# Host %s found: " 1179 printf("# Host %s found: "
1160 "line %d type %s\n", name, 1180 "line %d type %s\n", name,
1161 num, key_type(pub)); 1181 num, key_type(pub));
1182 }
1162 } 1183 }
1184 } else if (hash_hosts && (ca || revoked)) {
1185 /* Don't hash CA and revoked keys' hostnames */
1186 printhost(out, cp, pub, ca, revoked, 0);
1187 has_unhashed = 1;
1163 } else if (hash_hosts) { 1188 } else if (hash_hosts) {
1189 /* Hash each hostname separately */
1164 for (cp2 = strsep(&cp, ","); 1190 for (cp2 = strsep(&cp, ",");
1165 cp2 != NULL && *cp2 != '\0'; 1191 cp2 != NULL && *cp2 != '\0';
1166 cp2 = strsep(&cp, ",")) { 1192 cp2 = strsep(&cp, ",")) {
1167 if (ca) { 1193 if (strcspn(cp2, "*?!") !=
1168 fprintf(stderr, "Warning: "
1169 "ignoring CA key for host: "
1170 "%.64s\n", cp2);
1171 printhost(out, cp2, pub, ca, 0);
1172 } else if (strcspn(cp2, "*?!") !=
1173 strlen(cp2)) { 1194 strlen(cp2)) {
1174 fprintf(stderr, "Warning: " 1195 fprintf(stderr, "Warning: "
1175 "ignoring host name with " 1196 "ignoring host name with "
1176 "metacharacters: %.64s\n", 1197 "metacharacters: %.64s\n",
1177 cp2); 1198 cp2);
1178 printhost(out, cp2, pub, ca, 0); 1199 printhost(out, cp2, pub, ca,
1179 } else 1200 revoked, 0);
1180 printhost(out, cp2, pub, ca, 1); 1201 has_unhashed = 1;
1202 } else {
1203 printhost(out, cp2, pub, ca,
1204 revoked, 1);
1205 }
1181 } 1206 }
1182 has_unhashed = 1;
1183 } 1207 }
1184 } 1208 }
1185 key_free(pub); 1209 key_free(pub);
@@ -1589,7 +1613,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1589 } 1613 }
1590 } 1614 }
1591 1615
1616#ifdef ENABLE_PKCS11
1592 pkcs11_init(1); 1617 pkcs11_init(1);
1618#endif
1593 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); 1619 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1594 if (pkcs11provider != NULL) { 1620 if (pkcs11provider != NULL) {
1595 if ((ca = load_pkcs11_key(tmp)) == NULL) 1621 if ((ca = load_pkcs11_key(tmp)) == NULL)
@@ -1631,12 +1657,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1631 public->cert->valid_after = cert_valid_from; 1657 public->cert->valid_after = cert_valid_from;
1632 public->cert->valid_before = cert_valid_to; 1658 public->cert->valid_before = cert_valid_to;
1633 if (v00) { 1659 if (v00) {
1634 prepare_options_buf(&public->cert->critical, 1660 prepare_options_buf(public->cert->critical,
1635 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); 1661 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
1636 } else { 1662 } else {
1637 prepare_options_buf(&public->cert->critical, 1663 prepare_options_buf(public->cert->critical,
1638 OPTIONS_CRITICAL); 1664 OPTIONS_CRITICAL);
1639 prepare_options_buf(&public->cert->extensions, 1665 prepare_options_buf(public->cert->extensions,
1640 OPTIONS_EXTENSIONS); 1666 OPTIONS_EXTENSIONS);
1641 } 1667 }
1642 public->cert->signature_key = key_from_private(ca); 1668 public->cert->signature_key = key_from_private(ca);
@@ -1672,7 +1698,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1672 key_free(public); 1698 key_free(public);
1673 free(out); 1699 free(out);
1674 } 1700 }
1701#ifdef ENABLE_PKCS11
1675 pkcs11_terminate(); 1702 pkcs11_terminate();
1703#endif
1676 exit(0); 1704 exit(0);
1677} 1705}
1678 1706
@@ -1820,8 +1848,8 @@ add_cert_option(char *opt)
1820static void 1848static void
1821show_options(const Buffer *optbuf, int v00, int in_critical) 1849show_options(const Buffer *optbuf, int v00, int in_critical)
1822{ 1850{
1823 char *name; 1851 char *name, *arg;
1824 u_char *data; 1852 const u_char *data;
1825 u_int dlen; 1853 u_int dlen;
1826 Buffer options, option; 1854 Buffer options, option;
1827 1855
@@ -1844,9 +1872,9 @@ show_options(const Buffer *optbuf, int v00, int in_critical)
1844 else if ((v00 || in_critical) && 1872 else if ((v00 || in_critical) &&
1845 (strcmp(name, "force-command") == 0 || 1873 (strcmp(name, "force-command") == 0 ||
1846 strcmp(name, "source-address") == 0)) { 1874 strcmp(name, "source-address") == 0)) {
1847 data = buffer_get_string(&option, NULL); 1875 arg = buffer_get_cstring(&option, NULL);
1848 printf(" %s\n", data); 1876 printf(" %s\n", arg);
1849 free(data); 1877 free(arg);
1850 } else { 1878 } else {
1851 printf(" UNKNOWN OPTION (len %u)\n", 1879 printf(" UNKNOWN OPTION (len %u)\n",
1852 buffer_len(&option)); 1880 buffer_len(&option));
@@ -1905,24 +1933,25 @@ do_show_cert(struct passwd *pw)
1905 printf("\n"); 1933 printf("\n");
1906 } 1934 }
1907 printf(" Critical Options: "); 1935 printf(" Critical Options: ");
1908 if (buffer_len(&key->cert->critical) == 0) 1936 if (buffer_len(key->cert->critical) == 0)
1909 printf("(none)\n"); 1937 printf("(none)\n");
1910 else { 1938 else {
1911 printf("\n"); 1939 printf("\n");
1912 show_options(&key->cert->critical, v00, 1); 1940 show_options(key->cert->critical, v00, 1);
1913 } 1941 }
1914 if (!v00) { 1942 if (!v00) {
1915 printf(" Extensions: "); 1943 printf(" Extensions: ");
1916 if (buffer_len(&key->cert->extensions) == 0) 1944 if (buffer_len(key->cert->extensions) == 0)
1917 printf("(none)\n"); 1945 printf("(none)\n");
1918 else { 1946 else {
1919 printf("\n"); 1947 printf("\n");
1920 show_options(&key->cert->extensions, v00, 0); 1948 show_options(key->cert->extensions, v00, 0);
1921 } 1949 }
1922 } 1950 }
1923 exit(0); 1951 exit(0);
1924} 1952}
1925 1953
1954#ifdef WITH_OPENSSL
1926static void 1955static void
1927load_krl(const char *path, struct ssh_krl **krlp) 1956load_krl(const char *path, struct ssh_krl **krlp)
1928{ 1957{
@@ -2145,60 +2174,40 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
2145 ssh_krl_free(krl); 2174 ssh_krl_free(krl);
2146 exit(ret); 2175 exit(ret);
2147} 2176}
2177#endif
2148 2178
2149static void 2179static void
2150usage(void) 2180usage(void)
2151{ 2181{
2152 fprintf(stderr, "usage: %s [options]\n", __progname); 2182 fprintf(stderr,
2153 fprintf(stderr, "Options:\n"); 2183 "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"
2154 fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); 2184 " [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
2155 fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); 2185 " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
2156 fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); 2186 " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
2157 fprintf(stderr, " -b bits Number of bits in the key to create.\n"); 2187 " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
2158 fprintf(stderr, " -C comment Provide new comment.\n"); 2188 " ssh-keygen -y [-f input_keyfile]\n"
2159 fprintf(stderr, " -c Change comment in private and public key files.\n"); 2189 " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
2190 " ssh-keygen -l [-f input_keyfile]\n"
2191 " ssh-keygen -B [-f input_keyfile]\n");
2160#ifdef ENABLE_PKCS11 2192#ifdef ENABLE_PKCS11
2161 fprintf(stderr, " -D pkcs11 Download public key from pkcs11 token.\n"); 2193 fprintf(stderr,
2194 " ssh-keygen -D pkcs11\n");
2162#endif 2195#endif
2163 fprintf(stderr, " -e Export OpenSSH to foreign format key file.\n"); 2196 fprintf(stderr,
2164 fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); 2197 " ssh-keygen -F hostname [-f known_hosts_file] [-l]\n"
2165 fprintf(stderr, " -f filename Filename of the key file.\n"); 2198 " ssh-keygen -H [-f known_hosts_file]\n"
2166 fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); 2199 " ssh-keygen -R hostname [-f known_hosts_file]\n"
2167 fprintf(stderr, " -g Use generic DNS resource record format.\n"); 2200 " ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
2168 fprintf(stderr, " -H Hash names in known_hosts file.\n"); 2201 " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"
2169 fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); 2202 " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"
2170 fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); 2203 " [-j start_line] [-K checkpt] [-W generator]\n"
2171 fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); 2204 " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"
2172 fprintf(stderr, " -J number Screen this number of moduli lines.\n"); 2205 " [-O option] [-V validity_interval] [-z serial_number] file ...\n"
2173 fprintf(stderr, " -j number Start screening moduli at specified line.\n"); 2206 " ssh-keygen -L [-f input_keyfile]\n"
2174 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); 2207 " ssh-keygen -A\n"
2175 fprintf(stderr, " -k Generate a KRL file.\n"); 2208 " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
2176 fprintf(stderr, " -L Print the contents of a certificate.\n"); 2209 " file ...\n"
2177 fprintf(stderr, " -l Show fingerprint of key file.\n"); 2210 " ssh-keygen -Q -f krl_file file ...\n");
2178 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
2179 fprintf(stderr, " -m key_fmt Conversion format for -e/-i (PEM|PKCS8|RFC4716).\n");
2180 fprintf(stderr, " -N phrase Provide new passphrase.\n");
2181 fprintf(stderr, " -n name,... User/host principal names to include in certificate\n");
2182 fprintf(stderr, " -O option Specify a certificate option.\n");
2183 fprintf(stderr, " -o Enforce new private key format.\n");
2184 fprintf(stderr, " -P phrase Provide old passphrase.\n");
2185 fprintf(stderr, " -p Change passphrase of private key file.\n");
2186 fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n");
2187 fprintf(stderr, " -q Quiet.\n");
2188 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
2189 fprintf(stderr, " -r hostname Print DNS resource record.\n");
2190 fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n");
2191 fprintf(stderr, " -s ca_key Certify keys with CA key.\n");
2192 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
2193 fprintf(stderr, " -t type Specify type of key to create.\n");
2194 fprintf(stderr, " -u Update KRL rather than creating a new one.\n");
2195 fprintf(stderr, " -V from:to Specify certificate validity interval.\n");
2196 fprintf(stderr, " -v Verbose.\n");
2197 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
2198 fprintf(stderr, " -y Read private key file and print public key.\n");
2199 fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n");
2200 fprintf(stderr, " -z serial Specify a serial number.\n");
2201
2202 exit(1); 2211 exit(1);
2203} 2212}
2204 2213
@@ -2469,6 +2478,7 @@ main(int argc, char **argv)
2469 printf("Cannot use -l with -H or -R.\n"); 2478 printf("Cannot use -l with -H or -R.\n");
2470 usage(); 2479 usage();
2471 } 2480 }
2481#ifdef WITH_OPENSSL
2472 if (gen_krl) { 2482 if (gen_krl) {
2473 do_gen_krl(pw, update_krl, argc, argv); 2483 do_gen_krl(pw, update_krl, argc, argv);
2474 return (0); 2484 return (0);
@@ -2477,6 +2487,7 @@ main(int argc, char **argv)
2477 do_check_krl(pw, argc, argv); 2487 do_check_krl(pw, argc, argv);
2478 return (0); 2488 return (0);
2479 } 2489 }
2490#endif
2480 if (ca_key_path != NULL) { 2491 if (ca_key_path != NULL) {
2481 if (cert_key_id == NULL) 2492 if (cert_key_id == NULL)
2482 fatal("Must specify key id (-I) when certifying"); 2493 fatal("Must specify key id (-I) when certifying");
@@ -2494,10 +2505,12 @@ main(int argc, char **argv)
2494 do_change_passphrase(pw); 2505 do_change_passphrase(pw);
2495 if (change_comment) 2506 if (change_comment)
2496 do_change_comment(pw); 2507 do_change_comment(pw);
2508#ifdef WITH_OPENSSL
2497 if (convert_to) 2509 if (convert_to)
2498 do_convert_to(pw); 2510 do_convert_to(pw);
2499 if (convert_from) 2511 if (convert_from)
2500 do_convert_from(pw); 2512 do_convert_from(pw);
2513#endif
2501 if (print_public) 2514 if (print_public)
2502 do_print_public(pw); 2515 do_print_public(pw);
2503 if (rr_hostname != NULL) { 2516 if (rr_hostname != NULL) {
@@ -2519,7 +2532,8 @@ main(int argc, char **argv)
2519 _PATH_HOST_DSA_KEY_FILE, rr_hostname); 2532 _PATH_HOST_DSA_KEY_FILE, rr_hostname);
2520 n += do_print_resource_record(pw, 2533 n += do_print_resource_record(pw,
2521 _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); 2534 _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
2522 2535 n += do_print_resource_record(pw,
2536 _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
2523 if (n == 0) 2537 if (n == 0)
2524 fatal("no keys found."); 2538 fatal("no keys found.");
2525 exit(0); 2539 exit(0);
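Review bot: The new `#ifdef WITH_OPENSSL` guards in main() around the gen_krl/check_krl dispatch and around the convert_to/convert_from dispatch compile the handlers out but leave the mode flags themselves untouched, so a build without OpenSSL that is invoked with one of those options falls through to whatever mode follows instead of failing. Option parsing is outside the hunks shown, so I cannot confirm whether those flags are already rejected earlier in a non-OpenSSL build; if they are not, a fail-closed `#else` branch is cheap, e.g. before the `#endif` that follows `do_convert_from(pw);`: `#else` / `if (convert_to || convert_from) fatal("key conversion requires OpenSSL support");`, and likewise `if (gen_krl || check_krl) fatal("KRL support requires OpenSSL");` before the other `#endif`. Separately, the rewritten usage() synopsis no longer mentions `-o`, `-Z cipher` or `-a rounds` for key generation, which the replaced per-option text did document; consider adding them to the first synopsis line. main() begins and ends outside the hunks shown.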