Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 30 |
1 files changed, 23 insertions, 7 deletions
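--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.349 2019/09/06 07:53:40 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.350 2019/09/16 03:23:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2666,8 +2666,9 @@ verify(const char *signature, const char *sig_namespace, const char *principal,
 }
 }
 
-if ((r = sshsig_check_allowed_keys(allowed_keys, sign_key,
-principal, sig_namespace)) != 0) {
+if (allowed_keys != NULL &&
+(r = sshsig_check_allowed_keys(allowed_keys, sign_key,
+principal, sig_namespace)) != 0) {
 debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r));
 goto done;
 }
@@ -2681,9 +2682,15 @@ done:
 fatal("%s: sshkey_fingerprint failed",
 __func__);
 }
-printf("Good \"%s\" signature for %s with %s key %s\n",
-sig_namespace, principal,
-sshkey_type(sign_key), fp);
+if (principal == NULL) {
+printf("Good \"%s\" signature with %s key %s\n",
+sig_namespace, sshkey_type(sign_key), fp);
+
+} else {
+printf("Good \"%s\" signature for %s with %s key %s\n",
+sig_namespace, principal,
+sshkey_type(sign_key), fp);
+}
 } else {
 printf("Could not verify signature.\n");
 }
@@ -2735,7 +2742,8 @@ usage(void)
 " ssh-keygen -Q -f krl_file file ...\n"
 " ssh-keygen -Y sign -f sign_key -n namespace\n"
 " ssh-keygen -Y verify -I signer_identity -s signature_file\n"
-" -n namespace -f allowed_keys [-r revoked_keys]\n");
+" -n namespace -f allowed_keys [-r revoked_keys]\n"
+" ssh-keygen -Y check-novalidate -s signature_file -n namespace\n");
 exit(1);
 }
 
@@ -3034,6 +3042,14 @@ main(int argc, char **argv)
 exit(1);
 }
 return sign(identity_file, cert_principals, argc, argv);
+} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
+if (ca_key_path == NULL) {
+error("Too few arguments for check-novalidate: "
+"missing signature file");
+exit(1);
+}
+return verify(ca_key_path, cert_principals,
+NULL, NULL, NULL);
 } else if (strncmp(sign_op, "verify", 6) == 0) {
 if (ca_key_path == NULL) {
 error("Too few arguments for verify: "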