From f2b70cad7585a67f7098119ccb6ae31573f2dc60 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 5 Mar 2010 07:39:35 +1100 Subject: - djm@cvs.openbsd.org 2010/03/04 20:35:08 [ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@ --- ChangeLog | 3 ++ ssh-keygen.1 | 10 ++++-- ssh-keygen.c | 115 ++++++++++++++++++++++++++++++++++++++++++++++++++++------- 3 files changed, 114 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index ab7f88fe2..3f0ba4237 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - jmc@cvs.openbsd.org 2010/03/04 12:51:25 [ssh.1 sshd_config.5] tweak previous; + - djm@cvs.openbsd.org 2010/03/04 20:35:08 + [ssh-keygen.1 ssh-keygen.c] + Add a -L flag to print the contents of a certificate; ok markus@ 20100304 - (djm) [ssh-keygen.c] Use correct local variable, instead of diff --git a/ssh-keygen.1 b/ssh-keygen.1 index d704f0660..dccf5eabc 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.85 2010/02/26 22:09:28 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.86 2010/03/04 20:35:08 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 26 2010 $ +.Dd $Mdocdate: March 4 2010 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -115,6 +115,10 @@ .Op Fl O Ar constraint .Op Fl V Ar validity_interval .Ar +.Nm ssh-keygen +.Bk -words +.Fl L +.Op Fl f Ar input_keyfile .Ek .Sh DESCRIPTION .Nm @@ -275,6 +279,8 @@ also reads the RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. +.It Fl L +Prints the contents of a certificate. .It Fl l Show fingerprint of specified public key file. Private RSA1 keys are also supported. diff --git a/ssh-keygen.c b/ssh-keygen.c index c2120bbc1..492c301d3 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.181 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.182 2010/03/04 20:35:08 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -82,6 +82,9 @@ int find_host = 0; /* Flag indicating that we want to delete a host from a known_hosts file */ int delete_host = 0; +/* Flag indicating that we want to show the contents of a certificate */ +int show_cert = 0; + /* Flag indicating that we just want to see the key fingerprint */ int print_fingerprint = 0; int print_bubblebabble = 0; @@ -1063,7 +1066,7 @@ do_change_comment(struct passwd *pw) } static const char * -fmt_validity(void) +fmt_validity(u_int64_t valid_from, u_int64_t valid_to) { char from[32], to[32]; static char ret[64]; @@ -1071,28 +1074,27 @@ fmt_validity(void) struct tm *tm; *from = *to = '\0'; - if (cert_valid_from == 0 && - cert_valid_to == 0xffffffffffffffffULL) + if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) return "forever"; - if (cert_valid_from != 0) { + if (valid_from != 0) { /* XXX revisit INT_MAX in 2038 :) */ - tt = cert_valid_from > INT_MAX ? INT_MAX : cert_valid_from; + tt = valid_from > INT_MAX ? INT_MAX : valid_from; tm = localtime(&tt); strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); } - if (cert_valid_to != 0xffffffffffffffffULL) { + if (valid_to != 0xffffffffffffffffULL) { /* XXX revisit INT_MAX in 2038 :) */ - tt = cert_valid_to > INT_MAX ? INT_MAX : cert_valid_to; + tt = valid_to > INT_MAX ? INT_MAX : valid_to; tm = localtime(&tt); strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); } - if (cert_valid_from == 0) { + if (valid_from == 0) { snprintf(ret, sizeof(ret), "before %s", to); return ret; } - if (cert_valid_to == 0xffffffffffffffffULL) { + if (valid_to == 0xffffffffffffffffULL) { snprintf(ret, sizeof(ret), "after %s", from); return ret; } @@ -1216,7 +1218,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) out, cert_key_id, cert_principals != NULL ? " for " : "", cert_principals != NULL ? cert_principals : "", - fmt_validity()); + fmt_validity(cert_valid_from, cert_valid_to)); key_free(public); xfree(out); @@ -1365,6 +1367,89 @@ add_cert_constraint(char *opt) fatal("Unsupported certificate constraint \"%s\"", opt); } +static void +do_show_cert(struct passwd *pw) +{ + Key *key; + struct stat st; + char *key_fp, *ca_fp; + Buffer constraints, constraint; + u_char *name, *data; + u_int i, dlen; + + if (!have_identity) + ask_filename(pw, "Enter file in which the key is"); + if (stat(identity_file, &st) < 0) { + perror(identity_file); + exit(1); + } + if ((key = key_load_public(identity_file, NULL)) == NULL) + fatal("%s is not a public key", identity_file); + if (!key_is_cert(key)) + fatal("%s is not a certificate", identity_file); + + key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + ca_fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); + + printf("%s:\n", identity_file); + printf(" %s certificate %s\n", key_type(key), key_fp); + printf(" Signed by %s CA %s\n", + key_type(key->cert->signature_key), ca_fp); + printf(" Key ID \"%s\"\n", key->cert->key_id); + printf(" Valid: %s\n", + fmt_validity(key->cert->valid_after, key->cert->valid_before)); + printf(" Principals: "); + if (key->cert->nprincipals == 0) + printf("(none)\n"); + else { + for (i = 0; i < key->cert->nprincipals; i++) + printf("\n %s", + key->cert->principals[i]); + printf("\n"); + } + printf(" Constraints: "); + if (buffer_len(&key->cert->constraints) == 0) + printf("(none)\n"); + else { + printf("\n"); + buffer_init(&constraints); + buffer_append(&constraints, + buffer_ptr(&key->cert->constraints), + buffer_len(&key->cert->constraints)); + buffer_init(&constraint); + while (buffer_len(&constraints) != 0) { + name = buffer_get_string(&constraints, NULL); + data = buffer_get_string_ptr(&constraints, &dlen); + buffer_append(&constraint, data, dlen); + printf(" %s", name); + if (strcmp(name, "permit-X11-forwarding") == 0 || + strcmp(name, "permit-agent-forwarding") == 0 || + strcmp(name, "permit-port-forwarding") == 0 || + strcmp(name, "permit-pty") == 0 || + strcmp(name, "permit-user-rc") == 0) + printf("\n"); + else if (strcmp(name, "force-command") == 0 || + strcmp(name, "source-address") == 0) { + data = buffer_get_string(&constraint, NULL); + printf(" %s\n", data); + xfree(data); + } else { + printf(" UNKNOWN CONSTRAINT (len %u)\n", + buffer_len(&constraint)); + buffer_clear(&constraint); + } + xfree(name); + if (buffer_len(&constraint) != 0) + fatal("Constraint corrupt: extra data at end"); + } + buffer_free(&constraint); + buffer_free(&constraints); + } + + exit(0); +} + static void usage(void) { @@ -1387,6 +1472,7 @@ usage(void) fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); + fprintf(stderr, " -L Print the contents of a certificate.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); @@ -1453,7 +1539,7 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "degiqpclBHhvxXyF:b:f:t:D:I:P:N:n:" + while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:" "O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) { switch (opt) { case 'b': @@ -1476,6 +1562,9 @@ main(int argc, char **argv) delete_host = 1; rr_hostname = optarg; break; + case 'L': + show_cert = 1; + break; case 'l': print_fingerprint = 1; break; @@ -1629,6 +1718,8 @@ main(int argc, char **argv) fatal("Must specify key id (-I) when certifying"); do_ca_sign(pw, argc, argv); } + if (show_cert) + do_show_cert(pw); if (delete_host || hash_hosts || find_host) do_known_hosts(pw, rr_hostname); if (print_fingerprint || print_bubblebabble) -- cgit v1.2.3