From ec77c954c8c7b7cebab0e263b1a43bf6b789ecfb Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Wed, 9 Jan 2013 15:58:00 +1100
Subject: - djm@cvs.openbsd.org 2013/01/03 23:22:58 [ssh-keygen.c] allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... ok markus@
---
 ssh-keygen.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
 (limited to 'ssh-keygen.c')
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 1bbe0b0a8..106f1536d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.220 2012/12/03 00:14:06 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.221 2013/01/03 23:22:58 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland
@@ -723,15 +723,30 @@ do_download(struct passwd *pw)
 #ifdef ENABLE_PKCS11
 Key **keys = NULL;
 int i, nkeys;
+ enum fp_rep rep;
+ enum fp_type fptype;
+ char *fp, *ra;
 pkcs11_init(0);
 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
 if (nkeys <= 0)
 fatal("cannot read public key from pkcs11");
 for (i = 0; i < nkeys; i++) {
- key_write(keys[i], stdout);
+ if (print_fingerprint) {
+ fp = key_fingerprint(keys[i], fptype, rep);
+ ra = key_fingerprint(keys[i], SSH_FP_MD5,
+ SSH_FP_RANDOMART);
+ printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
+ fp, key_type(keys[i]));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ printf("%s\n", ra);
+ xfree(ra);
+ xfree(fp);
+ } else {
+ key_write(keys[i], stdout);
+ fprintf(stdout, "\n");
+ }
 key_free(keys[i]);
- fprintf(stdout, "\n");
 }
 xfree(keys);
 pkcs11_terminate();
@@ -2177,7 +2192,7 @@ main(int argc, char **argv)
 usage();
 }
 if (print_fingerprint && (delete_host || hash_hosts)) {
- printf("Cannot use -l with -D or -R.\n");
+ printf("Cannot use -l with -H or -R.\n");
 usage();
 }
 if (ca_key_path != NULL) {
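Review bot: In the do_download() hunk, `fptype` and `rep` are declared by the added lines but never assigned before `key_fingerprint(keys[i], fptype, rep)` runs in the loop, so the call reads indeterminate values (undefined behaviour) and the fingerprint an operator compares against a token key may come out in an arbitrary hash or representation. Both should be set before `pkcs11_init(0)`, for example `fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;` and `rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;`; that is the mapping I would expect do_fingerprint() to use, which is not shown on this page. The random-art string `ra` is also computed for every key although it is printed only when `log_level >= SYSLOG_LEVEL_VERBOSE`, so it could be built and freed inside that check. do_download() starts before this hunk and continues past it.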
@@ -2189,6 +2204,8 @@ main(int argc, char **argv)
 do_show_cert(pw);
 if (delete_host || hash_hosts || find_host)
 do_known_hosts(pw, rr_hostname);
+ if (pkcs11provider != NULL)
+ do_download(pw);
 if (print_fingerprint || print_bubblebabble)
 do_fingerprint(pw);
 if (change_passphrase)
@@ -2226,8 +2243,6 @@ main(int argc, char **argv)
 exit(0);
 }
 }
- if (pkcs11provider != NULL)
- do_download(pw);
 if (do_gen_candidates) {
 FILE *out = fopen(out_file, "w");
-- 
cgit v1.2.3
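Review bot: The relocated `if (pkcs11provider != NULL) do_download(pw);` in main() now sits ahead of `do_fingerprint(pw)`, so `-l -D` only behaves as intended if do_download() never returns, and nothing in the visible lines states that. The end of do_download() is outside this diff, so this is inferred; if it does exit, a comment such as `/* do_download() exits; keep it before do_fingerprint() so -lD fingerprints token keys */` would record the ordering dependency. do_download() also tests only `print_fingerprint`, while this dispatch treats `print_fingerprint || print_bubblebabble` as fingerprint mode, so `-B` together with `-D` appears to fall into the `key_write()` branch and print public keys instead of a fingerprint. main() starts and ends outside the hunk.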