Bugzilla – Attachment 2717 Details for
Bug 2472
Add support to load additional certificates
[patch]
Patch part 3/3
0003-ssh-add-Support-adding-an-additional-certificate.patch (text/plain), 5.21 KB, created by
Thomas Jarosch
on 2015-09-26 02:14:30 AEST
Description:
Patch part 3/3
Filename:
MIME Type:
Creator:
Thomas Jarosch
Created:
2015-09-26 02:14:30 AEST
Size:
5.21 KB
patch
obsolete
>From 514d58e2f8eea0869713c64cbe019a6c51251aee Mon Sep 17 00:00:00 2001
>From: Thomas Jarosch <thomas.jarosch@intra2net.com>
>Date: Fri, 25 Sep 2015 18:03:24 +0200
>Subject: [PATCH 3/3] ssh-add: Support adding an additional certificate
>
>New cmdline switch "-p":
>Load additional certificate for already loaded private key.
>Will refuse to load the certificate if no matching key is found.
>Useful if the private key is stored on a PKCS#11 hardware token.
>
>Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
>---
> ssh-add.1 | 4 ++++
> ssh-add.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
> 2 files changed, 64 insertions(+), 6 deletions(-)
>
>diff --git a/ssh-add.1 b/ssh-add.1
>index f02b595..298b9b6 100644
>--- a/ssh-add.1
>+++ b/ssh-add.1
>@@ -122,6 +122,10 @@ Remove keys provided by the PKCS#11 shared library
> .It Fl k
> When loading keys into or deleting keys from the agent, process plain private
> keys only and skip certificates.
>+.It Fl p
>+Load additional certificate for already loaded private key.
>+Will refuse to load the certificate if no matching key is found.
>+Useful if the private key is stored on a PKCS#11 hardware token.
> .It Fl L
> Lists public key parameters of all identities currently represented
> by the agent.
>diff --git a/ssh-add.c b/ssh-add.c
>index d8d6481..f97f411 100644
>--- a/ssh-add.c
>+++ b/ssh-add.c
>@@ -180,6 +180,49 @@ delete_all(int agent_fd)
> }
>
> static int
>+add_certificate_only(int agent_fd, const char *filename)
>+{
>+ struct sshkey *cert = NULL;
>+ char *comment = NULL;
>+ int r, ret = -1;
>+
>+ /* Load certificate */
>+ if ((r = sshkey_load_public(filename, &cert, &comment)) != 0) {
>+ if (r != SSH_ERR_SYSTEM_ERROR || errno != ENOENT)
>+ error("Failed to load certificate \"%s\": %s",
>+ filename, ssh_err(r));
>+ goto out;
>+ }
>+ if (!sshkey_is_cert(cert)) {
>+ error("Not a certificate: %s", filename);
>+ goto out;
>+ }
>+
>+ /* Add empty private key fields for serialization */
>+ if ((r = sshkey_add_private(cert)) != 0)
>+ goto out;
>+
>+ if ((r = ssh_add_identity_constrained(agent_fd, cert, comment,
>+ lifetime, confirm)) != 0) {
>+ error("Certificate %s (%s) add failed: %s", filename,
>+ cert->cert->key_id, ssh_err(r));
>+ goto out;
>+ }
>+ ret = 0;
>+ fprintf(stderr, "Certificate added: %s (%s)\n", filename,
>+ cert->cert->key_id);
>+ if (lifetime != 0)
>+ fprintf(stderr, "Lifetime set to %d seconds\n", lifetime);
>+ if (confirm != 0)
>+ fprintf(stderr, "The user must confirm each use of the key\n");
>+ out:
>+ free(comment);
>+ sshkey_free(cert);
>+
>+ return ret;
>+}
>+
>+static int
> add_file(int agent_fd, const char *filename, int key_only)
> {
> struct sshkey *private, *cert;
>@@ -442,13 +485,16 @@ lock_agent(int agent_fd, int lock)
> }
>
> static int
>-do_file(int agent_fd, int deleting, int key_only, char *file)
>+do_file(int agent_fd, int deleting, int key_only, int cert_only, char *file)
> {
> if (deleting) {
> if (delete_file(agent_fd, file, key_only) == -1)
> return -1;
> } else {
>- if (add_file(agent_fd, file, key_only) == -1)
>+ if (cert_only) {
>+ if (add_certificate_only(agent_fd, file) == -1)
>+ return -1;
>+ } else if (add_file(agent_fd, file, key_only) == -1)
> return -1;
> }
> return 0;
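Review bot: Two failure paths in add_certificate_only() return -1 with nothing on stderr: a missing file, because the ENOENT case is suppressed (presumably copied from add_file's handling of an optional -cert.pub sidecar, whose body is outside this hunk), and a failing sshkey_add_private(); here the file was named explicitly by the user, so ssh-add exits 1 silently. Make both paths report, e.g. `error("Failed to load certificate \"%s\": %s", filename, ssh_err(r));` unconditionally, and `error("Failed to prepare certificate \"%s\": %s", filename, ssh_err(r));` before the second goto. The commit message promises the certificate is refused when no matching private key is loaded, but nothing in this hunk checks that, so it must be the agent's job — a comment above the ssh_add_identity_constrained() call such as `/* The agent is expected to reject a certificate with no matching key; nothing is verified client-side. */` would stop a reader assuming the client validated it. The deleting branch of do_file never looks at cert_only, which is worth a one-line comment since it is only safe while main() rejects the combination.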
>@@ -463,6 +509,7 @@ usage(void)
> fprintf(stderr, " -E hash Specify hash algorithm used for fingerprints.\n");
> fprintf(stderr, " -L List public key parameters of all identities.\n");
> fprintf(stderr, " -k Load only keys and not certificates.\n");
>+ fprintf(stderr, " -p Load additional certificate. Private key must be loaded.\n");
> fprintf(stderr, " -c Require confirmation to sign using identities\n");
> fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
> fprintf(stderr, " -d Delete identity.\n");
>@@ -480,7 +527,7 @@ main(int argc, char **argv)
> extern int optind;
> int agent_fd;
> char *pkcs11provider = NULL;
>- int r, i, ch, deleting = 0, ret = 0, key_only = 0;
>+ int r, i, ch, deleting = 0, ret = 0, key_only = 0, cert_only = 0;
> int xflag = 0, lflag = 0, Dflag = 0;
>
> /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
>@@ -508,7 +555,7 @@ main(int argc, char **argv)
> exit(2);
> }
>
>- while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
>+ while ((ch = getopt(argc, argv, "kplLcdDxXE:e:s:t:")) != -1) {
> switch (ch) {
> case 'E':
> fingerprint_hash = ssh_digest_alg_by_name(optarg);
>@@ -516,8 +563,15 @@ main(int argc, char **argv)
> fatal("Invalid hash algorithm \"%s\"", optarg);
> break;
> case 'k':
>+ if (cert_only)
>+ fatal("-k and -p are incompatible");
> key_only = 1;
> break;
>+ case 'p':
>+ if (key_only)
>+ fatal("-k and -p are incompatible");
>+ cert_only = 1;
>+ break;
> case 'l':
> case 'L':
> if (lflag != 0)
>@@ -601,7 +655,7 @@ main(int argc, char **argv)
> default_files[i]);
> if (stat(buf, &st) < 0)
> continue;
>- if (do_file(agent_fd, deleting, key_only, cert_only, buf) == -1)
> ret = 1;
> else
> count++;
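Review bot: In the `@@ -601` hunk, giving -p without a file argument makes the default-identity loop pass each existing default private-key path (buf built from default_files[i]) to add_certificate_only(), which presumably cannot succeed and will instead produce one error per default key and set ret = 1; -p only makes sense with an explicit certificate path, so reject the no-argument case before this loop with `if (cert_only) fatal("-p requires a certificate file argument");` (the branch that decides between argv and default_files is outside this hunk). In the getopt cases -p is only checked against -k; combined with -d or -D it is accepted and then silently ignored, because do_file's deleting branch does not consult cert_only, so that combination deserves the same fatal() treatment. The usage line could also follow the man page wording, `" -p Load additional certificate for an already loaded private key.\n"`, so the two stay consistent.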
>@@ -610,7 +664,7 @@ main(int argc, char **argv)
> ret = 1;
> } else {
> for (i = 0; i < argc; i++) {
>- if (do_file(agent_fd, deleting, key_only,
>+ if (do_file(agent_fd, deleting, key_only, cert_only,
> argv[i]) == -1)
> ret = 1;
> }
>--
>2.4.3
>