diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-01-23 04:51:02 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-01-23 19:03:05 +1100 |
| commit | be063945e4e7d46b1734d973bf244c350fae172a (patch) | |
| tree | 636c38761962bb0cd74b809fe896ccba88c18268 | |
| parent | 851f80328931975fe68f71af363c4537cb896da2 (diff) | |
| download | openssh-git-be063945e4e7d46b1734d973bf244c350fae172a.tar.gz | |
upstream: allow auto-incrementing certificate serial number for certs
signed in a single commandline.
OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
| -rw-r--r-- | ssh-keygen.1 | 10 | ||||
| -rw-r--r-- | ssh-keygen.c | 17 |
2 files changed, 20 insertions, 7 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 474f4294..0c284a29 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.155 2019/01/22 11:40:42 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.156 2019/01/23 04:51:02 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 22 2019 $ +.Dd $Mdocdate: January 23 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -640,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout. .It Fl z Ar serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. +If the +.Ar serial_number +is prefixed with a +.Sq + +character, then the serial number will be incremented for each certificate +signed on a single command-line. The default serial number is zero. .Pp When generating a KRL, the diff --git a/ssh-keygen.c b/ssh-keygen.c index ffb92fd9..992491f1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.326 2019/01/23 04:51:02 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1645,7 +1645,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp, static void do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, - unsigned long long cert_serial, int argc, char **argv) + unsigned long long cert_serial, int cert_serial_autoinc, + int argc, char **argv) { int r, i, fd, found, agent_fd = -1; u_int n; @@ -1785,6 +1786,8 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, sshkey_free(public); free(out); + if (cert_serial_autoinc) + cert_serial++; } #ifdef ENABLE_PKCS11 pkcs11_terminate(); @@ -2414,7 +2417,7 @@ main(int argc, char **argv) int find_host = 0, delete_host = 0, hash_hosts = 0; int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; int prefer_agent = 0, convert_to = 0, convert_from = 0; - int print_public = 0, print_generic = 0; + int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; unsigned long long cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL; u_int bits = 0; @@ -2610,6 +2613,10 @@ main(int argc, char **argv) break; case 'z': errno = 0; + if (*optarg == '+') { + cert_serial_autoinc = 1; + optarg++; + } cert_serial = strtoull(optarg, &ep, 10); if (*optarg < '0' || *optarg > '9' || *ep != '\0' || (errno == ERANGE && cert_serial == ULLONG_MAX)) @@ -2700,8 +2707,8 @@ main(int argc, char **argv) if (ca_key_path != NULL) { if (cert_key_id == NULL) fatal("Must specify key id (-I) when certifying"); - do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial, - argc, argv); + do_ca_sign(pw, ca_key_path, prefer_agent, + cert_serial, cert_serial_autoinc, argc, argv); } if (show_cert) do_show_cert(pw); |