From b9f4635ea5bc33ed5ebbacf332d79bae463b0f54 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" 
Date: Wed, 11 Aug 2021 08:54:17 +0000
Subject: upstream: when verifying sshsig signatures, support an option (-Oprint-pubkey) to dump the full public key to stdout; based on patch from Fabian Stelzer; ok markus@
OpenBSD-Commit-ID: 0598000e5b9adfb45d42afa76ff80daaa12fc3e2
---
 ssh-keygen.1 |  6 ++++--
 ssh-keygen.c | 23 +++++++++++++++++++----
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c157186a..f83f515f 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.215 2021/07/23 06:01:17 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.216 2021/08/11 08:54:17 djm Exp $
 .\"
 .\" Author: Tatu Ylonen 
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 23 2021 $
+.Dd $Mdocdate: August 11 2021 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -537,6 +537,8 @@ When performing signature-related options using the
 .Fl Y
 flag, the following options are accepted:
 .Bl -tag -width Ds
+.It Cm print-pubkey
+Print the full public key to standard output after signature verification.
 .It Cm verify-time Ns = Ns Ar timestamp
 Specifies a time to use when validating signatures instead of the
 current time.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 07910115..18e9f1d1 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.434 2021/07/24 02:51:14 dtucker Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
 /*
  * Author: Tatu Ylonen 
  * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland
@@ -2673,12 +2673,14 @@ done:
 }
 
 static int
-sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep)
+sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,
+    int *print_pubkey)
 {
 	size_t i;
 	time_t now;
 
 	*verify_timep = 0;
+	*print_pubkey = 0;
 	for (i = 0; i < nopts; i++) {
 		if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
 			if (parse_absolute_time(opts[i] + 12,
@@ -2686,6 +2688,9 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep)
 				error("Invalid \"verify-time\" option");
 				return SSH_ERR_INVALID_ARGUMENT;
 			}
+		} else if (print_pubkey &&
+		    strcasecmp(opts[i], "print-pubkey") == 0) {
+			*print_pubkey = 1;
 		} else {
 			error("Invalid option \"%s\"", opts[i]);
 			return SSH_ERR_INVALID_ARGUMENT;
@@ -2707,13 +2712,14 @@ sig_verify(const char *signature, const char *sig_namespace,
     char * const *opts, size_t nopts)
 {
 	int r, ret = -1;
+	int print_pubkey = 0;
 	struct sshbuf *sigbuf = NULL, *abuf = NULL;
 	struct sshkey *sign_key = NULL;
 	char *fp = NULL;
 	struct sshkey_sig_details *sig_details = NULL;
 	uint64_t verify_time = 0;
 
-	if (sig_process_opts(opts, nopts, &verify_time) != 0)
+	if (sig_process_opts(opts, nopts, &verify_time, &print_pubkey) != 0)
 		goto done; /* error already logged */
 
 	memset(&sig_details, 0, sizeof(sig_details));
@@ -2774,6 +2780,15 @@ done:
 			printf("Could not verify signature.\n");
 		}
 	}
+	/* Print the signature key if requested */
+	if (ret == 0 && print_pubkey && sign_key != NULL) {
+		if ((r = sshkey_write(sign_key, stdout)) == 0)
+			fputc('\n', stdout);
+		else {
+			error_r(r, "Could not print public key.\n");
+			ret = -1;
+		}
+	}
 	sshbuf_free(sigbuf);
 	sshbuf_free(abuf);
 	sshkey_free(sign_key);
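Review bot: `*print_pubkey = 0;` in sig_process_opts stores through the new argument unconditionally, while the `else if (print_pubkey && ...)` branch in the next hunk treats the pointer as optional and the sig_find_principals hunk at the end of this patch now passes `NULL`, so `-Y find-principals` will fault on that first store. Make the reset conditional to match the read: `if (print_pubkey != NULL)` / `*print_pubkey = 0;`. The contract that callers now rely on is worth a comment above the function, e.g. `/* print_pubkey may be NULL, in which case the print-pubkey option is rejected */`.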
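Review bot: The message in `error_r(r, "Could not print public key.\n")` carries a trailing newline, unlike the `error("Invalid \"verify-time\" option")` and `error("Invalid option ...")` calls added to sig_process_opts in this same patch; if error_r terminates its own line as those calls appear to assume, the output gains a stray blank line, so drop the `\n`. The `if`/`else` pair braces only the else arm; bracing both arms would match the surrounding block. Gating the print on `ret == 0` is right — a key from a signature that failed to verify is never echoed. sig_verify's body starts outside this hunk.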
@@ -2792,7 +2807,7 @@ sig_find_principals(const char *signature, const char *allowed_keys,
 	char *principals = NULL, *cp, *tmp;
 	uint64_t verify_time = 0;
 
-	if (sig_process_opts(opts, nopts, &verify_time) != 0)
+	if (sig_process_opts(opts, nopts, &verify_time, NULL) != 0)
 		goto done; /* error already logged */
 
 	if ((r = sshbuf_load_file(signature, &abuf)) != 0) {
-- 
cgit v1.2.1