From 78230b3ec8cbabc1e7de68732dc5cbd4837c6675 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 27 Nov 2021 07:14:46 +0000
Subject: upstream: Add ssh-keygen -Y match-principals operation to perform

matching of principals names against an allowed signers file.

Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.

"doesn't bother me" deraadt@

OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247
---
 ssh-keygen.c | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

(limited to 'ssh-keygen.c')

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 248a0ae7..f3f15cd0 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.440 2021/10/29 03:20:46 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.441 2021/11/27 07:14:46 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2849,6 +2849,32 @@ done:
 	return ret;
 }
 
+static int
+sig_match_principals(const char *allowed_keys, char *principal,
+	char * const *opts, size_t nopts)
+{
+	int r;
+	char **principals = NULL;
+	size_t i, nprincipals = 0;
+
+	if ((r = sig_process_opts(opts, nopts, NULL, NULL)) != 0)
+		return r; /* error already logged */
+
+	if ((r = sshsig_match_principals(allowed_keys, principal,
+	    &principals, &nprincipals)) != 0) {
+		debug_f("match: %s", ssh_err(r));
+		fprintf(stderr, "No principal matched.\n");
+		return r;
+	}
+	for (i = 0; i < nprincipals; i++) {
+		printf("%s\n", principals[i]);
+		free(principals[i]);
+	}
+	free(principals);
+
+	return 0;
+}
+
 static void
 do_moduli_gen(const char *out_file, char **opts, size_t nopts)
 {
@@ -3187,6 +3213,7 @@ usage(void)
 	    "                  file ...\n"
 	    "       ssh-keygen -Q [-l] -f krl_file [file ...]\n"
 	    "       ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
+		"       ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file\n"
 	    "       ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
 	    "       ssh-keygen -Y sign -f key_file -n namespace file ...\n"
 	    "       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n"
@@ -3468,6 +3495,19 @@ main(int argc, char **argv)
 			}
 			return sig_find_principals(ca_key_path, identity_file,
 			    opts, nopts);
+		} else if (strncmp(sign_op, "match-principals", 16) == 0) {
+			if (!have_identity) {
+				error("Too few arguments for match-principals:"
+				    "missing allowed keys file");
+				exit(1);
+			}
+			if (cert_key_id == NULL) {
+				error("Too few arguments for match-principals: "
+				    "missing principal ID");
+				exit(1);
+			}
+			return sig_match_principals(identity_file, cert_key_id,
+			    opts, nopts);
 		} else if (strncmp(sign_op, "sign", 4) == 0) {
 			if (cert_principals == NULL ||
 			    *cert_principals == '\0') {
-- 
cgit v1.2.1