upstream commit

Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
diff --git a/sshkey.c b/sshkey.c
index a138a6f..acc6e3f 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.52 2017/06/09 06:40:24 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.53 2017/06/28 01:09:22 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -2253,7 +2253,8 @@
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
+    sshkey_certify_signer *signer, void *signer_ctx)
 {
 	struct sshbuf *principals = NULL;
 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
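Review bot: The comment above the new signature still reads `/* Sign a certified key, (re-)generating the signed certblob. */` and says nothing about the signer contract that sshkey_certify_custom now exposes: the callback receives the CA key, the data to sign, the algorithm, the compat flags and signer_ctx, and its return value and output are treated exactly as sshkey_sign's were, so the signature buffer it hands back is presumably released on the function's cleanup path like sig_blob was before. I would extend the comment along the lines of `/* signer is called in place of sshkey_sign() and must follow its contract: return 0 and a heap-allocated *sigp on success, an SSH_ERR_* code otherwise; signer_ctx is passed through untouched. */`. The body of sshkey_certify_custom continues well beyond this hunk.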
@@ -2342,8 +2343,8 @@
 		goto out;
 
 	/* Sign the whole mess */
-	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-	    sshbuf_len(cert), alg, 0)) != 0)
+	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
+	    sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
 		goto out;
 
 	/* Append signature and we are done */
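Review bot: `signer` is invoked through the pointer at the replaced sshkey_sign line without ever being checked, and because sshkey_certify_custom is a public entry point a NULL callback becomes an indirect call through a null pointer instead of an error return. Immediately before the call I would add `if (signer == NULL) { ret = SSH_ERR_INVALID_ARGUMENT; goto out; }`, which mirrors the SSH_ERR_INVALID_ARGUMENT that default_key_sign returns for an unexpected context and reuses the existing `out:` cleanup. The function begins and ends outside this hunk, so the check could equally live with whatever argument validation sits at the top of the body.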
@@ -2359,6 +2360,22 @@
 	return ret;
 }
 
+static int
+default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen,
+    const char *alg, u_int compat, void *ctx)
+{
+	if (ctx != NULL)
+		return SSH_ERR_INVALID_ARGUMENT;
+	return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
+}
+
+int
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+{
+	return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
+}
+
 int
 sshkey_cert_check_authority(const struct sshkey *k,
     int want_host, int require_principal,
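Review bot: default_key_sign rejects a non-NULL ctx without explaining why, so a reader of `if (ctx != NULL) return SSH_ERR_INVALID_ARGUMENT;` may read it as an unimplemented feature rather than a deliberate guard against a caller pairing the default signer with a context meant for another one. A one-line comment above the check would settle it: `/* The default signer signs with the CA key in-process and takes no context; a non-NULL ctx indicates a mismatched signer/context pair. */`. sshkey_certify's one-line body likewise deserves a comment saying it is the in-process variant that signs through sshkey_sign, while sshkey_certify_custom exists for callers that supply their own signer (the commit message names ssh-keygen signing with an agent-held CA as the motivating case).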