upstream: Allow testing signature syntax and validity without verifying
authordjm@openbsd.org <djm@openbsd.org>
Mon, 16 Sep 2019 03:23:02 +0000 (03:23 +0000)
committerDamien Miller <djm@mindrot.org>
Mon, 16 Sep 2019 03:25:53 +0000 (13:25 +1000)
that a signature came from a trusted signer. To discourage accidental or
unintentional use, this is invoked by the deliberately ugly option name
"check-novalidate"

from Sebastian Kinne

OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b

ssh-keygen.1
ssh-keygen.c

index 0811585462912ef51b0cf5bd5e7c192695ed0156..f8dafb3aae2d76ac85fe9457087c78049399b67c 100644 (file)
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-keygen.1,v 1.166 2019/09/05 05:47:23 jmc Exp $
+.\"    $OpenBSD: ssh-keygen.1,v 1.167 2019/09/16 03:23:02 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2019 $
+.Dd $Mdocdate: September 16 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
 .Nm ssh-keygen
 .Fl Y Cm verify
 .Fl I Ar signer_identity
-.Fl f Ar allowed_keys_file
+.Fl f Ar allowed_signers_file
 .Fl n Ar namespace
 .Fl s Ar signature_file
 .Op Fl r Ar revocation_file
+.Nm ssh-keygen
+.Fl Y Cm check-novalidate
+.Fl s Ar signature_file
+.Fl n Ar namespace
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -716,6 +720,20 @@ flag.
 The revocation file may be a KRL or a one-per-line list of public keys.
 Successful verification by an authorized signer is signalled by
 .Nm
+.It Fl Y Cm check-novalidate
+Checks that a signature generated using
+.Nm
+.Fl Y Cm sign
+has a valid structure.
+This does not validate if a signature comes from an authorized signer.
+When testing a signature,
+.Nm
+accepts a message on standard input and a signature namespace using
+.Fl n .
+A file containing the corresponding signature must also be supplied using the
+.Fl s
+flag. Successful testing of the signature is signalled by
+.Nm
 returning a zero exit status.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
index 570f317956ad2f19a26dd06969d2feff28ee2e3c..0dfad08c4bc9c0688a5a968a768f18dba05a6bb3 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.349 2019/09/06 07:53:40 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.350 2019/09/16 03:23:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2666,8 +2666,9 @@ verify(const char *signature, const char *sig_namespace, const char *principal,
                }
        }
 
-       if ((r = sshsig_check_allowed_keys(allowed_keys, sign_key,
-           principal, sig_namespace)) != 0) {
+       if (allowed_keys != NULL &&
+           (r = sshsig_check_allowed_keys(allowed_keys, sign_key,
+                                          principal, sig_namespace)) != 0) {
                debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r));
                goto done;
        }
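Review bot: Keying the skip on `allowed_keys != NULL` makes a NULL pointer the switch that turns off signer authorization, so any caller that reaches verify() without an allowed-signers path gets a successful result with no trust check at all. Whether the `-Y verify` branch in main() rejects a missing `-f` before calling is not visible in this hunk and should be confirmed. The success message in the later `done:` hunk is selected on `principal == NULL` instead, so the two conditions can disagree: a non-NULL principal with a NULL allowed_keys would print "signature for <principal>" without that principal ever being checked. At minimum add a comment above the test, such as `/* allowed_keys == NULL means check-novalidate: signer authorization is deliberately skipped */`; an explicit flag parameter would be more robust than overloading NULL. verify() starts and ends outside this hunk.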
@@ -2681,9 +2682,15 @@ done:
                                fatal("%s: sshkey_fingerprint failed",
                                    __func__);
                        }
-                       printf("Good \"%s\" signature for %s with %s key %s\n",
-                           sig_namespace, principal,
-                           sshkey_type(sign_key), fp);
+                       if (principal == NULL) {
+                               printf("Good \"%s\" signature with %s key %s\n",
+                                      sig_namespace, sshkey_type(sign_key), fp);
+
+                       } else {
+                               printf("Good \"%s\" signature for %s with %s key %s\n",
+                                      sig_namespace, principal,
+                                      sshkey_type(sign_key), fp);
+                       }
                } else {
                        printf("Could not verify signature.\n");
                }
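Review bot: The unvalidated path prints a line that begins with the same `Good "<namespace>" signature` text as the authorized-signer path, and the man page change says it also returns a zero exit status, so a script that matches on that prefix or on the exit code cannot tell a trusted signature from one whose signer was never checked. Consider wording that states the limitation, for example `printf("Valid \"%s\" signature, signer NOT checked: %s key %s\n", sig_namespace, sshkey_type(sign_key), fp);`. As a style point, the blank line before `} else {` and the paren-aligned continuation lines differ from the four-space continuation used by the removed lines. The enclosing block starts outside the hunk.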
@@ -2735,7 +2742,8 @@ usage(void)
            "       ssh-keygen -Q -f krl_file file ...\n"
            "       ssh-keygen -Y sign -f sign_key -n namespace\n"
            "       ssh-keygen -Y verify -I signer_identity -s signature_file\n"
-           "                  -n namespace -f allowed_keys [-r revoked_keys]\n");
+           "                  -n namespace -f allowed_keys [-r revoked_keys]\n"
+           "       ssh-keygen -Y check-novalidate -s signature_file -n namespace\n");
        exit(1);
 }
 
@@ -3034,6 +3042,14 @@ main(int argc, char **argv)
                                exit(1);
                        }
                        return sign(identity_file, cert_principals, argc, argv);
+               } else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
+                       if (ca_key_path == NULL) {
+                               error("Too few arguments for check-novalidate: "
+                                     "missing signature file");
+                               exit(1);
+                       }
+                       return verify(ca_key_path, cert_principals,
+                                     NULL, NULL, NULL);
                } else if (strncmp(sign_op, "verify", 6) == 0) {
                        if (ca_key_path == NULL) {
                                error("Too few arguments for verify: "
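Review bot: The new branch passes NULL for the principal and for both trailing arguments of verify(), so a user who also supplies `-I`, `-f` or `-r` with `check-novalidate` has them silently dropped and may read the zero exit status as an authorization result; rejecting those options here with `error(...)` and `exit(1)` would make the mode unambiguous. The match is also a prefix test, `strncmp(sign_op, "check-novalidate", 16)`, which accepts any longer string that starts with that text. For an option the commit message describes as deliberately ugly to discourage accidental use, `strcmp(sign_op, "check-novalidate") == 0` is the safer comparison. Whether the namespace in `cert_principals` is checked for NULL before this chain is not visible in the hunk, and the if/else chain itself starts and ends outside it.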