Lines Matching +full:touch +full:- +full:enter
1 /* $OpenBSD: ssh-keygen.c,v 1.475 2024/09/15 00:47:01 djm Exp $ */
24 #include "openbsd-compat/openssl-compat.h"
59 #include "ssh-pkcs11.h"
66 #include "ssh-sk.h"
67 #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
77 * least 128 bits of security according to NIST Special Publication 800-57:
79 * For DSA it (and FIPS-186-4 section 4.2) specifies that the only size for
80 * which a 160bit hash is acceptable is 1kbit, and since ssh-dss specifies only
112 /* Comma-separated list of principal names for certifying keys */
160 /* Cipher for new-format private keys */
219 if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1) in type_bits_valid()
302 "%s/%s", pw->pw_dir, name); in ask_filename()
329 xasprintf(&prompt, "Enter passphrase for \"%s\": ", filename); in load_identity()
340 #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
341 #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
342 #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
362 "%u-bit %s, converted by %s@%s from OpenSSH", in do_convert_to_ssh2()
364 pw->pw_name, hostname); in do_convert_to_ssh2()
379 switch (sshkey_type_plain(k->type)) { in do_convert_to_pkcs8()
382 EVP_PKEY_get0_RSA(k->pkey))) in do_convert_to_pkcs8()
387 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) in do_convert_to_pkcs8()
394 EVP_PKEY_get0_EC_KEY(k->pkey))) in do_convert_to_pkcs8()
407 switch (sshkey_type_plain(k->type)) { in do_convert_to_pem()
410 EVP_PKEY_get0_RSA(k->pkey))) in do_convert_to_pem()
415 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) in do_convert_to_pem()
422 EVP_PKEY_get0_EC_KEY(k->pkey))) in do_convert_to_pem()
440 ask_filename(pw, "Enter file in which the key is"); in do_convert_to()
441 if (stat(identity_file, &st) == -1) in do_convert_to()
541 switch (key->type) { in do_convert_private_ssh2()
555 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) in do_convert_private_ssh2()
558 if (!DSA_set0_key(key->dsa, dsa_pub_key, dsa_priv_key)) in do_convert_private_ssh2()
599 if ((key->pkey = EVP_PKEY_new()) == NULL) in do_convert_private_ssh2()
612 if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) in do_convert_private_ssh2()
615 alg = "rsa-sha2-256"; in do_convert_private_ssh2()
646 if (pos >= len - 1) in get_line()
661 return -1; in get_line()
679 while ((blen = get_line(fp, line, sizeof(line))) != -1) { in do_convert_from_ssh2()
680 if (blen > 0 && line[blen - 1] == '\\') in do_convert_from_ssh2()
682 if (strncmp(line, "----", 4) == 0 || in do_convert_from_ssh2()
693 escaped--; in do_convert_from_ssh2()
701 (encoded[len-1] == '=') && in do_convert_from_ssh2()
702 (encoded[len-2] == '=') && in do_convert_from_ssh2()
703 (encoded[len-3] == '=')) in do_convert_from_ssh2()
704 encoded[len-3] = '\0'; in do_convert_from_ssh2()
733 (*k)->type = KEY_RSA; in do_convert_from_pkcs8()
734 (*k)->pkey = pubkey; in do_convert_from_pkcs8()
741 (*k)->type = KEY_DSA; in do_convert_from_pkcs8()
742 (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); in do_convert_from_pkcs8()
749 if (((*k)->ecdsa_nid = sshkey_ecdsa_fixup_group(pubkey)) == -1) in do_convert_from_pkcs8()
751 (*k)->type = KEY_ECDSA; in do_convert_from_pkcs8()
752 (*k)->pkey = pubkey; in do_convert_from_pkcs8()
775 if (((*k)->pkey = EVP_PKEY_new()) == NULL) in do_convert_from_pem()
777 (*k)->type = KEY_RSA; in do_convert_from_pem()
778 if (EVP_PKEY_set1_RSA((*k)->pkey, rsa) != 1) in do_convert_from_pem()
795 ask_filename(pw, "Enter file in which the key is"); in do_convert_from()
796 if (stat(identity_file, &st) == -1) in do_convert_from()
819 switch (k->type) { in do_convert_from()
822 ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, in do_convert_from()
829 EVP_PKEY_get0_EC_KEY(k->pkey), NULL, NULL, 0, in do_convert_from()
835 EVP_PKEY_get0_RSA(k->pkey), NULL, NULL, 0, in do_convert_from()
859 ask_filename(pw, "Enter file in which the key is"); in do_print_public()
860 if (stat(identity_file, &st) == -1) in do_print_public()
870 prv->sk_application, prv->sk_flags); in do_print_public()
968 if (stat(identity_file, &st) == -1) in fingerprint_private()
999 ask_filename(pw, "Enter file in which the key is"); in do_fingerprint()
1002 if (strcmp(identity_file, "-") == 0) { in do_fingerprint()
1008 while (getline(&line, &linesize, f) != -1) { in do_fingerprint()
1027 if (lnum == 1 && strcmp(identity_file, "-") != 0 && in do_fingerprint()
1119 /* Check whether private key exists and is not zero-length */ in do_gen_all_hostkeys()
1147 if ((fd = mkstemp(prv_tmp)) == -1) { in do_gen_all_hostkeys()
1161 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, in do_gen_all_hostkeys()
1169 if ((fd = mkstemp(pub_tmp)) == -1) { in do_gen_all_hostkeys()
1223 int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); in known_hosts_hash()
1224 int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM; in known_hosts_hash()
1226 switch (l->status) { in known_hosts_hash()
1233 if (was_hashed || has_wild || l->marker != MRK_NONE) { in known_hosts_hash()
1234 fprintf(ctx->out, "%s\n", l->line); in known_hosts_hash()
1235 if (has_wild && !ctx->find_host) { in known_hosts_hash()
1237 "with wildcard: %.64s", l->path, in known_hosts_hash()
1238 l->linenum, l->hosts); in known_hosts_hash()
1243 * Split any comma-separated hostnames from the host list, in known_hosts_hash()
1246 ohosts = hosts = xstrdup(l->hosts); in known_hosts_hash()
1251 fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); in known_hosts_hash()
1253 ctx->has_unhashed = 1; in known_hosts_hash()
1259 ctx->invalid = 1; in known_hosts_hash()
1260 logit("%s:%lu: invalid line", l->path, l->linenum); in known_hosts_hash()
1263 fprintf(ctx->out, "%s\n", l->line); in known_hosts_hash()
1267 return -1; in known_hosts_hash()
1281 if (l->status == HKF_STATUS_MATCHED) { in known_hosts_find_delete()
1282 if (ctx->delete_host) { in known_hosts_find_delete()
1283 if (l->marker != MRK_NONE) { in known_hosts_find_delete()
1285 fprintf(ctx->out, "%s\n", l->line); in known_hosts_find_delete()
1290 * line to ctx->out. in known_hosts_find_delete()
1292 ctx->found_key = 1; in known_hosts_find_delete()
1295 ctx->host, l->linenum); in known_hosts_find_delete()
1298 } else if (ctx->find_host) { in known_hosts_find_delete()
1299 ctx->found_key = 1; in known_hosts_find_delete()
1302 ctx->host, in known_hosts_find_delete()
1303 l->linenum, l->marker == MRK_CA ? "CA" : in known_hosts_find_delete()
1304 (l->marker == MRK_REVOKE ? "REVOKED" : "")); in known_hosts_find_delete()
1306 if (ctx->hash_hosts) in known_hosts_find_delete()
1309 fp = sshkey_fingerprint(l->key, fptype, rep); in known_hosts_find_delete()
1310 ra = sshkey_fingerprint(l->key, in known_hosts_find_delete()
1314 mprintf("%s %s %s%s%s\n", ctx->host, in known_hosts_find_delete()
1315 sshkey_type(l->key), fp, in known_hosts_find_delete()
1316 l->comment[0] ? " " : "", in known_hosts_find_delete()
1317 l->comment); in known_hosts_find_delete()
1323 fprintf(ctx->out, "%s\n", l->line); in known_hosts_find_delete()
1326 } else if (ctx->delete_host) { in known_hosts_find_delete()
1327 /* Retain non-matching hosts when deleting */ in known_hosts_find_delete()
1328 if (l->status == HKF_STATUS_INVALID) { in known_hosts_find_delete()
1329 ctx->invalid = 1; in known_hosts_find_delete()
1330 logit("%s:%lu: invalid line", l->path, l->linenum); in known_hosts_find_delete()
1332 fprintf(ctx->out, "%s\n", l->line); in known_hosts_find_delete()
1348 cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); in do_known_hosts()
1366 * Find hosts goes to stdout, hash and deletions happen in-place in do_known_hosts()
1367 * A corner case is ssh-keygen -HF foo, which should go to stdout in do_known_hosts()
1376 if ((fd = mkstemp(tmp)) == -1) in do_known_hosts()
1386 /* XXX support identity_file == "-" for stdin */ in do_known_hosts()
1414 if (unlink(old) == -1 && errno != ENOENT) in do_known_hosts()
1416 if (link(identity_file, old) == -1) in do_known_hosts()
1420 if (rename(tmp, identity_file) == -1) { in do_known_hosts()
1454 ask_filename(pw, "Enter file in which the key is"); in do_change_passphrase()
1455 if (stat(identity_file, &st) == -1) in do_change_passphrase()
1464 read_passphrase("Enter old passphrase: ", in do_change_passphrase()
1484 read_passphrase("Enter new passphrase (empty for no " in do_change_passphrase()
1486 passphrase2 = read_passphrase("Enter same passphrase again: ", in do_change_passphrase()
1530 int r, hash = -1; in do_print_resource_record()
1535 if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1) in do_print_resource_record()
1544 if (stat(fname, &st) == -1) { in do_print_resource_record()
1570 ask_filename(pw, "Enter file in which the key is"); in do_change_comment()
1571 if (stat(identity_file, &st) == -1) in do_change_comment()
1584 passphrase = read_passphrase("Enter passphrase: ", in do_change_comment()
1595 if (private->type != KEY_ED25519 && private->type != KEY_XMSS && in do_change_comment()
1598 "the new format (-o)."); in do_change_comment()
1675 if (a->crit != b->crit) in cert_ext_cmp()
1676 return (a->crit < b->crit) ? -1 : 1; in cert_ext_cmp()
1677 if ((r = strcmp(a->key, b->key)) != 0) in cert_ext_cmp()
1679 if ((a->val == NULL) != (b->val == NULL)) in cert_ext_cmp()
1680 return (a->val == NULL) ? -1 : 1; in cert_ext_cmp()
1681 if (a->val != NULL && (r = strcmp(a->val, b->val)) != 0) in cert_ext_cmp()
1701 if ((ext->crit && (which & OPTIONS_EXTENSIONS)) || in prepare_options_buf()
1702 (!ext->crit && (which & OPTIONS_CRITICAL))) in prepare_options_buf()
1704 if (ext->val == NULL) { in prepare_options_buf()
1706 debug3_f("%s", ext->key); in prepare_options_buf()
1707 if ((r = sshbuf_put_cstring(c, ext->key)) != 0 || in prepare_options_buf()
1712 debug3_f("%s=%s", ext->key, ext->val); in prepare_options_buf()
1714 if ((r = sshbuf_put_cstring(c, ext->key)) != 0 || in prepare_options_buf()
1715 (r = sshbuf_put_cstring(b, ext->val)) != 0 || in prepare_options_buf()
1728 cert_ext_add("force-command", certflags_command, 1); in finalise_cert_exts()
1730 cert_ext_add("source-address", certflags_src_addr, 1); in finalise_cert_exts()
1732 cert_ext_add("verify-required", NULL, 1); in finalise_cert_exts()
1735 cert_ext_add("permit-X11-forwarding", NULL, 0); in finalise_cert_exts()
1737 cert_ext_add("permit-agent-forwarding", NULL, 0); in finalise_cert_exts()
1739 cert_ext_add("permit-port-forwarding", NULL, 0); in finalise_cert_exts()
1741 cert_ext_add("permit-pty", NULL, 0); in finalise_cert_exts()
1743 cert_ext_add("permit-user-rc", NULL, 0); in finalise_cert_exts()
1745 cert_ext_add("no-touch-required", NULL, 0); in finalise_cert_exts()
1799 int r, i, found, agent_fd = -1; in do_ca_sign()
1811 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); in do_ca_sign()
1829 for (j = 0; j < agent_ids->nkeys; j++) { in do_ca_sign()
1830 if (sshkey_equal(ca, agent_ids->keys[j])) { in do_ca_sign()
1838 ca->flags |= SSHKEY_FLAG_EXT; in do_ca_sign()
1843 (ca->sk_flags & SSH_SK_USER_VERIFICATION_REQD)) { in do_ca_sign()
1844 if ((pin = read_passphrase("Enter PIN for CA key: ", in do_ca_sign()
1852 if (sshkey_type_from_shortname(key_type_name) != ca->type) { in do_ca_sign()
1856 } else if (ca->type == KEY_RSA) { in do_ca_sign()
1858 key_type_name = "rsa-sha2-512"; in do_ca_sign()
1879 tmp = tilde_expand_filename(argv[i], pw->pw_uid); in do_ca_sign()
1889 public->cert->type = cert_key_type; in do_ca_sign()
1890 public->cert->serial = (u_int64_t)cert_serial; in do_ca_sign()
1891 public->cert->key_id = xstrdup(cert_key_id); in do_ca_sign()
1892 public->cert->nprincipals = n; in do_ca_sign()
1893 public->cert->principals = plist; in do_ca_sign()
1894 public->cert->valid_after = cert_valid_from; in do_ca_sign()
1895 public->cert->valid_before = cert_valid_to; in do_ca_sign()
1896 prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); in do_ca_sign()
1897 prepare_options_buf(public->cert->extensions, in do_ca_sign()
1900 &public->cert->signature_key)) != 0) in do_ca_sign()
1903 if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) { in do_ca_sign()
1910 (ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { in do_ca_sign()
1924 xasprintf(&out, "%s-cert.pub", tmp); in do_ca_sign()
1933 sshkey_format_cert_validity(public->cert, in do_ca_sign()
1937 out, public->cert->key_id, in do_ca_sign()
1938 (unsigned long long)public->cert->serial, in do_ca_sign()
1963 mul = *s == '-' ? -1 : 1; in parse_relative_time()
1965 if ((secs = convtime(s + 1)) == -1) in parse_relative_time()
1967 if (mul == -1 && secs > now) in parse_relative_time()
1996 if ((secs = convtime(timespec + 1)) == -1) in parse_cert_times()
2001 * with poorly-synchronised clocks. in parse_cert_times()
2003 cert_valid_from = ((now - 59)/ 60) * 60; in parse_cert_times()
2009 * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "always" in parse_cert_times()
2010 * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "forever" in parse_cert_times()
2018 if (*from == '-' || *from == '+') in parse_cert_times()
2027 if (*to == '-' || *to == '+') in parse_cert_times()
2049 else if (strcasecmp(opt, "no-x11-forwarding") == 0) in add_cert_option()
2051 else if (strcasecmp(opt, "permit-x11-forwarding") == 0) in add_cert_option()
2053 else if (strcasecmp(opt, "no-agent-forwarding") == 0) in add_cert_option()
2055 else if (strcasecmp(opt, "permit-agent-forwarding") == 0) in add_cert_option()
2057 else if (strcasecmp(opt, "no-port-forwarding") == 0) in add_cert_option()
2059 else if (strcasecmp(opt, "permit-port-forwarding") == 0) in add_cert_option()
2061 else if (strcasecmp(opt, "no-pty") == 0) in add_cert_option()
2063 else if (strcasecmp(opt, "permit-pty") == 0) in add_cert_option()
2065 else if (strcasecmp(opt, "no-user-rc") == 0) in add_cert_option()
2067 else if (strcasecmp(opt, "permit-user-rc") == 0) in add_cert_option()
2069 else if (strcasecmp(opt, "touch-required") == 0) in add_cert_option()
2071 else if (strcasecmp(opt, "no-touch-required") == 0) in add_cert_option()
2073 else if (strcasecmp(opt, "no-verify-required") == 0) in add_cert_option()
2075 else if (strcasecmp(opt, "verify-required") == 0) in add_cert_option()
2077 else if (strncasecmp(opt, "force-command=", 14) == 0) { in add_cert_option()
2080 fatal("Empty force-command option"); in add_cert_option()
2082 fatal("force-command already specified"); in add_cert_option()
2084 } else if (strncasecmp(opt, "source-address=", 15) == 0) { in add_cert_option()
2087 fatal("Empty source-address option"); in add_cert_option()
2089 fatal("source-address already specified"); in add_cert_option()
2091 fatal("Invalid source-address list"); in add_cert_option()
2121 (strcmp(name, "permit-X11-forwarding") == 0 || in show_options()
2122 strcmp(name, "permit-agent-forwarding") == 0 || in show_options()
2123 strcmp(name, "permit-port-forwarding") == 0 || in show_options()
2124 strcmp(name, "permit-pty") == 0 || in show_options()
2125 strcmp(name, "permit-user-rc") == 0 || in show_options()
2126 strcmp(name, "no-touch-required") == 0)) { in show_options()
2129 (strcmp(name, "force-command") == 0 || in show_options()
2130 strcmp(name, "source-address") == 0)) { in show_options()
2136 strcmp(name, "verify-required") == 0) { in show_options()
2161 ca_fp = sshkey_fingerprint(key->cert->signature_key, in print_cert()
2165 sshkey_format_cert_validity(key->cert, valid, sizeof(valid)); in print_cert()
2171 sshkey_type(key->cert->signature_key), ca_fp, in print_cert()
2172 key->cert->signature_type); in print_cert()
2173 printf(" Key ID: \"%s\"\n", key->cert->key_id); in print_cert()
2174 printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); in print_cert()
2177 if (key->cert->nprincipals == 0) in print_cert()
2180 for (i = 0; i < key->cert->nprincipals; i++) in print_cert()
2182 key->cert->principals[i]); in print_cert()
2186 if (sshbuf_len(key->cert->critical) == 0) in print_cert()
2190 show_options(key->cert->critical, 1); in print_cert()
2193 if (sshbuf_len(key->cert->extensions) == 0) in print_cert()
2197 show_options(key->cert->extensions, 0); in print_cert()
2214 ask_filename(pw, "Enter file in which the key is"); in do_show_cert()
2215 if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) == -1) in do_show_cert()
2219 if (strcmp(path, "-") == 0) { in do_show_cert()
2226 while (getline(&line, &linesize, f) != -1) { in do_show_cert()
2289 if ((tlen = strlen(cp)) >= SIZE_MAX - 5) in hash_to_blob()
2321 path = tilde_expand_filename(file, pw->pw_uid); in update_krl_from_file()
2322 if (strcmp(path, "-") == 0) { in update_krl_from_file()
2331 while (getline(&line, &linesize, krl_spec) != -1) { in update_krl_from_file()
2340 for (i = 0, r = -1; cp[i] != '\0'; i++) { in update_krl_from_file()
2347 if (r == -1) in update_krl_from_file()
2350 r = -1; in update_krl_from_file()
2352 if (r != -1) in update_krl_from_file()
2365 if (*cp == '\0' || (*ep != '\0' && *ep != '-')) in update_krl_from_file()
2372 if (*ep == '-') { in update_krl_from_file()
2456 if (strcmp(path, "-") != 0) in update_krl_from_file()
2476 if (stat(identity_file, &sb) == -1) { in do_gen_krl()
2487 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); in do_gen_krl()
2552 static const char * const suffixes[] = { "-cert.pub", ".pub", NULL }; in load_sign_key()
2559 * private key. This lets us specify certificates on the command-line in load_sign_key()
2560 * and have ssh-keygen find the appropriate private key. in load_sign_key()
2565 strcmp(privpath + plen - slen, suffixes[i]) != 0) in load_sign_key()
2567 privpath[plen - slen] = '\0'; in load_sign_key()
2615 int r = SSH_ERR_INTERNAL_ERROR, wfd = -1, oerrno; in sign_one()
2626 if ((signkey->sk_flags & SSH_SK_USER_VERIFICATION_REQD)) { in sign_one()
2627 xasprintf(&prompt, "Enter PIN for %s key: ", in sign_one()
2633 if ((signkey->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { in sign_one()
2664 0666)) == -1) { in sign_one()
2697 if (wfd != -1) in sign_one()
2720 strncasecmp(opts[i], "verify-time=", 12) == 0) { in sig_process_opts()
2723 error("Invalid \"verify-time\" option"); in sig_process_opts()
2727 strcasecmp(opts[i], "print-pubkey") == 0) { in sig_process_opts()
2749 int i, fd = -1, r, ret = -1; in sig_sign()
2750 int agent_fd = -1; in sig_sign()
2757 if (strcmp(argv[i], "-") != 0) in sig_sign()
2786 /* Not using agent - try to load private key */ in sig_sign()
2801 if (strcmp(argv[i], "-") == 0) in sig_sign()
2803 else if ((fd = open(argv[i], O_RDONLY)) == -1) { in sig_sign()
2813 fd = -1; in sig_sign()
2819 if (fd != -1 && fd != STDIN_FILENO) in sig_sign()
2832 int r, ret = -1; in sig_verify()
2864 sig_details->sk_counter, sig_details->sk_flags); in sig_verify()
2908 ret = -1; in sig_verify()
2923 int r, ret = -1; in sig_find_principals()
3015 /* XXX - also compare length against bits */ in do_moduli_gen()
3063 } else if (strncmp(opts[i], "start-line=", 11) == 0) { in do_moduli_screen()
3075 } else if (strncmp(opts[i], "prime-tests=", 12) == 0) { in do_moduli_screen()
3088 if (have_identity && strcmp(identity_file, "-") != 0) { in do_moduli_screen()
3148 xasprintf(&prompt, "Enter passphrase for \"%s\" " in private_key_passphrase()
3151 "Enter same passphrase again: ", in private_key_passphrase()
3163 /* Trim off URL-like preamble */ in sk_suffix()
3173 if (user[userlen - i - 1] != 0) in sk_suffix()
3177 return ret; /* user-id was default all-zeros */ in sk_suffix()
3179 /* Append user-id, escaping non-UTF-8 characters */ in sk_suffix()
3180 slen = userlen - i; in sk_suffix()
3181 if (asmprintf(&cp, INT_MAX, NULL, "%.*s", (int)slen, user) == -1) in sk_suffix()
3183 /* Don't emit a user-id that contains path or control characters */ in sk_suffix()
3199 int r, ret = -1; in do_download_sk()
3207 pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); in do_download_sk()
3209 printf("You may need to touch your authenticator " in do_download_sk()
3217 return -1; in do_download_sk()
3225 key = srks[i]->key; in do_download_sk()
3226 if (key->type != KEY_ECDSA_SK && key->type != KEY_ED25519_SK) { in do_download_sk()
3228 sshkey_type(key), key->type); in do_download_sk()
3235 sshkey_type(key), fp, key->sk_application, key->sk_flags); in do_download_sk()
3236 ext = sk_suffix(key->sk_application, in do_download_sk()
3237 srks[i]->user_id, srks[i]->user_id_len); in do_download_sk()
3239 key->type == KEY_ECDSA_SK ? "ecdsa_sk" : "ed25519_sk", in do_download_sk()
3252 key->sk_application, private_key_format, in do_download_sk()
3261 *ext != '\0' ? key->sk_application : "", in do_download_sk()
3269 key->sk_application)) != 0) { in do_download_sk()
3326 "usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]\n" in usage()
3327 " [-m format] [-N new_passphrase] [-O option]\n" in usage()
3328 " [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" in usage()
3329 " [-w provider] [-Z cipher]\n" in usage()
3330 " ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n" in usage()
3331 " [-P old_passphrase] [-Z cipher]\n" in usage()
3333 " ssh-keygen -i [-f input_keyfile] [-m key_format]\n" in usage()
3334 " ssh-keygen -e [-f input_keyfile] [-m key_format]\n" in usage()
3336 " ssh-keygen -y [-f input_keyfile]\n" in usage()
3337 " ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]\n" in usage()
3338 " ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" in usage()
3339 " ssh-keygen -B [-f input_keyfile]\n"); in usage()
3342 " ssh-keygen -D pkcs11\n"); in usage()
3345 " ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" in usage()
3346 " ssh-keygen -H [-f known_hosts_file]\n" in usage()
3347 " ssh-keygen -K [-a rounds] [-w provider]\n" in usage()
3348 " ssh-keygen -R hostname [-f known_hosts_file]\n" in usage()
3349 " ssh-keygen -r hostname [-g] [-f input_keyfile]\n" in usage()
3351 " ssh-keygen -M generate [-O option] output_file\n" in usage()
3352 " ssh-keygen -M screen [-f input_file] [-O option] output_file\n" in usage()
3354 " ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" in usage()
3355 " [-n principals] [-O option] [-V validity_interval]\n" in usage()
3356 " [-z serial_number] file ...\n" in usage()
3357 " ssh-keygen -L [-f input_keyfile]\n" in usage()
3358 " ssh-keygen -A [-a rounds] [-f prefix_path]\n" in usage()
3359 " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" in usage()
3361 " ssh-keygen -Q [-l] -f krl_file [file ...]\n" in usage()
3362 " ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n" in usage()
3363 " ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file\n" in usage()
3364 " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" in usage()
3365 " ssh-keygen -Y sign -f key_file -n namespace file [-O option] ...\n" in usage()
3366 " ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" in usage()
3367 " -n namespace -s signature_file [-r krl_file] [-O option]\n"); in usage()
3419 if (gethostname(hostname, sizeof(hostname)) == -1) in main()
3427 "a:b:f:g:m:n:r:s:t:w:z:")) != -1) { in main()
3441 if (fingerprint_hash == -1) in main()
3488 /* no-op; new format is already the default */ in main()
3525 fatal("Invalid OpenSSH-format cipher '%s'", in main()
3628 argc -= optind; in main()
3631 if (strncmp(sign_op, "find-principals", 15) == 0) { in main()
3633 error("Too few arguments for find-principals:" in main()
3638 error("Too few arguments for find-principals:" in main()
3644 } else if (strncmp(sign_op, "match-principals", 16) == 0) { in main()
3646 error("Too few arguments for match-principals:" in main()
3651 error("Too few arguments for match-principals: " in main()
3658 /* NB. cert_principals is actually namespace, via -n */ in main()
3672 } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { in main()
3673 /* NB. cert_principals is actually namespace, via -n */ in main()
3676 error("Too few arguments for check-novalidate: " in main()
3681 error("Too few arguments for check-novalidate: " in main()
3688 /* NB. cert_principals is actually namespace, via -n */ in main()
3714 error("Unsupported operation for -Y: \"%s\"", sign_op); in main()
3730 error("Can only have one of -p and -c."); in main()
3734 error("Cannot use -l with -H or -R."); in main()
3748 fatal("Must specify key id (-I) when certifying"); in main()
3857 if (strcasecmp(opts[i], "no-touch-required") == 0) { in main()
3859 } else if (strcasecmp(opts[i], "verify-required") == 0) { in main()
3875 "write-attestation=", 18) == 0) { in main()
3894 printf("You may need to touch your " in main()
3922 passphrase = read_passphrase("Enter PIN for " in main()
3939 ask_filename(pw, "Enter file in which to save the key"); in main()
3954 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); in main()