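Lines matching refs:cert. Each entry below gives the source line number, the matching line, and the enclosing function; a trailing "argument" or "local" marks the line where cert itself is declared as a parameter or local variable.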
236 return impl->cert; in sshkey_type_is_cert()
263 if (allow_short && !impl->cert && impl->shortname != NULL && in type_from_name()
346 if ((certs_only && !impl->cert) || (plain_only && impl->cert)) in sshkey_alg_list()
425 return !impl->cert; in sshkey_type_is_valid_ca()
677 cert_free(struct sshkey_cert *cert) in cert_free() argument
681 if (cert == NULL) in cert_free()
683 sshbuf_free(cert->certblob); in cert_free()
684 sshbuf_free(cert->critical); in cert_free()
685 sshbuf_free(cert->extensions); in cert_free()
686 free(cert->key_id); in cert_free()
687 for (i = 0; i < cert->nprincipals; i++) in cert_free()
688 free(cert->principals[i]); in cert_free()
689 free(cert->principals); in cert_free()
690 sshkey_free(cert->signature_key); in cert_free()
691 free(cert->signature_type); in cert_free()
692 freezero(cert, sizeof(*cert)); in cert_free()
698 struct sshkey_cert *cert; in cert_new() local
700 if ((cert = calloc(1, sizeof(*cert))) == NULL) in cert_new()
702 if ((cert->certblob = sshbuf_new()) == NULL || in cert_new()
703 (cert->critical = sshbuf_new()) == NULL || in cert_new()
704 (cert->extensions = sshbuf_new()) == NULL) { in cert_new()
705 cert_free(cert); in cert_new()
708 cert->key_id = NULL; in cert_new()
709 cert->principals = NULL; in cert_new()
710 cert->signature_key = NULL; in cert_new()
711 cert->signature_type = NULL; in cert_new()
712 return cert; in cert_new()
737 if ((k->cert = cert_new()) == NULL) { in sshkey_new()
800 cert_free(k->cert); in sshkey_free_contents()
861 if (!cert_compare(a->cert, b->cert)) in sshkey_equal()
894 if (key->cert == NULL) in to_blob_buf()
896 if (sshbuf_len(key->cert->certblob) == 0) in to_blob_buf()
899 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) in to_blob_buf()
1459 switch (k->cert->type) { in sshkey_cert_type()
1541 if (to_key == NULL || (from = from_key->cert) == NULL) in sshkey_cert_copy()
1594 cert_free(to_key->cert); in sshkey_cert_copy()
1595 to_key->cert = to; in sshkey_cert_copy()
1879 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) in cert_parse()
1883 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || in cert_parse()
1884 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || in cert_parse()
1885 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || in cert_parse()
1887 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || in cert_parse()
1888 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || in cert_parse()
1899 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); in cert_parse()
1906 if (key->cert->type != SSH2_CERT_TYPE_USER && in cert_parse()
1907 key->cert->type != SSH2_CERT_TYPE_HOST) { in cert_parse()
1917 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { in cert_parse()
1926 oprincipals = key->cert->principals; in cert_parse()
1927 key->cert->principals = recallocarray(key->cert->principals, in cert_parse()
1928 key->cert->nprincipals, key->cert->nprincipals + 1, in cert_parse()
1929 sizeof(*key->cert->principals)); in cert_parse()
1930 if (key->cert->principals == NULL) { in cert_parse()
1932 key->cert->principals = oprincipals; in cert_parse()
1936 key->cert->principals[key->cert->nprincipals++] = principal; in cert_parse()
1943 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || in cert_parse()
1945 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) in cert_parse()
1954 sshbuf_reset(key->cert->critical); in cert_parse()
1962 sshbuf_reset(key->cert->extensions); in cert_parse()
1969 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { in cert_parse()
1973 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { in cert_parse()
1977 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, in cert_parse()
1978 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) in cert_parse()
1981 &key->cert->signature_type)) != 0) in cert_parse()
2142 if (key->cert == NULL || key->cert->signature_type == NULL) in sshkey_check_cert_sigtype()
2144 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) in sshkey_check_cert_sigtype()
2164 if (!impl->cert) in sshkey_sigalg_by_name()
2261 if ((k->cert = cert_new()) == NULL) in sshkey_to_certified()
2273 cert_free(k->cert); in sshkey_drop_cert()
2274 k->cert = NULL; in sshkey_drop_cert()
2290 struct sshbuf *cert = NULL; in sshkey_certify_custom() local
2293 if (k == NULL || k->cert == NULL || in sshkey_certify_custom()
2294 k->cert->certblob == NULL || ca == NULL) in sshkey_certify_custom()
2308 alg = k->cert->signature_type; in sshkey_certify_custom()
2309 else if (k->cert->signature_type != NULL && in sshkey_certify_custom()
2310 strcmp(alg, k->cert->signature_type) != 0) in sshkey_certify_custom()
2323 cert = k->cert->certblob; /* for readability */ in sshkey_certify_custom()
2324 sshbuf_reset(cert); in sshkey_certify_custom()
2325 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) in sshkey_certify_custom()
2330 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) in sshkey_certify_custom()
2334 if ((ret = impl->funcs->serialize_public(k, cert, in sshkey_certify_custom()
2339 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || in sshkey_certify_custom()
2340 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || in sshkey_certify_custom()
2341 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) in sshkey_certify_custom()
2348 for (i = 0; i < k->cert->nprincipals; i++) { in sshkey_certify_custom()
2350 k->cert->principals[i])) != 0) in sshkey_certify_custom()
2353 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || in sshkey_certify_custom()
2354 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || in sshkey_certify_custom()
2355 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || in sshkey_certify_custom()
2356 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || in sshkey_certify_custom()
2357 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || in sshkey_certify_custom()
2358 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ in sshkey_certify_custom()
2359 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) in sshkey_certify_custom()
2363 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), in sshkey_certify_custom()
2364 sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) in sshkey_certify_custom()
2373 if (k->cert->signature_type == NULL) { in sshkey_certify_custom()
2374 k->cert->signature_type = sigtype; in sshkey_certify_custom()
2378 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) in sshkey_certify_custom()
2383 sshbuf_reset(cert); in sshkey_certify_custom()
2425 if (k->cert->type != SSH2_CERT_TYPE_HOST) { in sshkey_cert_check_authority()
2430 if (k->cert->type != SSH2_CERT_TYPE_USER) { in sshkey_cert_check_authority()
2435 if (verify_time < k->cert->valid_after) { in sshkey_cert_check_authority()
2439 if (verify_time >= k->cert->valid_before) { in sshkey_cert_check_authority()
2443 if (k->cert->nprincipals == 0) { in sshkey_cert_check_authority()
2450 for (i = 0; i < k->cert->nprincipals; i++) { in sshkey_cert_check_authority()
2452 if (match_pattern(k->cert->principals[i], in sshkey_cert_check_authority()
2457 } else if (strcmp(name, k->cert->principals[i]) == 0) { in sshkey_cert_check_authority()
2497 if (sshbuf_len(key->cert->critical) != 0) { in sshkey_cert_check_host()
2510 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) in sshkey_format_cert_validity() argument
2515 if (cert->valid_after == 0 && in sshkey_format_cert_validity()
2516 cert->valid_before == 0xffffffffffffffffULL) in sshkey_format_cert_validity()
2519 if (cert->valid_after != 0) in sshkey_format_cert_validity()
2520 format_absolute_time(cert->valid_after, from, sizeof(from)); in sshkey_format_cert_validity()
2521 if (cert->valid_before != 0xffffffffffffffffULL) in sshkey_format_cert_validity()
2522 format_absolute_time(cert->valid_before, to, sizeof(to)); in sshkey_format_cert_validity()
2524 if (cert->valid_after == 0) in sshkey_format_cert_validity()
2526 else if (cert->valid_before == 0xffffffffffffffffULL) in sshkey_format_cert_validity()
2567 if (key->cert == NULL || in sshkey_private_serialize_opt()
2568 sshbuf_len(key->cert->certblob) == 0) { in sshkey_private_serialize_opt()
2572 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0) in sshkey_private_serialize_opt()