From 78230b3ec8cbabc1e7de68732dc5cbd4837c6675 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 27 Nov 2021 07:14:46 +0000
Subject: upstream: Add ssh-keygen -Y match-principals operation to perform

matching of principals names against an allowed signers file.

Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.

"doesn't bother me" deraadt@

OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247
---
 sshsig.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sshsig.h')

diff --git a/sshsig.h b/sshsig.h
index b725c7d7..ac557796 100644
--- a/sshsig.h
+++ b/sshsig.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.h,v 1.10 2021/07/23 03:37:52 djm Exp $ */
+/* $OpenBSD: sshsig.h,v 1.11 2021/11/27 07:14:46 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -104,4 +104,8 @@ int sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey);
 int sshsig_find_principals(const char *path, const struct sshkey *sign_key,
     uint64_t verify_time, char **principal);
 
+/* Find all principals in allowed_keys file matching *principal */
+int sshsig_match_principals(const char *path,
+	const char *principal, char ***principalsp, size_t *nprincipalsp);
+
 #endif /* SSHSIG_H */
-- 
cgit v1.2.3