[manual index][section index]

NAME

keyset - find authentication keys matching a signer

SYNOPSIS

include "keyset.m";
keyset := load Keyset Keyset->PATH;

init:      fn(): string;
keysforsigner: fn(signername: string, spkthumb: string,
                  user: string, dir: string):
                  (list of (string, string, string), string);
pkhash:    fn(pk: string): string;

DESCRIPTION

Keyset looks through a set of certified public keys to find one or more keys that have were certified by a given signer.

Init must be called before any other function in the module. It returns nil on success or a diagnostic string on failure.

Keysforsigner looks for public keys that satisfy given conditions: signername is either the name of a signer or nil (don't care); spkthumb is either a thumbprint of the signer's public key (as produced by pkhash, below), or nil (don't care). User is the name of the user that owns the set of keys; if it is nil, the user's name is read from /dev/user. Dir is the name of the directory holding a collection of the user's signed keys as obtained for instance using getauthinfo(8); if it is nil, the directory /usr/user/keyring is used by default. Only signed (certified) unexpired keys are considered. Keysforsigner returns a tuple (keys,err). Keys is list of tuples (keyfile, owner, signername) where keyfile is the full name of a file in dir that holds an apparently suitable key; owner is the name of the key's owner; and signername is the name of the signer in the certificate attached to the key. The list is nil if no keys could be found that matched the criteria. On an error, err is non-nil and gives a diagnostic.

Pkhash returns the hexadecimal representation of the SHA-1 hash of public key pk, which must be in the canonical textual form produced by Keyring->pktostr (see keyring-certtostr(2)).

SOURCE

/appl/lib/keyset.b

SEE ALSO

bind(1), keyring-gensk(2), keyring-sha1(2), security-auth(2), logind(8)

KEYSET(2 ) Rev:  Thu Feb 15 14:43:27 GMT 2007