KEYSET(2)                                               KEYSET(2)

     NAME
          keyset - find authentication keys matching a signer

     SYNOPSIS
          include "keyset.m";
          keyset := load Keyset Keyset->PATH;

          init:      fn(): string;
          keysforsigner: fn(signername: string, spkthumb: string,
                            user: string, dir: string):
                            (list of (string, string, string), string);
          pkhash:    fn(pk: string): string;

     DESCRIPTION
          Keyset looks through a set of certified public keys to find
          one or more keys that have were certified by a given signer.

          Init must be called before any other function in the module.
          It returns nil on success or a diagnostic string on failure.

          Keysforsigner looks for public keys that satisfy given con-
          ditions: signername is either the name of a signer or nil
          (don't care); spkthumb is either a thumbprint of the
          signer's public key (as produced by pkhash, below), or nil
          (don't care).  User is the name of the user that owns the
          set of keys; if it is nil, the user's name is read from
          /dev/user.  Dir is the name of the directory holding a col-
          lection of the user's signed keys as obtained for instance
          using getauthinfo(8); if it is nil, the directory
          /usr/user/keyring is used by default.  Only signed (certi-
          fied) unexpired keys are considered.  Keysforsigner returns
          a tuple (keys,err).  Keys is list of tuples
          (keyfile, owner, signername) where keyfile is the full name
          of a file in dir that holds an apparently suitable key;
          owner is the name of the key's owner; and signername is the
          name of the signer in the certificate attached to the key.
          The list is nil if no keys could be found that matched the
          criteria.  On an error, err is non-nil and gives a diagnos-
          tic.

          Pkhash returns the hexadecimal representation of the SHA-1
          hash of public key pk, which must be in the canonical tex-
          tual form produced by Keyring->pktostr (see keyring-
          certtostr(2)).

     SOURCE
          /appl/lib/keyset.b

     SEE ALSO
          bind(1), keyring-gensk(2), keyring-sha1(2), security-

     Page 1                       Plan 9            (printed 12/22/24)

     KEYSET(2)                                               KEYSET(2)

          auth(2), logind(8)

     Page 2                       Plan 9            (printed 12/22/24)