KEYSET(2) KEYSET(2)
NAME
keyset - find authentication keys matching a signer
SYNOPSIS
include "keyset.m";
keyset := load Keyset Keyset->PATH;
init: fn(): string;
keysforsigner: fn(signername: string, spkthumb: string,
user: string, dir: string):
(list of (string, string, string), string);
pkhash: fn(pk: string): string;
DESCRIPTION
Keyset looks through a set of certified public keys to find
one or more keys that have were certified by a given signer.
Init must be called before any other function in the module.
It returns nil on success or a diagnostic string on failure.
Keysforsigner looks for public keys that satisfy given con-
ditions: signername is either the name of a signer or nil
(don't care); spkthumb is either a thumbprint of the
signer's public key (as produced by pkhash, below), or nil
(don't care). User is the name of the user that owns the
set of keys; if it is nil, the user's name is read from
/dev/user. Dir is the name of the directory holding a col-
lection of the user's signed keys as obtained for instance
using getauthinfo(8); if it is nil, the directory
/usr/user/keyring is used by default. Only signed (certi-
fied) unexpired keys are considered. Keysforsigner returns
a tuple (keys,err). Keys is list of tuples
(keyfile, owner, signername) where keyfile is the full name
of a file in dir that holds an apparently suitable key;
owner is the name of the key's owner; and signername is the
name of the signer in the certificate attached to the key.
The list is nil if no keys could be found that matched the
criteria. On an error, err is non-nil and gives a diagnos-
tic.
Pkhash returns the hexadecimal representation of the SHA-1
hash of public key pk, which must be in the canonical tex-
tual form produced by Keyring->pktostr (see keyring-
certtostr(2)).
SOURCE
/appl/lib/keyset.b
SEE ALSO
bind(1), keyring-gensk(2), keyring-sha1(2), security-
Page 1 Plan 9 (printed 12/22/24)
KEYSET(2) KEYSET(2)
auth(2), logind(8)
Page 2 Plan 9 (printed 12/22/24)