KEYSET(2)KEYSET(2)NAMEkeyset - find authentication keys matching a signer
SYNOPSIS
include "keyset.m";
keyset := load Keyset Keyset->PATH;
init: fn(): string;
keysforsigner: fn(signername: string, spkthumb: string,
user: string, dir: string):
(list of (string, string, string), string);
pkhash: fn(pk: string): string;
DESCRIPTION
Keyset looks through a set of certified public keys to find one or more
keys that have were certified by a given signer.
Init must be called before any other function in the module. It
returns nil on success or a diagnostic string on failure.
Keysforsigner looks for public keys that satisfy given conditions:
signername is either the name of a signer or nil (don't care); spkthumb
is either a thumbprint of the signer's public key (as produced by
pkhash, below), or nil (don't care). User is the name of the user that
owns the set of keys; if it is nil, the user's name is read from
/dev/user. Dir is the name of the directory holding a collection of
the user's signed keys as obtained for instance using getauthinfo(8);
if it is nil, the directory /usr/user/keyring is used by default. Only
signed (certified) unexpired keys are considered. Keysforsigner
returns a tuple (keys,err). Keys is list of tuples (key‐
file, owner, signername) where keyfile is the full name of a file in
dir that holds an apparently suitable key; owner is the name of the
key's owner; and signername is the name of the signer in the certifi‐
cate attached to the key. The list is nil if no keys could be found
that matched the criteria. On an error, err is non-nil and gives a
diagnostic.
Pkhash returns the hexadecimal representation of the SHA-1 hash of pub‐
lic key pk, which must be in the canonical textual form produced by
Keyring->pktostr (see keyring-certtostr(2)).
SOURCE
/appl/lib/keyset.b
SEE ALSObind(1), keyring-gensk(2), keyring-sha1(2), security-auth(2), logind(8)KEYSET(2)