From 6ace5e865f2d385b7ac5e78020584bdff4057840 Mon Sep 17 00:00:00 2001
From: Kenny Root
Date: Fri, 26 Jun 2009 08:36:12 +0000
Subject: Add confirm-use and lifetime constraints to individual pubkeys

git-svn-id: https://connectbot.googlecode.com/svn/trunk/connectbot@334 df292f66-193f-0410-a5fc-6d59da041ff2
---
 .../java/com/trilead/ssh2/AuthAgentCallback.java | 4 +++-
 .../ssh2/channel/AuthAgentForwardThread.java | 27 +++++++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/lib/src/main/java/com/trilead/ssh2/AuthAgentCallback.java b/lib/src/main/java/com/trilead/ssh2/AuthAgentCallback.java
index ffc3020..c395198 100644
--- a/lib/src/main/java/com/trilead/ssh2/AuthAgentCallback.java
+++ b/lib/src/main/java/com/trilead/ssh2/AuthAgentCallback.java
@@ -20,9 +20,11 @@ public interface AuthAgentCallback {
 * containing a DSA or RSA private key of
 * the user in Trilead object format.
 * @param comment comment associated with this key
+ * @param confirmUse whether to prompt before using this key
+ * @param lifetime lifetime in seconds for key to be remembered
 * @return success or failure
 */
- boolean addIdentity(Object key, String comment);
+ boolean addIdentity(Object key, String comment, boolean confirmUse, int lifetime);
 /**
 * @param publicKey byte blob containing the OpenSSH-format encoded public key
diff --git a/lib/src/main/java/com/trilead/ssh2/channel/AuthAgentForwardThread.java b/lib/src/main/java/com/trilead/ssh2/channel/AuthAgentForwardThread.java
index 1c6be84..b4ab108 100644
--- a/lib/src/main/java/com/trilead/ssh2/channel/AuthAgentForwardThread.java
+++ b/lib/src/main/java/com/trilead/ssh2/channel/AuthAgentForwardThread.java
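Review bot: The Javadoc added for `confirmUse` and `lifetime` on `AuthAgentCallback.addIdentity` leaves the enforcement contract open. It does not say what a `lifetime` of 0 means, although `AuthAgentForwardThread.addIdentity` passes 0 whenever no lifetime constraint was sent, and it does not say what an implementation that cannot honour a constraint should do. An implementer that accepts the key and ignores the two flags would store it with weaker protection than the requester asked for, without any signal back. I would extend the tags to `@param lifetime lifetime in seconds for key to be remembered; 0 means no expiry` (assuming that is the intended meaning) and `@return success or failure; must be false if a requested constraint cannot be enforced`. The interface body continues outside the hunk.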
@@ -129,7 +129,10 @@ public class AuthAgentForwardThread extends Thread implements IChannelWorkerThre
 sendIdentities();
 break;
 case SSH2_AGENTC_ADD_IDENTITY:
- addIdentity(tr);
+ addIdentity(tr, false);
+ break;
+ case SSH2_AGENTC_ADD_ID_CONSTRAINED:
+ addIdentity(tr, true);
 break;
 case SSH2_AGENTC_REMOVE_IDENTITY:
 removeIdentity(tr);
@@ -240,7 +243,7 @@ public class AuthAgentForwardThread extends Thread implements IChannelWorkerThre
 /**
 * @param tr
 */
- private void addIdentity(TypesReader tr) {
+ private void addIdentity(TypesReader tr, boolean checkConstraints) {
 try {
 if (failWhenLocked())
@@ -275,7 +278,25 @@ public class AuthAgentForwardThread extends Thread implements IChannelWorkerThre
 return;
 }
- if (authAgent.addIdentity(key, comment))
+ boolean confirmUse = false;
+ int lifetime = 0;
+
+ if (checkConstraints) {
+ while (tr.remain() > 0) {
+ int constraint = tr.readByte();
+ if (constraint == SSH_AGENT_CONSTRAIN_CONFIRM)
+ confirmUse = true;
+ else if (constraint == SSH_AGENT_CONSTRAIN_LIFETIME)
+ lifetime = tr.readUINT32();
+ else {
+ // Unknown constraint. Bail.
+ os.write(SSH_AGENT_FAILURE);
+ return;
+ }
+ }
+ }
+
+ if (authAgent.addIdentity(key, comment, confirmUse, lifetime))
 os.write(SSH_AGENT_SUCCESS);
 else
 os.write(SSH_AGENT_FAILURE);
--
cgit v1.2.3
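Review bot: The Javadoc above `addIdentity` in the `-240,7 +243,7` hunk is still only an empty `@param tr`, and the new `checkConstraints` parameter is not documented. The flag decides whether the bytes still unread in the request are parsed as key constraints, so a reader of the signature should not have to find the dispatch `switch` to learn that. I would add `@param tr reader positioned at the start of the add-identity request payload` (to be confirmed against the caller) and `@param checkConstraints true for SSH2_AGENTC_ADD_ID_CONSTRAINED: parse the remaining bytes as constraints and fail on any unknown one`. The method body runs past the end of this hunk.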
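Review bot: In the `-275,7 +278,25` hunk, `lifetime = tr.readUINT32();` stores an unsigned 32-bit wire value in a signed `int`, so a requested lifetime above 2^31-1 would presumably reach `authAgent.addIdentity` as a negative number. Whether an implementation then treats the key as never expiring or already expired is not defined anywhere on this page. The value arrives over the forwarded agent channel, so it should be validated before use: brace the `else if` branch and add `if (lifetime < 0) { os.write(SSH_AGENT_FAILURE); return; }` after the read. A repeated constraint byte also silently overwrites the earlier value. A lifetime constraint with fewer than four bytes left depends on how the enclosing `try` handles a read error; its `catch` is outside the hunk, so confirm it answers with `SSH_AGENT_FAILURE`.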