upstream: give ssh-keygen the ability to dump the contents of a

binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b
author: djm@openbsd.org <djm@openbsd.org> 2020-04-03 02:26:56 +0000
committer: Damien Miller <djm@mindrot.org> 2020-04-03 13:33:25 +1100
commit: 6ec7457171468da2bbd908b8cd63d298b0e049ea (patch)
tree: c61f384cbaa6cadb2c0b9de7632ef986f016e489
parent: af628b8a6c3ef403644d83d205c80ff188c97f0c (diff)
4 files changed, 107 insertions, 8 deletions
diff --git a/krl.c b/krl.c
index 03476dedd..9da7126e2 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.48 2020/04/03 02:26:56 djm Exp $ */
 #include "includes.h"
@@ -38,6 +38,7 @@
 #include "log.h"
 #include "digest.h"
 #include "bitmap.h"
+#include "utf8.h"
 #include "krl.h"
@@ -1355,3 +1356,94 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
                errno = oerrno;
        return r;
 }
+int
+krl_dump(struct ssh_krl *krl, FILE *f)
+{
+        struct sshkey *key = NULL;
+        struct revoked_blob *rb;
+        struct revoked_certs *rc;
+        struct revoked_serial *rs;
+        struct revoked_key_id *rki;
+        int r, ret = 0;
+        char *fp, timestamp[64];
+        /* Try to print in a KRL spec-compatible format */
+        format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
+        fprintf(f, "# KRL version %lld\n", krl->krl_version);
+        fprintf(f, "# Generated at %s\n", timestamp);
+        if (krl->comment != NULL && *krl->comment != '\0') {
+                r = INT_MAX;
+                asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
+                fprintf(f, "# Comment: %s\n", fp);
+                free(fp);
+        }
+        fputc('\n', f);
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
+                if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("Parse key in KRL: %s", ssh_err(r));
+                        continue;
+                }
+                if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+                    SSH_FP_DEFAULT)) == NULL) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("sshkey_fingerprint failed");
+                        continue;
+                }
+                fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+                free(fp);
+                free(key);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "hash: SHA256:%s\n", fp);
+                free(fp);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
+                /*
+                 * There is not KRL spec keyword for raw SHA1 hashes, so
+                 * print them as comments.
+                 */
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "# hash SHA1:%s\n", fp);
+                free(fp);
+        }
+        TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+                fputc('\n', f);
+                if (rc->ca_key == NULL)
+                        fprintf(f, "# Wildcard CA\n");
+                else {
+                        if ((fp = sshkey_fingerprint(rc->ca_key,
+                            SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
+                                ret = SSH_ERR_INVALID_FORMAT;
+                                error("sshkey_fingerprint failed");
+                                continue;
+                        }
+                        fprintf(f, "# CA key %s %s\n",
+                            sshkey_ssh_name(rc->ca_key), fp);
+                        free(fp);
+                }
+                RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
+                        if (rs->lo == rs->hi)
+                                fprintf(f, "serial: %lld\n", rs->lo);
+                        else {
+                                fprintf(f, "serial: %lld-%lld\n",
+                                    rs->lo, rs->hi);
+                        }
+                }
+                RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
+                        /*
+                         * We don't want key IDs with embedded newlines to
+                         * mess up the display.
+                         */
+                        r = INT_MAX;
+                        asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
+                        fprintf(f, "id: %s\n", fp);
+                        free(fp);
+                }
+        }
+        return ret;
+}
diff --git a/krl.h b/krl.h
index ce534a111..ca6d3f284 100644
--- a/krl.h
+++ b/krl.h
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.h,v 1.7 2019/06/21 04:21:04 djm Exp $ */
+/* $OpenBSD: krl.h,v 1.8 2020/04/03 02:26:56 djm Exp $ */
 #ifndef _KRL_H
 #define _KRL_H
@@ -61,6 +61,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
    const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
 int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
 int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
+int krl_dump(struct ssh_krl *krl, FILE *f);
 #endif /* _KRL_H */
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 629430972..059c1b034 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.202 2020/02/24 04:27:58 dtucker Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.203 2020/04/03 02:26:56 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 24 2020 $
+.Dd $Mdocdate: April 3 2020 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -135,6 +135,7 @@
 .Ar
 .Nm ssh-keygen
 .Fl Q
+.Op Fl l
 .Fl f Ar krl_file
 .Ar
 .Nm ssh-keygen
@@ -521,6 +522,9 @@ containing the private key, for the old passphrase, and twice for the
 new passphrase.
 .It Fl Q
 Test whether keys have been revoked in a KRL.
+If the
+.Fl l
+option is also specified then the contents of the KRL will be printed.
 .It Fl q
 Silence
 .Nm ssh-keygen .
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 0fa141cff..802fd25c2 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.404 2020/03/13 03:17:07 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.405 2020/04/03 02:26:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2439,7 +2439,7 @@ do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
 }
 static void
-do_check_krl(struct passwd *pw, int argc, char **argv)
+do_check_krl(struct passwd *pw, int print_krl, int argc, char **argv)
 {
        int i, r, ret = 0;
        char *comment;
@@ -2449,6 +2449,8 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
        if (*identity_file == '\0')
                fatal("KRL checking requires an input file");
        load_krl(identity_file, &krl);
+        if (print_krl)
+                krl_dump(krl, stdout);
        for (i = 0; i < argc; i++) {
                if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
                        fatal("Cannot load public key %s: %s",
@@ -3086,7 +3088,7 @@ usage(void)
            "       ssh-keygen -A [-f prefix_path]\n"
            "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
            "                  file ...\n"
-            "       ssh-keygen -Q -f krl_file file ...\n"
+            "       ssh-keygen -Q [-l] -f krl_file [file ...]\n"
            "       ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
            "       ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
            "       ssh-keygen -Y sign -f key_file -n namespace file ...\n"
@@ -3441,7 +3443,7 @@ main(int argc, char **argv)
                return (0);
        }
        if (check_krl) {
-                do_check_krl(pw, argc, argv);
+                do_check_krl(pw, print_fingerprint, argc, argv);
                return (0);
        }
        if (ca_key_path != NULL) {
author	djm@openbsd.org <djm@openbsd.org>	2020-04-03 02:26:56 +0000
committer	Damien Miller <djm@mindrot.org>	2020-04-03 13:33:25 +1100
commit	6ec7457171468da2bbd908b8cd63d298b0e049ea (patch)
tree	c61f384cbaa6cadb2c0b9de7632ef986f016e489
parent	af628b8a6c3ef403644d83d205c80ff188c97f0c (diff)

diff --git a/krl.c b/krl.c index 03476dedd..9da7126e2 100644 --- a/krl.c +++ b/krl.c
@@ -14,7 +14,7 @@
14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15	*/	15	*/
16		16
17	/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */	17	/* $OpenBSD: krl.c,v 1.48 2020/04/03 02:26:56 djm Exp $ */
18		18
19	#include "includes.h"	19	#include "includes.h"
20		20
@@ -38,6 +38,7 @@
38	#include "log.h"	38	#include "log.h"
39	#include "digest.h"	39	#include "digest.h"
40	#include "bitmap.h"	40	#include "bitmap.h"
		41	#include "utf8.h"
41		42
42	#include "krl.h"	43	#include "krl.h"
43		44
@@ -1355,3 +1356,94 @@ ssh_krl_file_contains_key(const char path, const struct sshkey key)
1355	errno = oerrno;	1356	errno = oerrno;
1356	return r;	1357	return r;
1357	}	1358	}
		1359
		1360	int
		1361	krl_dump(struct ssh_krl krl, FILE f)
		1362	{
		1363	struct sshkey *key = NULL;
		1364	struct revoked_blob *rb;
		1365	struct revoked_certs *rc;
		1366	struct revoked_serial *rs;
		1367	struct revoked_key_id *rki;
		1368	int r, ret = 0;
		1369	char *fp, timestamp[64];
		1370
		1371	/* Try to print in a KRL spec-compatible format */
		1372	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
		1373	fprintf(f, "# KRL version %lld\n", krl->krl_version);
		1374	fprintf(f, "# Generated at %s\n", timestamp);
		1375	if (krl->comment != NULL && *krl->comment != '\0') {
		1376	r = INT_MAX;
		1377	asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
		1378	fprintf(f, "# Comment: %s\n", fp);
		1379	free(fp);
		1380	}
		1381	fputc('\n', f);
		1382
		1383	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
		1384	if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
		1385	ret = SSH_ERR_INVALID_FORMAT;
		1386	error("Parse key in KRL: %s", ssh_err(r));
		1387	continue;
		1388	}
		1389	if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
		1390	SSH_FP_DEFAULT)) == NULL) {
		1391	ret = SSH_ERR_INVALID_FORMAT;
		1392	error("sshkey_fingerprint failed");
		1393	continue;
		1394	}
		1395	fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
		1396	free(fp);
		1397	free(key);
		1398	}
		1399	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
		1400	fp = tohex(rb->blob, rb->len);
		1401	fprintf(f, "hash: SHA256:%s\n", fp);
		1402	free(fp);
		1403	}
		1404	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
		1405	/*
		1406	* There is not KRL spec keyword for raw SHA1 hashes, so
		1407	* print them as comments.
		1408	*/
		1409	fp = tohex(rb->blob, rb->len);
		1410	fprintf(f, "# hash SHA1:%s\n", fp);
		1411	free(fp);
		1412	}
		1413
		1414	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
		1415	fputc('\n', f);
		1416	if (rc->ca_key == NULL)
		1417	fprintf(f, "# Wildcard CA\n");
		1418	else {
		1419	if ((fp = sshkey_fingerprint(rc->ca_key,
		1420	SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
		1421	ret = SSH_ERR_INVALID_FORMAT;
		1422	error("sshkey_fingerprint failed");
		1423	continue;
		1424	}
		1425	fprintf(f, "# CA key %s %s\n",
		1426	sshkey_ssh_name(rc->ca_key), fp);
		1427	free(fp);
		1428	}
		1429	RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
		1430	if (rs->lo == rs->hi)
		1431	fprintf(f, "serial: %lld\n", rs->lo);
		1432	else {
		1433	fprintf(f, "serial: %lld-%lld\n",
		1434	rs->lo, rs->hi);
		1435	}
		1436	}
		1437	RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
		1438	/*
		1439	* We don't want key IDs with embedded newlines to
		1440	* mess up the display.
		1441	*/
		1442	r = INT_MAX;
		1443	asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
		1444	fprintf(f, "id: %s\n", fp);
		1445	free(fp);
		1446	}
		1447	}
		1448	return ret;
		1449	}


diff --git a/krl.h b/krl.h index ce534a111..ca6d3f284 100644 --- a/krl.h +++ b/krl.h
@@ -14,7 +14,7 @@
14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15	*/	15	*/
16		16
17	/* $OpenBSD: krl.h,v 1.7 2019/06/21 04:21:04 djm Exp $ */	17	/* $OpenBSD: krl.h,v 1.8 2020/04/03 02:26:56 djm Exp $ */
18		18
19	#ifndef _KRL_H	19	#ifndef _KRL_H
20	#define _KRL_H	20	#define _KRL_H
@@ -61,6 +61,7 @@ int ssh_krl_from_blob(struct sshbuf buf, struct ssh_krl *krlp,
61	const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);	61	const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
62	int ssh_krl_check_key(struct ssh_krl krl, const struct sshkey key);	62	int ssh_krl_check_key(struct ssh_krl krl, const struct sshkey key);
63	int ssh_krl_file_contains_key(const char path, const struct sshkey key);	63	int ssh_krl_file_contains_key(const char path, const struct sshkey key);
		64	int krl_dump(struct ssh_krl krl, FILE f);
64		65
65	#endif /* _KRL_H */	66	#endif /* _KRL_H */
66		67


diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 629430972..059c1b034 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.202 2020/02/24 04:27:58 dtucker Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.203 2020/04/03 02:26:56 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: February 24 2020 $	38	.Dd $Mdocdate: April 3 2020 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -135,6 +135,7 @@
135	.Ar	135	.Ar
136	.Nm ssh-keygen	136	.Nm ssh-keygen
137	.Fl Q	137	.Fl Q
		138	.Op Fl l
138	.Fl f Ar krl_file	139	.Fl f Ar krl_file
139	.Ar	140	.Ar
140	.Nm ssh-keygen	141	.Nm ssh-keygen
@@ -521,6 +522,9 @@ containing the private key, for the old passphrase, and twice for the
521	new passphrase.	522	new passphrase.
522	.It Fl Q	523	.It Fl Q
523	Test whether keys have been revoked in a KRL.	524	Test whether keys have been revoked in a KRL.
		525	If the
		526	.Fl l
		527	option is also specified then the contents of the KRL will be printed.
524	.It Fl q	528	.It Fl q
525	Silence	529	Silence
526	.Nm ssh-keygen .	530	.Nm ssh-keygen .


diff --git a/ssh-keygen.c b/ssh-keygen.c index 0fa141cff..802fd25c2 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-keygen.c,v 1.404 2020/03/13 03:17:07 djm Exp $ */	1	/* $OpenBSD: ssh-keygen.c,v 1.405 2020/04/03 02:26:56 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2439,7 +2439,7 @@ do_gen_krl(struct passwd pw, int updating, const char ca_key_path,
2439	}	2439	}
2440		2440
2441	static void	2441	static void
2442	do_check_krl(struct passwd pw, int argc, char *argv)	2442	do_check_krl(struct passwd pw, int print_krl, int argc, char *argv)
2443	{	2443	{
2444	int i, r, ret = 0;	2444	int i, r, ret = 0;
2445	char *comment;	2445	char *comment;
@@ -2449,6 +2449,8 @@ do_check_krl(struct passwd pw, int argc, char *argv)
2449	if (*identity_file == '\0')	2449	if (*identity_file == '\0')
2450	fatal("KRL checking requires an input file");	2450	fatal("KRL checking requires an input file");
2451	load_krl(identity_file, &krl);	2451	load_krl(identity_file, &krl);
		2452	if (print_krl)
		2453	krl_dump(krl, stdout);
2452	for (i = 0; i < argc; i++) {	2454	for (i = 0; i < argc; i++) {
2453	if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)	2455	if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
2454	fatal("Cannot load public key %s: %s",	2456	fatal("Cannot load public key %s: %s",
@@ -3086,7 +3088,7 @@ usage(void)
3086	" ssh-keygen -A [-f prefix_path]\n"	3088	" ssh-keygen -A [-f prefix_path]\n"
3087	" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"	3089	" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
3088	" file ...\n"	3090	" file ...\n"
3089	" ssh-keygen -Q -f krl_file file ...\n"	3091	" ssh-keygen -Q [-l] -f krl_file [file ...]\n"
3090	" ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"	3092	" ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
3091	" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"	3093	" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
3092	" ssh-keygen -Y sign -f key_file -n namespace file ...\n"	3094	" ssh-keygen -Y sign -f key_file -n namespace file ...\n"
@@ -3441,7 +3443,7 @@ main(int argc, char **argv)
3441	return (0);	3443	return (0);
3442	}	3444	}
3443	if (check_krl) {	3445	if (check_krl) {
3444	do_check_krl(pw, argc, argv);	3446	do_check_krl(pw, print_fingerprint, argc, argv);
3445	return (0);	3447	return (0);
3446	}	3448	}
3447	if (ca_key_path != NULL) {	3449	if (ca_key_path != NULL) {