upstream: give ssh-keygen the ability to dump the contents of a

binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b
author: djm@openbsd.org <djm@openbsd.org> 2020-04-03 02:26:56 +0000
committer: Damien Miller <djm@mindrot.org> 2020-04-03 13:33:25 +1100
commit: 6ec7457171468da2bbd908b8cd63d298b0e049ea (patch)
tree: c61f384cbaa6cadb2c0b9de7632ef986f016e489 /krl.c
parent: af628b8a6c3ef403644d83d205c80ff188c97f0c (diff)
1 files changed, 93 insertions, 1 deletions
diff --git a/krl.c b/krl.c
index 03476dedd..9da7126e2 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.48 2020/04/03 02:26:56 djm Exp $ */
 #include "includes.h"
@@ -38,6 +38,7 @@
 #include "log.h"
 #include "digest.h"
 #include "bitmap.h"
+#include "utf8.h"
 #include "krl.h"
@@ -1355,3 +1356,94 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
                errno = oerrno;
        return r;
 }
+int
+krl_dump(struct ssh_krl *krl, FILE *f)
+{
+        struct sshkey *key = NULL;
+        struct revoked_blob *rb;
+        struct revoked_certs *rc;
+        struct revoked_serial *rs;
+        struct revoked_key_id *rki;
+        int r, ret = 0;
+        char *fp, timestamp[64];
+        /* Try to print in a KRL spec-compatible format */
+        format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
+        fprintf(f, "# KRL version %lld\n", krl->krl_version);
+        fprintf(f, "# Generated at %s\n", timestamp);
+        if (krl->comment != NULL && *krl->comment != '\0') {
+                r = INT_MAX;
+                asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
+                fprintf(f, "# Comment: %s\n", fp);
+                free(fp);
+        }
+        fputc('\n', f);
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
+                if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("Parse key in KRL: %s", ssh_err(r));
+                        continue;
+                }
+                if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+                    SSH_FP_DEFAULT)) == NULL) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("sshkey_fingerprint failed");
+                        continue;
+                }
+                fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+                free(fp);
+                free(key);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "hash: SHA256:%s\n", fp);
+                free(fp);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
+                /*
+                 * There is not KRL spec keyword for raw SHA1 hashes, so
+                 * print them as comments.
+                 */
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "# hash SHA1:%s\n", fp);
+                free(fp);
+        }
+        TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+                fputc('\n', f);
+                if (rc->ca_key == NULL)
+                        fprintf(f, "# Wildcard CA\n");
+                else {
+                        if ((fp = sshkey_fingerprint(rc->ca_key,
+                            SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
+                                ret = SSH_ERR_INVALID_FORMAT;
+                                error("sshkey_fingerprint failed");
+                                continue;
+                        }
+                        fprintf(f, "# CA key %s %s\n",
+                            sshkey_ssh_name(rc->ca_key), fp);
+                        free(fp);
+                }
+                RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
+                        if (rs->lo == rs->hi)
+                                fprintf(f, "serial: %lld\n", rs->lo);
+                        else {
+                                fprintf(f, "serial: %lld-%lld\n",
+                                    rs->lo, rs->hi);
+                        }
+                }
+                RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
+                        /*
+                         * We don't want key IDs with embedded newlines to
+                         * mess up the display.
+                         */
+                        r = INT_MAX;
+                        asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
+                        fprintf(f, "id: %s\n", fp);
+                        free(fp);
+                }
+        }
+        return ret;
+}
author	djm@openbsd.org <djm@openbsd.org>	2020-04-03 02:26:56 +0000
committer	Damien Miller <djm@mindrot.org>	2020-04-03 13:33:25 +1100
commit	6ec7457171468da2bbd908b8cd63d298b0e049ea (patch)
tree	c61f384cbaa6cadb2c0b9de7632ef986f016e489 /krl.c
parent	af628b8a6c3ef403644d83d205c80ff188c97f0c (diff)

diff --git a/krl.c b/krl.c index 03476dedd..9da7126e2 100644 --- a/krl.c +++ b/krl.c
@@ -14,7 +14,7 @@
14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15	*/	15	*/
16		16
17	/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */	17	/* $OpenBSD: krl.c,v 1.48 2020/04/03 02:26:56 djm Exp $ */
18		18
19	#include "includes.h"	19	#include "includes.h"
20		20
@@ -38,6 +38,7 @@
38	#include "log.h"	38	#include "log.h"
39	#include "digest.h"	39	#include "digest.h"
40	#include "bitmap.h"	40	#include "bitmap.h"
		41	#include "utf8.h"
41		42
42	#include "krl.h"	43	#include "krl.h"
43		44
@@ -1355,3 +1356,94 @@ ssh_krl_file_contains_key(const char path, const struct sshkey key)
1355	errno = oerrno;	1356	errno = oerrno;
1356	return r;	1357	return r;
1357	}	1358	}
		1359
		1360	int
		1361	krl_dump(struct ssh_krl krl, FILE f)
		1362	{
		1363	struct sshkey *key = NULL;
		1364	struct revoked_blob *rb;
		1365	struct revoked_certs *rc;
		1366	struct revoked_serial *rs;
		1367	struct revoked_key_id *rki;
		1368	int r, ret = 0;
		1369	char *fp, timestamp[64];
		1370
		1371	/* Try to print in a KRL spec-compatible format */
		1372	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
		1373	fprintf(f, "# KRL version %lld\n", krl->krl_version);
		1374	fprintf(f, "# Generated at %s\n", timestamp);
		1375	if (krl->comment != NULL && *krl->comment != '\0') {
		1376	r = INT_MAX;
		1377	asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
		1378	fprintf(f, "# Comment: %s\n", fp);
		1379	free(fp);
		1380	}
		1381	fputc('\n', f);
		1382
		1383	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
		1384	if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
		1385	ret = SSH_ERR_INVALID_FORMAT;
		1386	error("Parse key in KRL: %s", ssh_err(r));
		1387	continue;
		1388	}
		1389	if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
		1390	SSH_FP_DEFAULT)) == NULL) {
		1391	ret = SSH_ERR_INVALID_FORMAT;
		1392	error("sshkey_fingerprint failed");
		1393	continue;
		1394	}
		1395	fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
		1396	free(fp);
		1397	free(key);
		1398	}
		1399	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
		1400	fp = tohex(rb->blob, rb->len);
		1401	fprintf(f, "hash: SHA256:%s\n", fp);
		1402	free(fp);
		1403	}
		1404	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
		1405	/*
		1406	* There is not KRL spec keyword for raw SHA1 hashes, so
		1407	* print them as comments.
		1408	*/
		1409	fp = tohex(rb->blob, rb->len);
		1410	fprintf(f, "# hash SHA1:%s\n", fp);
		1411	free(fp);
		1412	}
		1413
		1414	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
		1415	fputc('\n', f);
		1416	if (rc->ca_key == NULL)
		1417	fprintf(f, "# Wildcard CA\n");
		1418	else {
		1419	if ((fp = sshkey_fingerprint(rc->ca_key,
		1420	SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
		1421	ret = SSH_ERR_INVALID_FORMAT;
		1422	error("sshkey_fingerprint failed");
		1423	continue;
		1424	}
		1425	fprintf(f, "# CA key %s %s\n",
		1426	sshkey_ssh_name(rc->ca_key), fp);
		1427	free(fp);
		1428	}
		1429	RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
		1430	if (rs->lo == rs->hi)
		1431	fprintf(f, "serial: %lld\n", rs->lo);
		1432	else {
		1433	fprintf(f, "serial: %lld-%lld\n",
		1434	rs->lo, rs->hi);
		1435	}
		1436	}
		1437	RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
		1438	/*
		1439	* We don't want key IDs with embedded newlines to
		1440	* mess up the display.
		1441	*/
		1442	r = INT_MAX;
		1443	asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
		1444	fprintf(f, "id: %s\n", fp);
		1445	free(fp);
		1446	}
		1447	}
		1448	return ret;
		1449	}