- djm@cvs.openbsd.org 2013/01/17 23:00:01

     [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@

1 files changed, 63 insertions, 0 deletions

diff --git a/krl.h b/krl.h
new file mode 100644
index 000000000..2c43f5bb2
--- /dev/null
+++ b/krl.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
+
+#ifndef _KRL_H
+#define _KRL_H
+
+/* Functions to manage key revocation lists */
+
+#define KRL_MAGIC               "SSHKRL\n\0"
+#define KRL_FORMAT_VERSION      1
+
+/* KRL section types */
+#define KRL_SECTION_CERTIFICATES        1
+#define KRL_SECTION_EXPLICIT_KEY        2
+#define KRL_SECTION_FINGERPRINT_SHA1    3
+#define KRL_SECTION_SIGNATURE           4
+
+/* KRL_SECTION_CERTIFICATES subsection types */
+#define KRL_SECTION_CERT_SERIAL_LIST    0x20
+#define KRL_SECTION_CERT_SERIAL_RANGE   0x21
+#define KRL_SECTION_CERT_SERIAL_BITMAP  0x22
+#define KRL_SECTION_CERT_KEY_ID         0x23
+
+struct ssh_krl;
+
+struct ssh_krl *ssh_krl_init(void);
+void ssh_krl_free(struct ssh_krl *krl);
+void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
+void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
+void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
+int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
+    u_int64_t serial);
+int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
+    u_int64_t lo, u_int64_t hi);
+int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
+    const char *key_id);
+int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key);
+int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key);
+int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key);
+int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
+    u_int nsign_keys);
+int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
+    const Key **sign_ca_keys, u_int nsign_ca_keys);
+int ssh_krl_check_key(struct ssh_krl *krl, const Key *key);
+int ssh_krl_file_contains_key(const char *path, const Key *key);
+
+#endif /* _KRL_H */
+