summaryrefslogtreecommitdiff
path: root/krl.h
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2013-01-18 11:44:04 +1100
committerDamien Miller <djm@mindrot.org>2013-01-18 11:44:04 +1100
commitf3747bf4014a450c9aaf1d88b010f6e579d10072 (patch)
tree0b1e1b497da13eb815e16a0f43be09e873e6a243 /krl.h
parentb26699bbadaffa1b1de2f6b0e175b77aba337de5 (diff)
- djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
Diffstat (limited to 'krl.h')
-rw-r--r--krl.h63
1 files changed, 63 insertions, 0 deletions
diff --git a/krl.h b/krl.h
new file mode 100644
index 000000000..2c43f5bb2
--- /dev/null
+++ b/krl.h
@@ -0,0 +1,63 @@
1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
18
19#ifndef _KRL_H
20#define _KRL_H
21
22/* Functions to manage key revocation lists */
23
24#define KRL_MAGIC "SSHKRL\n\0"
25#define KRL_FORMAT_VERSION 1
26
27/* KRL section types */
28#define KRL_SECTION_CERTIFICATES 1
29#define KRL_SECTION_EXPLICIT_KEY 2
30#define KRL_SECTION_FINGERPRINT_SHA1 3
31#define KRL_SECTION_SIGNATURE 4
32
33/* KRL_SECTION_CERTIFICATES subsection types */
34#define KRL_SECTION_CERT_SERIAL_LIST 0x20
35#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
36#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
37#define KRL_SECTION_CERT_KEY_ID 0x23
38
39struct ssh_krl;
40
41struct ssh_krl *ssh_krl_init(void);
42void ssh_krl_free(struct ssh_krl *krl);
43void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
44void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
45void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
46int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
47 u_int64_t serial);
48int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
49 u_int64_t lo, u_int64_t hi);
50int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
51 const char *key_id);
52int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key);
53int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key);
54int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key);
55int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
56 u_int nsign_keys);
57int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
58 const Key **sign_ca_keys, u_int nsign_ca_keys);
59int ssh_krl_check_key(struct ssh_krl *krl, const Key *key);
60int ssh_krl_file_contains_key(const char *path, const Key *key);
61
62#endif /* _KRL_H */
63