upstream commit

permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA; ok markus@
author: djm@openbsd.org <djm@openbsd.org> 2015-01-30 01:10:33 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-30 12:17:07 +1100
commit: 669aee994348468af8b4b2ebd29b602cf2860b22 (patch)
tree: 47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /ssh-keygen.c
parent: 7a2c368477e26575d0866247d3313da4256cb2b5 (diff)
1 files changed, 15 insertions, 11 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index b435498cb..2c6a56839 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.260 2015/01/30 00:59:19 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.261 2015/01/30 01:10:33 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1973,7 +1973,7 @@ load_krl(const char *path, struct ssh_krl **krlp)
 }
 static void
-update_krl_from_file(struct passwd *pw, const char *file,
+update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
    const struct sshkey *ca, struct ssh_krl *krl)
 {
        struct sshkey *key = NULL;
@@ -2015,7 +2015,7 @@ update_krl_from_file(struct passwd *pw, const char *file,
                if (*cp == '\0')
                        continue;
                if (strncasecmp(cp, "serial:", 7) == 0) {
-                        if (ca == NULL) {
+                        if (ca == NULL && !wild_ca) {
                                fatal("revoking certificates by serial number "
                                    "requires specification of a CA key");
                        }
@@ -2052,7 +2052,7 @@ update_krl_from_file(struct passwd *pw, const char *file,
                                    __func__);
                        }
                } else if (strncasecmp(cp, "id:", 3) == 0) {
-                        if (ca == NULL) {
+                        if (ca == NULL && !wild_ca) {
                                fatal("revoking certificates by key ID "
                                    "requires specification of a CA key");
                        }
@@ -2103,7 +2103,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
        struct ssh_krl *krl;
        struct stat sb;
        struct sshkey *ca = NULL;
-        int fd, i, r;
+        int fd, i, r, wild_ca = 0;
        char *tmp;
        struct sshbuf *kbuf;
@@ -2117,11 +2117,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
                        fatal("KRL \"%s\" does not exist", identity_file);
        }
        if (ca_key_path != NULL) {
-                tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
+                if (strcasecmp(ca_key_path, "none") == 0)
-                if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
+                        wild_ca = 1;
-                        fatal("Cannot load CA public key %s: %s",
+                else {
-                            tmp, ssh_err(r));
+                        tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
-                free(tmp);
+                        if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
+                                fatal("Cannot load CA public key %s: %s",
+                                    tmp, ssh_err(r));
+                        free(tmp);
+                }
        }
        if (updating)
@@ -2135,7 +2139,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
                ssh_krl_set_comment(krl, identity_comment);
        for (i = 0; i < argc; i++)
-                update_krl_from_file(pw, argv[i], ca, krl);
+                update_krl_from_file(pw, argv[i], wild_ca, ca, krl);
        if ((kbuf = sshbuf_new()) == NULL)
                fatal("sshbuf_new failed");
author	djm@openbsd.org <djm@openbsd.org>	2015-01-30 01:10:33 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-30 12:17:07 +1100
commit	669aee994348468af8b4b2ebd29b602cf2860b22 (patch)
tree	47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /ssh-keygen.c
parent	7a2c368477e26575d0866247d3313da4256cb2b5 (diff)