1 files changed, 96 insertions, 1 deletions
diff --git a/krl.c b/krl.c
index 03476dedd..c431f7047 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.50 2020/04/03 05:48:57 djm Exp $ */
 #include "includes.h"
@@ -38,6 +38,7 @@
 #include "log.h"
 #include "digest.h"
 #include "bitmap.h"
+#include "utf8.h"
 #include "krl.h"
@@ -1355,3 +1356,97 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
                errno = oerrno;
        return r;
 }
+int
+krl_dump(struct ssh_krl *krl, FILE *f)
+{
+        struct sshkey *key = NULL;
+        struct revoked_blob *rb;
+        struct revoked_certs *rc;
+        struct revoked_serial *rs;
+        struct revoked_key_id *rki;
+        int r, ret = 0;
+        char *fp, timestamp[64];
+        /* Try to print in a KRL spec-compatible format */
+        format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
+        fprintf(f, "# KRL version %llu\n",
+            (unsigned long long)krl->krl_version);
+        fprintf(f, "# Generated at %s\n", timestamp);
+        if (krl->comment != NULL && *krl->comment != '\0') {
+                r = INT_MAX;
+                asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
+                fprintf(f, "# Comment: %s\n", fp);
+                free(fp);
+        }
+        fputc('\n', f);
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
+                if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("Parse key in KRL: %s", ssh_err(r));
+                        continue;
+                }
+                if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+                    SSH_FP_DEFAULT)) == NULL) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        error("sshkey_fingerprint failed");
+                        continue;
+                }
+                fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+                free(fp);
+                free(key);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "hash: SHA256:%s\n", fp);
+                free(fp);
+        }
+        RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
+                /*
+                 * There is not KRL spec keyword for raw SHA1 hashes, so
+                 * print them as comments.
+                 */
+                fp = tohex(rb->blob, rb->len);
+                fprintf(f, "# hash SHA1:%s\n", fp);
+                free(fp);
+        }
+        TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+                fputc('\n', f);
+                if (rc->ca_key == NULL)
+                        fprintf(f, "# Wildcard CA\n");
+                else {
+                        if ((fp = sshkey_fingerprint(rc->ca_key,
+                            SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
+                                ret = SSH_ERR_INVALID_FORMAT;
+                                error("sshkey_fingerprint failed");
+                                continue;
+                        }
+                        fprintf(f, "# CA key %s %s\n",
+                            sshkey_ssh_name(rc->ca_key), fp);
+                        free(fp);
+                }
+                RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
+                        if (rs->lo == rs->hi) {
+                                fprintf(f, "serial: %llu\n",
+                                    (unsigned long long)rs->lo);
+                        } else {
+                                fprintf(f, "serial: %llu-%llu\n",
+                                    (unsigned long long)rs->lo,
+                                    (unsigned long long)rs->hi);
+                        }
+                }
+                RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
+                        /*
+                         * We don't want key IDs with embedded newlines to
+                         * mess up the display.
+                         */
+                        r = INT_MAX;
+                        asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
+                        fprintf(f, "id: %s\n", fp);
+                        free(fp);
+                }
+        }
+        return ret;
+}

diff --git a/krl.c b/krl.c index 03476dedd..c431f7047 100644 --- a/krl.c +++ b/krl.c
@@ -14,7 +14,7 @@
14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15	*/	15	*/
16		16
17	/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */	17	/* $OpenBSD: krl.c,v 1.50 2020/04/03 05:48:57 djm Exp $ */
18		18
19	#include "includes.h"	19	#include "includes.h"
20		20
@@ -38,6 +38,7 @@
38	#include "log.h"	38	#include "log.h"
39	#include "digest.h"	39	#include "digest.h"
40	#include "bitmap.h"	40	#include "bitmap.h"
		41	#include "utf8.h"
41		42
42	#include "krl.h"	43	#include "krl.h"
43		44
@@ -1355,3 +1356,97 @@ ssh_krl_file_contains_key(const char path, const struct sshkey key)
1355	errno = oerrno;	1356	errno = oerrno;
1356	return r;	1357	return r;
1357	}	1358	}
		1359
		1360	int
		1361	krl_dump(struct ssh_krl krl, FILE f)
		1362	{
		1363	struct sshkey *key = NULL;
		1364	struct revoked_blob *rb;
		1365	struct revoked_certs *rc;
		1366	struct revoked_serial *rs;
		1367	struct revoked_key_id *rki;
		1368	int r, ret = 0;
		1369	char *fp, timestamp[64];
		1370
		1371	/* Try to print in a KRL spec-compatible format */
		1372	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
		1373	fprintf(f, "# KRL version %llu\n",
		1374	(unsigned long long)krl->krl_version);
		1375	fprintf(f, "# Generated at %s\n", timestamp);
		1376	if (krl->comment != NULL && *krl->comment != '\0') {
		1377	r = INT_MAX;
		1378	asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
		1379	fprintf(f, "# Comment: %s\n", fp);
		1380	free(fp);
		1381	}
		1382	fputc('\n', f);
		1383
		1384	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
		1385	if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
		1386	ret = SSH_ERR_INVALID_FORMAT;
		1387	error("Parse key in KRL: %s", ssh_err(r));
		1388	continue;
		1389	}
		1390	if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
		1391	SSH_FP_DEFAULT)) == NULL) {
		1392	ret = SSH_ERR_INVALID_FORMAT;
		1393	error("sshkey_fingerprint failed");
		1394	continue;
		1395	}
		1396	fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
		1397	free(fp);
		1398	free(key);
		1399	}
		1400	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
		1401	fp = tohex(rb->blob, rb->len);
		1402	fprintf(f, "hash: SHA256:%s\n", fp);
		1403	free(fp);
		1404	}
		1405	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
		1406	/*
		1407	* There is not KRL spec keyword for raw SHA1 hashes, so
		1408	* print them as comments.
		1409	*/
		1410	fp = tohex(rb->blob, rb->len);
		1411	fprintf(f, "# hash SHA1:%s\n", fp);
		1412	free(fp);
		1413	}
		1414
		1415	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
		1416	fputc('\n', f);
		1417	if (rc->ca_key == NULL)
		1418	fprintf(f, "# Wildcard CA\n");
		1419	else {
		1420	if ((fp = sshkey_fingerprint(rc->ca_key,
		1421	SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
		1422	ret = SSH_ERR_INVALID_FORMAT;
		1423	error("sshkey_fingerprint failed");
		1424	continue;
		1425	}
		1426	fprintf(f, "# CA key %s %s\n",
		1427	sshkey_ssh_name(rc->ca_key), fp);
		1428	free(fp);
		1429	}
		1430	RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
		1431	if (rs->lo == rs->hi) {
		1432	fprintf(f, "serial: %llu\n",
		1433	(unsigned long long)rs->lo);
		1434	} else {
		1435	fprintf(f, "serial: %llu-%llu\n",
		1436	(unsigned long long)rs->lo,
		1437	(unsigned long long)rs->hi);
		1438	}
		1439	}
		1440	RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
		1441	/*
		1442	* We don't want key IDs with embedded newlines to
		1443	* mess up the display.
		1444	*/
		1445	r = INT_MAX;
		1446	asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
		1447	fprintf(f, "id: %s\n", fp);
		1448	free(fp);
		1449	}
		1450	}
		1451	return ret;
		1452	}