Diffstat (limited to 'krl.c')
-rw-r--r-- | krl.c | 97 |
1 files changed, 96 insertions, 1 deletions
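--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.50 2020/04/03 05:48:57 djm Exp $ */
 
 #include "includes.h"
 
@@ -38,6 +38,7 @@
 #include "log.h"
 #include "digest.h"
 #include "bitmap.h"
+#include "utf8.h"
 
 #include "krl.h"
 
@@ -1355,3 +1356,97 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
 	errno = oerrno;
 	return r;
 }
+
+int
+krl_dump(struct ssh_krl *krl, FILE *f)
+{
+	struct sshkey *key = NULL;
+	struct revoked_blob *rb;
+	struct revoked_certs *rc;
+	struct revoked_serial *rs;
+	struct revoked_key_id *rki;
+	int r, ret = 0;
+	char *fp, timestamp[64];
+
+	/* Try to print in a KRL spec-compatible format */
+	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
+	fprintf(f, "# KRL version %llu\n",
+	    (unsigned long long)krl->krl_version);
+	fprintf(f, "# Generated at %s\n", timestamp);
+	if (krl->comment != NULL && *krl->comment != '\0') {
+		r = INT_MAX;
+		asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
+		fprintf(f, "# Comment: %s\n", fp);
+		free(fp);
+	}
+	fputc('\n', f);
+
+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
+		if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
+			ret = SSH_ERR_INVALID_FORMAT;
+			error("Parse key in KRL: %s", ssh_err(r));
+			continue;
+		}
+		if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+		    SSH_FP_DEFAULT)) == NULL) {
+			ret = SSH_ERR_INVALID_FORMAT;
+			error("sshkey_fingerprint failed");
+			continue;
+		}
+		fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+		free(fp);
+		free(key);
+	}
+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
+		fp = tohex(rb->blob, rb->len);
+		fprintf(f, "hash: SHA256:%s\n", fp);
+		free(fp);
+	}
+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
+		/*
+		 * There is not KRL spec keyword for raw SHA1 hashes, so
+		 * print them as comments.
+		 */
+		fp = tohex(rb->blob, rb->len);
+		fprintf(f, "# hash SHA1:%s\n", fp);
+		free(fp);
+	}
+
+	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+		fputc('\n', f);
+		if (rc->ca_key == NULL)
+			fprintf(f, "# Wildcard CA\n");
+		else {
+			if ((fp = sshkey_fingerprint(rc->ca_key,
+			    SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
+				ret = SSH_ERR_INVALID_FORMAT;
+				error("sshkey_fingerprint failed");
+				continue;
+			}
+			fprintf(f, "# CA key %s %s\n",
+			    sshkey_ssh_name(rc->ca_key), fp);
+			free(fp);
+		}
+		RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
+			if (rs->lo == rs->hi) {
+				fprintf(f, "serial: %llu\n",
+				    (unsigned long long)rs->lo);
+			} else {
+				fprintf(f, "serial: %llu-%llu\n",
+				    (unsigned long long)rs->lo,
+				    (unsigned long long)rs->hi);
+			}
+		}
+		RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
+			/*
+			 * We don't want key IDs with embedded newlines to
+			 * mess up the display.
+			 */
+			r = INT_MAX;
+			asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
+			fprintf(f, "id: %s\n", fp);
+			free(fp);
+		}
+	}
+	return ret;
+}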
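Review bot: In the revoked_keys loop of krl_dump, `free(key)` releases only the outer `struct sshkey` that `sshkey_from_blob` allocated, not the key material it owns, and the `continue` taken when `sshkey_fingerprint` fails skips even that, so each iteration of a dump can leak; both sites should use the library destructor, i.e. `sshkey_free(key);` in place of `free(key);`, and an added `sshkey_free(key);` before the `continue` that follows `error("sshkey_fingerprint failed");`. The `asmprintf` calls in the comment and key-id branches are unchecked; if it can report failure without producing a string (I believe it may leave `*str` NULL — worth confirming against utf8.c, which this commit newly includes), `fprintf` would receive a NULL `%s` argument, so a `fp != NULL` guard before each of those `fprintf` calls is cheap insurance. The `fprintf` results are also never folded into `ret`, so a write error on `f` goes unreported; that may be acceptable for a dump helper, but a one-line comment stating it would save the next reader from assuming `ret` covers output errors.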