Bug 2313

Summary: Corrupt KRL file when using multiple CA.
Product: Portable OpenSSH Reporter: Peter <peter>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: djm
Priority: P5    
Version: 6.5p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2266    

Description Peter 2014-11-14 18:25:09 AEDT 
When I have a KRL containing revokations from multiple CA it gets corrupted some way. sshd cant read it.

This is what sshd says:
debug1: KRL version 0 generated at 20141114T080704
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: revoked_certs_for_ca_key: new CA RSA
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
buffer_get_string_ptr: bad string length 268032
parse_revoked_certs: buffer error
Invalid KRL, refusing public key authentication


I generated the KRL using two textfiles containing 
multiple serial: <serial> lines like this:
ssh-keygen -k -u -f revoked_keys.bin -s ca1.pub revoked_keys1
ssh-keygen -k -u -f revoked_keys.bin -s ca2.pub revoked_keys2

I have tried to remove the revoked_keys.bin and generate a new one without success. I even tried revoking from ca2 first and then ca1..
Comment 1 Damien Miller 2014-12-11 11:32:00 AEDT 
Fixed in -current and will be released in OpenSSH 6.8:

> commit 9f9fad0191028edc43d100d0ded39419b6895fdf
> Author: djm@openbsd.org <djm@openbsd.org>
> Date:   Mon Nov 17 00:21:40 2014 +0000
> 
>     upstream commit
>     
>     fix KRL generation when multiple CAs are in use
>     
>     We would generate an invalid KRL when revoking certs by serial
>     number for multiple CA keys due to a section being written out
>     twice.
>     
>     Also extend the regress test to catch this case by having it
>     produce a multi-CA KRL.
>     
>     Reported by peter AT pean.org
Comment 2 Damien Miller 2015-03-18 18:16:55 AEDT 
openssh-6.8 is released