Attachment 3367 Details for Bug 3132 – Support for dumping KRL contents via ssh-keygen

[patch] Support for dumping KRL contents via ssh-keygen

0001-support-for-dumping-KRL-contents.patch (text/plain), 7.82 KB, created by Damien Miller on 2020-03-13 18:35:31 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2020-03-13 18:35:31 AEDT

Size: 7.82 KB

patch

obsolete

>From a2fa385380546b42896f61097824c67c472c42db Mon Sep 17 00:00:00 2001
>From: Damien Miller <djm@mindrot.org>
>Date: Fri, 13 Mar 2020 18:31:33 +1100
>Subject: [PATCH] support for dumping KRL contents
>
>---
> krl.c                | 92 ++++++++++++++++++++++++++++++++++++++++++++
> krl.h                |  1 +
> ssh-add/Makefile     |  2 +-
> ssh-agent/Makefile   |  2 +-
> ssh-keygen.1         |  4 ++
> ssh-keygen.c         |  8 ++--
> ssh-keysign/Makefile |  2 +-
> utf8.c               | 14 +++++++
> utf8.h               |  3 ++
> 9 files changed, 122 insertions(+), 6 deletions(-)
>
>diff --git a/krl.c b/krl.c
>index dc9830e..1153fa1 100644
>--- a/krl.c
>+++ b/krl.c
>@@ -36,6 +36,7 @@
> #include "log.h"
> #include "digest.h"
> #include "bitmap.h"
>+#include "utf8.h"
> 
> #include "krl.h"
> 
>@@ -1353,3 +1354,94 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
> 		errno = oerrno;
> 	return r;
> }
>+
>+int
>+krl_dump(struct ssh_krl *krl, FILE *f)
>+{
>+	struct sshkey *key = NULL;
>+	struct revoked_blob *rb;
>+	struct revoked_certs *rc;
>+	struct revoked_serial *rs;
>+	struct revoked_key_id *rki;
>+	int r, ret = 0;
>+	char *fp, timestamp[64];
>+
>+	/* Try to print in a KRL spec-compatible format */
>+	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
>+	fprintf(f, "# KRL version %lld\n", krl->krl_version);
>+	fprintf(f, "# Generated at %s\n", timestamp);
>+	if (krl->comment != NULL && *krl->comment != '\0') {
>+		r = INT_MAX;
>+		asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
>+		fprintf(f, "# Comment: %s\n", fp);
>+		free(fp);
>+	}
>+	fputc('\n', f);
>+
>+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
>+		if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
>+			ret = SSH_ERR_INVALID_FORMAT;
>+			error("Parse key in KRL: %s", ssh_err(r));
>+			continue;
>+		}
>+		if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
>+		    SSH_FP_DEFAULT)) == NULL) {
>+			ret = SSH_ERR_INVALID_FORMAT;
>+			error("sshkey_fingerprint failed");
>+			continue;
>+		}
>+		fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
>+		free(fp);
>+		free(key);
>+	}
>+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
>+		fp = tohex(rb->blob, rb->len);
>+		fprintf(f, "hash: SHA256:%s\n", fp);
>+		free(fp);
>+	}
>+	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
>+		/*
>+		 * There is not KRL spec keyword for raw SHA1 hashes, so
>+		 * print them as comments.
>+		 */
>+		fp = tohex(rb->blob, rb->len);
>+		fprintf(f, "# hash SHA1:%s\n", fp);
>+		free(fp);
>+	}
>+
>+	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
>+		fputc('\n', f);
>+		if (rc->ca_key == NULL)
>+			fprintf(f, "# Wildcard CA\n");
>+		else {
>+			if ((fp = sshkey_fingerprint(rc->ca_key,
>+			    SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
>+				ret = SSH_ERR_INVALID_FORMAT;
>+				error("sshkey_fingerprint failed");
>+				continue;
>+			}
>+			fprintf(f, "# CA key %s %s\n",
>+			    sshkey_ssh_name(rc->ca_key), fp);
>+			free(fp);
>+		}
>+		RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
>+			if (rs->lo == rs->hi)
>+				fprintf(f, "serial: %lld\n", rs->lo);
>+			else {
>+				fprintf(f, "serial: %lld-%lld\n",
>+				    rs->lo, rs->hi);
>+			}
>+		}
>+		RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
>+			/*
>+			 * We don't want key IDs with embedded newlines to
>+			 * mess up the display.
>+			 */
>+			r = INT_MAX;
>+			asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
>+			fprintf(f, "id: %s\n", fp);
>+			free(fp);
>+		}
>+	}
>+	return ret;
>+}
>diff --git a/krl.h b/krl.h
>index ce534a1..c816878 100644
>--- a/krl.h
>+++ b/krl.h
>@@ -61,6 +61,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
>     const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
> int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
> int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
>+int krl_dump(struct ssh_krl *krl, FILE *f);
> 
> #endif /* _KRL_H */
> 
>diff --git a/ssh-add/Makefile b/ssh-add/Makefile
>index 93f9254..aca0b30 100644
>--- a/ssh-add/Makefile
>+++ b/ssh-add/Makefile
>@@ -3,7 +3,7 @@
> .PATH:		${.CURDIR}/..
> 
> SRCS=	ssh-add.c
>-SRCS+=	authfd.c cleanup.c fatal.c readpass.c
>+SRCS+=	authfd.c cleanup.c fatal.c readpass.c utf8.c
> SRCS+=	${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
> SRCS+=	${SRCS_SK_CLIENT}
> 
>diff --git a/ssh-agent/Makefile b/ssh-agent/Makefile
>index a263c18..7e595d8 100644
>--- a/ssh-agent/Makefile
>+++ b/ssh-agent/Makefile
>@@ -3,7 +3,7 @@
> .PATH:		${.CURDIR}/..
> 
> SRCS=	ssh-agent.c ${SRCS_PKCS11_CLIENT}
>-SRCS+=	compat.c fatal.c readpass.c
>+SRCS+=	compat.c fatal.c readpass.c utf8.c
> SRCS+=	${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
> SRCS+=	${SRCS_SK_CLIENT}
> 
>diff --git a/ssh-keygen.1 b/ssh-keygen.1
>index 6294309..eb0829f 100644
>--- a/ssh-keygen.1
>+++ b/ssh-keygen.1
>@@ -135,6 +135,7 @@
> .Ar
> .Nm ssh-keygen
> .Fl Q
>+.Op Fl l
> .Fl f Ar krl_file
> .Ar
> .Nm ssh-keygen
>@@ -521,6 +522,9 @@ containing the private key, for the old passphrase, and twice for the
> new passphrase.
> .It Fl Q
> Test whether keys have been revoked in a KRL.
>+If the
>+.Fl l
>+option is also specified then the contents of the KRL will be printed.
> .It Fl q
> Silence
> .Nm ssh-keygen .
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index 7291fea..8e55a28 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
>@@ -2417,7 +2417,7 @@ do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
> }
> 
> static void
>-do_check_krl(struct passwd *pw, int argc, char **argv)
>+do_check_krl(struct passwd *pw, int print_krl, int argc, char **argv)
> {
> 	int i, r, ret = 0;
> 	char *comment;
>@@ -2427,6 +2427,8 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
> 	if (*identity_file == '\0')
> 		fatal("KRL checking requires an input file");
> 	load_krl(identity_file, &krl);
>+	if (print_krl)
>+		krl_dump(krl, stdout);
> 	for (i = 0; i < argc; i++) {
> 		if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
> 			fatal("Cannot load public key %s: %s",
>@@ -3064,7 +3066,7 @@ usage(void)
> 	    "       ssh-keygen -A [-f prefix_path]\n"
> 	    "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
> 	    "                  file ...\n"
>-	    "       ssh-keygen -Q -f krl_file file ...\n"
>+	    "       ssh-keygen -Q [-l] -f krl_file [file ...]\n"
> 	    "       ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
> 	    "       ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
> 	    "       ssh-keygen -Y sign -f key_file -n namespace file ...\n"
>@@ -3416,7 +3418,7 @@ main(int argc, char **argv)
> 		return (0);
> 	}
> 	if (check_krl) {
>-		do_check_krl(pw, argc, argv);
>+		do_check_krl(pw, print_fingerprint, argc, argv);
> 		return (0);
> 	}
> 	if (ca_key_path != NULL) {
>diff --git a/ssh-keysign/Makefile b/ssh-keysign/Makefile
>index 7505ccd..651f51c 100644
>--- a/ssh-keysign/Makefile
>+++ b/ssh-keysign/Makefile
>@@ -4,7 +4,7 @@
> 
> SRCS=	ssh-keysign.c readconf.c compat.c
> SRCS+=	cleanup.c fatal.c
>-SRCS+=	uidswap.c
>+SRCS+=	uidswap.c utf8.c
> SRCS+=	${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_PKT} \
> 	${SRCS_UTL} ${SRCS_SK_CLIENT}
> PROG=	ssh-keysign
>diff --git a/utf8.c b/utf8.c
>index 2b49bba..ca0c31b 100644
>--- a/utf8.c
>+++ b/utf8.c
>@@ -246,6 +246,20 @@ snmprintf(char *str, size_t sz, int *wp, const char *fmt, ...)
> 	return ret;
> }
> 
>+int
>+asmprintf(char **outp, size_t sz, int *wp, const char *fmt, ...)
>+{
>+	va_list	 ap;
>+	int	 ret;
>+
>+	*outp = NULL;
>+	va_start(ap, fmt);
>+	ret = vasnmprintf(outp, sz, wp, fmt, ap);
>+	va_end(ap);
>+
>+	return ret;
>+}
>+
> /*
>  * To stay close to the standard interfaces, the following functions
>  * return the number of non-NUL bytes written.
>diff --git a/utf8.h b/utf8.h
>index 43ce1d5..4acb6d1 100644
>--- a/utf8.h
>+++ b/utf8.h
>@@ -22,3 +22,6 @@ int	 fmprintf(FILE *, const char *, ...)
> int	 vfmprintf(FILE *, const char *, va_list);
> int	 snmprintf(char *, size_t, int *, const char *, ...)
> 	     __attribute__((format(printf, 4, 5)));
>+int	 asmprintf(char **, size_t, int *, const char *, ...)
>+	     __attribute__((format(printf, 4, 5)));
>+
>-- 
>2.25.1
>

Flags:

dtucker: ok+

Actions: View | Diff

Attachments on bug 3132: 3367