Bugzilla – Attachment 3367 Details for
Bug 3132
No command to list the content of an SSH KRL
[patch]
Support for dumping KRL contents via ssh-keygen
0001-support-for-dumping-KRL-contents.patch (text/plain), 7.82 KB, created by
Damien Miller
on 2020-03-13 18:35:31 AEDT
Description:
Support for dumping KRL contents via ssh-keygen
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2020-03-13 18:35:31 AEDT
Size:
7.82 KB
patch
obsolete
>From a2fa385380546b42896f61097824c67c472c42db Mon Sep 17 00:00:00 2001
>From: Damien Miller <djm@mindrot.org>
>Date: Fri, 13 Mar 2020 18:31:33 +1100
>Subject: [PATCH] support for dumping KRL contents
>
>---
> krl.c | 92 ++++++++++++++++++++++++++++++++++++++++++++
> krl.h | 1 +
> ssh-add/Makefile | 2 +-
> ssh-agent/Makefile | 2 +-
> ssh-keygen.1 | 4 ++
> ssh-keygen.c | 8 ++--
> ssh-keysign/Makefile | 2 +-
> utf8.c | 14 +++++++
> utf8.h | 3 ++
> 9 files changed, 122 insertions(+), 6 deletions(-)
>
>diff --git a/krl.c b/krl.c
>index dc9830e..1153fa1 100644
>--- a/krl.c
>+++ b/krl.c
>@@ -36,6 +36,7 @@
> #include "log.h"
> #include "digest.h"
> #include "bitmap.h"
>+#include "utf8.h"
> 
> #include "krl.h"
> 
>@@ -1353,3 +1354,94 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
> errno = oerrno;
> return r;
> }
>+
>+int
>+krl_dump(struct ssh_krl *krl, FILE *f)
>+{
>+ struct sshkey *key = NULL;
>+ struct revoked_blob *rb;
>+ struct revoked_certs *rc;
>+ struct revoked_serial *rs;
>+ struct revoked_key_id *rki;
>+ int r, ret = 0;
>+ char *fp, timestamp[64];
>+
>+ /* Try to print in a KRL spec-compatible format */
>+ format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
>+ fprintf(f, "# KRL version %lld\n", krl->krl_version);
>+ fprintf(f, "# Generated at %s\n", timestamp);
>+ if (krl->comment != NULL && *krl->comment != '\0') {
>+ r = INT_MAX;
>+ asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
>+ fprintf(f, "# Comment: %s\n", fp);
>+ free(fp);
>+ }
>+ fputc('\n', f);
>+
>+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
>+ if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
>+ ret = SSH_ERR_INVALID_FORMAT;
>+ error("Parse key in KRL: %s", ssh_err(r));
>+ continue;
>+ }
>+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
>+ SSH_FP_DEFAULT)) == NULL) {
>+ ret = SSH_ERR_INVALID_FORMAT;
>+ error("sshkey_fingerprint failed");
>+ continue;
>+ }
>+ fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
>+ free(fp);
>+ free(key);
>+ }
>+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
>+ fp = tohex(rb->blob, rb->len);
>+ fprintf(f, "hash: SHA256:%s\n", fp);
>+ free(fp);
>+ }
>+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
>+ /*
>+ * There is not KRL spec keyword for raw SHA1 hashes, so
>+ * print them as comments.
>+ */
>+ fp = tohex(rb->blob, rb->len);
>+ fprintf(f, "# hash SHA1:%s\n", fp);
>+ free(fp);
>+ }
>+
>+ TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
>+ fputc('\n', f);
>+ if (rc->ca_key == NULL)
>+ fprintf(f, "# Wildcard CA\n");
>+ else {
>+ if ((fp = sshkey_fingerprint(rc->ca_key,
>+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
>+ ret = SSH_ERR_INVALID_FORMAT;
>+ error("sshkey_fingerprint failed");
>+ continue;
>+ }
>+ fprintf(f, "# CA key %s %s\n",
>+ sshkey_ssh_name(rc->ca_key), fp);
>+ free(fp);
>+ }
>+ RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
>+ if (rs->lo == rs->hi)
>+ fprintf(f, "serial: %lld\n", rs->lo);
>+ else {
>+ fprintf(f, "serial: %lld-%lld\n",
>+ rs->lo, rs->hi);
>+ }
>+ }
>+ RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
>+ /*
>+ * We don't want key IDs with embedded newlines to
>+ * mess up the display.
>+ */
>+ r = INT_MAX;
>+ asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
>+ fprintf(f, "id: %s\n", fp);
>+ free(fp);
>+ }
>+ }
>+ return ret;
>+}
>diff --git a/krl.h b/krl.h
>index ce534a1..c816878 100644
>--- a/krl.h
>+++ b/krl.h
>@@ -61,6 +61,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
> const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
> int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
> int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
>+int krl_dump(struct ssh_krl *krl, FILE *f);
> 
> #endif /* _KRL_H */
> 
>diff --git a/ssh-add/Makefile b/ssh-add/Makefile
>index 93f9254..aca0b30 100644
>--- a/ssh-add/Makefile
>+++ b/ssh-add/Makefile
>@@ -3,7 +3,7 @@
> .PATH: ${.CURDIR}/..
> 
> SRCS= ssh-add.c
>-SRCS+= authfd.c cleanup.c fatal.c readpass.c
>+SRCS+= authfd.c cleanup.c fatal.c readpass.c utf8.c
> SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
> SRCS+= ${SRCS_SK_CLIENT}
> 
>diff --git a/ssh-agent/Makefile b/ssh-agent/Makefile
>index a263c18..7e595d8 100644
>--- a/ssh-agent/Makefile
>+++ b/ssh-agent/Makefile
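Review bot: In the `# Comment:` block and the `id:` loop the return value of `asmprintf()` is ignored, yet the new `asmprintf()` in utf8.c sets `*outp = NULL` before calling `vasnmprintf()`, so on failure `fp` is NULL when it reaches `fprintf(f, "# Comment: %s\n", fp)` and passing NULL to `%s` is undefined behaviour; check it, e.g. `if (asmprintf(&fp, INT_MAX, &r, "%s", krl->comment) < 0 || fp == NULL) fatal("%s: asmprintf failed", __func__);`, or report with `error()` and skip the line as the loops already do for fingerprint failures. In the `revoked_keys` loop the `sshkey_fingerprint()` failure path hits `continue` without releasing `key`, and the success path uses plain `free(key)`; a `struct sshkey` owns nested allocations, so both paths should presumably go through `sshkey_free(key)` (not visible in this hunk, confirm against sshkey.h). The `%lld` conversions for `krl->krl_version` and `rs->lo`/`rs->hi` look like a signed/unsigned mismatch if those fields are `u_int64_t` as the rest of krl.c suggests; `%llu` with an `(unsigned long long)` cast is the portable form. The comment `There is not KRL spec keyword for raw SHA1 hashes` should read `There is no KRL spec keyword for raw SHA1 hashes`.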
>@@ -3,7 +3,7 @@
> .PATH: ${.CURDIR}/..
> 
> SRCS= ssh-agent.c ${SRCS_PKCS11_CLIENT}
>-SRCS+= compat.c fatal.c readpass.c
>+SRCS+= compat.c fatal.c readpass.c utf8.c
> SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
> SRCS+= ${SRCS_SK_CLIENT}
> 
>diff --git a/ssh-keygen.1 b/ssh-keygen.1
>index 6294309..eb0829f 100644
>--- a/ssh-keygen.1
>+++ b/ssh-keygen.1
>@@ -135,6 +135,7 @@
> .Ar
> .Nm ssh-keygen
> .Fl Q
>+.Op Fl l
> .Fl f Ar krl_file
> .Ar
> .Nm ssh-keygen
>@@ -521,6 +522,9 @@ containing the private key, for the old passphrase, and twice for the
> new passphrase.
> .It Fl Q
> Test whether keys have been revoked in a KRL.
>+If the
>+.Fl l
>+option is also specified then the contents of the KRL will be printed.
> .It Fl q
> Silence
> .Nm ssh-keygen .
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index 7291fea..8e55a28 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
>@@ -2417,7 +2417,7 @@ do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
> }
> 
> static void
>-do_check_krl(struct passwd *pw, int argc, char **argv)
>+do_check_krl(struct passwd *pw, int print_krl, int argc, char **argv)
> {
> int i, r, ret = 0;
> char *comment;
>@@ -2427,6 +2427,8 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
> if (*identity_file == '\0')
> fatal("KRL checking requires an input file");
> load_krl(identity_file, &krl);
>+ if (print_krl)
>+ krl_dump(krl, stdout);
> for (i = 0; i < argc; i++) {
> if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
> fatal("Cannot load public key %s: %s",
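Review bot: The result of `krl_dump(krl, stdout)` is discarded, but krl_dump returns `SSH_ERR_INVALID_FORMAT` when a revoked key blob fails to parse or fingerprint (see the krl.c hunk), so a corrupt KRL prints a partial listing and the command still exits successfully unless one of the listed files happens to be revoked. Consider `if (print_krl && krl_dump(krl, stdout) != 0) ret = 1;` so the exit status reflects the damage; the rest of do_check_krl, including how `ret` reaches the exit status, lies outside this hunk, so confirm that before relying on it. Separately, the usage hunk now advertises `[file ...]` as optional regardless of `-l`, yet nothing in the new code rejects `ssh-keygen -Q -f krl_file` with no files and no `-l`, which would silently succeed having checked nothing; a guard such as `if (argc == 0 && !print_krl) fatal("KRL checking requires at least one key file");` after the dump would close that.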
>@@ -3064,7 +3066,7 @@ usage(void)
> " ssh-keygen -A [-f prefix_path]\n"
> " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
> " file ...\n"
>- " ssh-keygen -Q -f krl_file file ...\n"
>+ " ssh-keygen -Q [-l] -f krl_file [file ...]\n"
> " ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
> " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
> " ssh-keygen -Y sign -f key_file -n namespace file ...\n"
>@@ -3416,7 +3418,7 @@ main(int argc, char **argv)
> return (0);
> }
> if (check_krl) {
>- do_check_krl(pw, argc, argv);
>+ do_check_krl(pw, print_fingerprint, argc, argv);
> return (0);
> }
> if (ca_key_path != NULL) {
>diff --git a/ssh-keysign/Makefile b/ssh-keysign/Makefile
>index 7505ccd..651f51c 100644
>--- a/ssh-keysign/Makefile
>+++ b/ssh-keysign/Makefile
>@@ -4,7 +4,7 @@
> 
> SRCS= ssh-keysign.c readconf.c compat.c
> SRCS+= cleanup.c fatal.c
>-SRCS+= uidswap.c
>+SRCS+= uidswap.c utf8.c
> SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_PKT} \
> ${SRCS_UTL} ${SRCS_SK_CLIENT}
> PROG= ssh-keysign
>diff --git a/utf8.c b/utf8.c
>index 2b49bba..ca0c31b 100644
>--- a/utf8.c
>+++ b/utf8.c
>@@ -246,6 +246,20 @@ snmprintf(char *str, size_t sz, int *wp, const char *fmt, ...)
> return ret;
> }
> 
>+int
>+asmprintf(char **outp, size_t sz, int *wp, const char *fmt, ...)
>+{
>+ va_list ap;
>+ int ret;
>+
>+ *outp = NULL;
>+ va_start(ap, fmt);
>+ ret = vasnmprintf(outp, sz, wp, fmt, ap);
>+ va_end(ap);
>+
>+ return ret;
>+}
>+
> /*
> * To stay close to the standard interfaces, the following functions
> * return the number of non-NUL bytes written.
>diff --git a/utf8.h b/utf8.h
>index 43ce1d5..4acb6d1 100644
>--- a/utf8.h
>+++ b/utf8.h
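Review bot: `asmprintf()` is the only allocating member of the mprintf family in utf8.c and is added without a comment, although the functions that follow it get a block comment; a reader cannot tell from the definition that `*outp` is heap-allocated and owned by the caller, that it is deliberately left NULL when `vasnmprintf()` fails, or what `sz` bounds when the function sizes the buffer itself. Suggest a header comment above the definition along the lines of `/* Like snmprintf() but allocates the result. On return *outp is either a malloc'd string the caller must free() or NULL on failure; sz bounds the output length and *wp has the same in/out width meaning as for snmprintf(). */` (the sz/wp semantics are inferred from the snmprintf neighbour, confirm against vasnmprintf). The `__attribute__((format(printf, 4, 5)))` indices declared in the utf8.h hunk match this signature.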
>@@ -22,3 +22,6 @@ int fmprintf(FILE *, const char *, ...)
> int vfmprintf(FILE *, const char *, va_list);
> int snmprintf(char *, size_t, int *, const char *, ...)
> __attribute__((format(printf, 4, 5)));
>+int asmprintf(char **, size_t, int *, const char *, ...)
>+ __attribute__((format(printf, 4, 5)));
>+
>--
>2.25.1
>
Flags:
dtucker
:
ok+