Bug 3132

Summary: No command to list the content of an SSH KRL
Product: Portable OpenSSH
Reporter: rik.theys
Component: ssh-keygen
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: ahmedsayeed1982, djm, dtucker
Priority: P5
Version: 8.2p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 3117
Attachments:
Description: Support for dumping KRL contents via ssh-keygen    Flags: dtucker: ok+

Description rik.theys 2020-03-09 23:23:02 AEDT
Hi,

The ssh-keygen command allows generation of a KRL in a binary format. It also has a command line option (-Q) to check if a specific certificate/public key is on the KRL.

I did not find any command that will display the full content of a KRL to see which certificates/serial nr/hashes are on the revocation list.

It would be nice to have such a command so we can easily check which certificates have been revoked in the past.

Regards,
Rik
Comment 1 Damien Miller 2020-03-13 18:35:31 AEDT
Created attachment 3367 [details]
Support for dumping KRL contents via ssh-keygen

This patch adds support for dumping KRL contents via "ssh-keygen -Qlf /path/krl"

The dump format is similar to the KRL specification format described in ssh-keygen(1)'s KEY REVOCATION section. Some things we need to print don't fit the format, so I print them as comments.

Example:

> $ ssh-keygen -lQf obj/krl-all     
> # KRL version 0
> # Generated at 20200313T181736
> 
> hash: SHA256:SHA256:s8ltKq+ldDA2KIlB5dqI0BfEI4UyV+pJujwg6Q2uKIU # ssh-dss
> hash: SHA256:SHA256:zbEIKMbhOkp/jZWE/cW67PnEwSyv0Oju1c4PH1N70/k # ssh-ed25519
> hash: SHA256:SHA256:VZS9t21+vjrGDece9Pc6i23kPcVw5QsVOtxBCuIOyRw # ecdsa-sha2-nistp256
> hash: SHA256:SHA256:jHnudyvRBF93GK/jA9NO7wpUd5emyeCq9NlIEI6dVQA # sk-ecdsa-sha2-nistp256@openssh.com
> # CA key ssh-ed25519 SHA256:7Y4hOrk8kHvyTeXl+VU/zwD28qqCK9e5M35LTwe0OpM
> serial: 1
> serial: 4
> serial: 90
> serial: 500-799
> serial: 999
> serial: 10000-20000
> id: revoked 795
> id: revoked 796
> id: revoked 797
> id: revoked 798
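The dump above is produced by reading the binary KRL structure that ssh-keygen writes. As an added illustration (not part of this bug or of OpenSSH's own code), the following Python reads that structure according to the layout in OpenSSH's PROTOCOL.krl (8-byte magic, format version 1, uint64 KRL version/timestamp/flags, reserved and comment strings, then type-tagged sections whose bodies are length-prefixed) and renders it in a format modelled on the one shown in the comment. The sample KRL is constructed in memory by a helper with dummy key blobs and a fixed timestamp; it is not a file generated by ssh-keygen. Simplifications, stated as assumptions: the timestamp is printed in UTC, entries are printed in file order rather than coalesced and sorted, and a signature section is reported but not verified.

```python
"""Minimal reader for the OpenSSH binary KRL format (layout per PROTOCOL.krl).
Added example; assumes the section/subsection type codes listed below."""
import base64
import hashlib
import struct
import time

KRL_MAGIC = b"SSHKRL\n\0"
KRL_FORMAT_VERSION = 1
# Top-level section types, then certificate subsection types (PROTOCOL.krl).
SECT_CERTIFICATES, SECT_EXPLICIT_KEY, SECT_FP_SHA1, SECT_SIGNATURE, SECT_FP_SHA256 = 1, 2, 3, 4, 5
CERT_SERIAL_LIST, CERT_SERIAL_RANGE, CERT_SERIAL_BITMAP, CERT_KEY_ID = 0x20, 0x21, 0x22, 0x23


class Reader:
    """Cursor over SSH wire-format data: big-endian integers, uint32-length strings."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):          # never read past the buffer
            raise ValueError("truncated or malformed KRL")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def eof(self): return self.pos >= len(self.data)


def b64(raw):                                      # ssh-keygen style: no '=' padding
    return base64.b64encode(raw).decode().rstrip("=")


def key_type(blob):                                # first string of a public key blob
    return Reader(blob).string().decode()


def parse_krl(data):
    """Return header fields plus a list of revocation entries, in file order."""
    r = Reader(data)
    if r.take(8) != KRL_MAGIC:
        raise ValueError("not a KRL (bad magic)")
    fmt = r.u32()
    if fmt != KRL_FORMAT_VERSION:
        raise ValueError("unsupported KRL format version %d" % fmt)
    krl = {"version": r.u64(), "generated": r.u64(), "flags": r.u64(), "entries": []}
    r.string()                                     # reserved
    krl["comment"] = r.string().decode(errors="replace")
    while not r.eof():
        stype, body = r.u8(), Reader(r.string())   # unknown section types are skipped whole
        if stype == SECT_CERTIFICATES:
            ca_blob = body.string()
            body.string()                          # reserved
            krl["entries"].append(("ca", key_type(ca_blob), "SHA256:" + b64(hashlib.sha256(ca_blob).digest())))
            while not body.eof():
                ctype, sub = body.u8(), Reader(body.string())
                if ctype == CERT_SERIAL_LIST:      # repeated uint64 serials
                    while not sub.eof():
                        n = sub.u64()
                        krl["entries"].append(("serial", n, n))
                elif ctype == CERT_SERIAL_RANGE:   # uint64 min, uint64 max (inclusive)
                    krl["entries"].append(("serial", sub.u64(), sub.u64()))
                elif ctype == CERT_SERIAL_BITMAP:  # uint64 offset, mpint bitmap; bit i => offset+i
                    base, bits, i = sub.u64(), int.from_bytes(sub.string(), "big"), 0
                    while bits >> i:
                        if (bits >> i) & 1:
                            krl["entries"].append(("serial", base + i, base + i))
                        i += 1
                elif ctype == CERT_KEY_ID:         # repeated string key IDs
                    while not sub.eof():
                        krl["entries"].append(("id", sub.string().decode(errors="replace")))
        elif stype == SECT_EXPLICIT_KEY:           # repeated public key blobs
            while not body.eof():
                blob = body.string()
                krl["entries"].append(("key", key_type(blob), b64(blob)))
        elif stype == SECT_FP_SHA256:              # packed 32-byte digests
            while not body.eof():
                krl["entries"].append(("hash", "SHA256:" + b64(body.take(32))))
        elif stype == SECT_FP_SHA1:                # packed 20-byte digests
            while not body.eof():
                krl["entries"].append(("hash", "SHA1:" + b64(body.take(20))))
        elif stype == SECT_SIGNATURE:              # string sig_key, string signature (not verified here)
            krl["entries"].append(("signature", key_type(body.string())))
    return krl


def dump_krl(krl):
    """Render entries one per line, modelled on the ssh-keygen -Ql output above."""
    lines = ["# KRL version %d" % krl["version"],
             "# Generated at " + time.strftime("%Y%m%dT%H%M%S", time.gmtime(krl["generated"]))]
    if krl["comment"]:
        lines.append("# Comment: " + krl["comment"])
    for e in krl["entries"]:
        if e[0] == "ca":
            lines.append("# CA key %s %s" % (e[1], e[2]))
        elif e[0] == "serial":
            lines.append("serial: %d" % e[1] if e[1] == e[2] else "serial: %d-%d" % (e[1], e[2]))
        elif e[0] == "id":
            lines.append("id: " + e[1])
        elif e[0] == "key":
            lines.append("key: %s %s" % (e[1], e[2]))
        elif e[0] == "hash":
            lines.append("hash: " + e[1])
        elif e[0] == "signature":
            lines.append("# signed by %s key (signature not verified)" % e[1])
    return "\n".join(lines)


def _s(raw): return struct.pack(">I", len(raw)) + raw
def _sect(t, body): return bytes([t]) + _s(body)


def build_sample_krl():
    """Constructed sample (dummy key blobs, fixed timestamp), not ssh-keygen output."""
    ca = _s(b"ssh-ed25519") + _s(bytes(32))
    revoked_key = _s(b"ssh-ed25519") + _s(bytes([1]) * 32)
    certs = (_s(ca) + _s(b"")
             + _sect(CERT_SERIAL_LIST, struct.pack(">QQ", 1, 4))
             + _sect(CERT_SERIAL_RANGE, struct.pack(">QQ", 500, 799))
             + _sect(CERT_SERIAL_BITMAP, struct.pack(">Q", 90) + _s(b"\x01"))   # bit 0 -> serial 90
             + _sect(CERT_KEY_ID, _s(b"revoked 795") + _s(b"revoked 796")))
    hdr = (KRL_MAGIC + struct.pack(">I", KRL_FORMAT_VERSION)
           + struct.pack(">QQQ", 0, 1584084000, 0) + _s(b"") + _s(b"constructed example"))
    return (hdr + _sect(SECT_CERTIFICATES, certs) + _sect(SECT_EXPLICIT_KEY, _s(revoked_key))
            + _sect(SECT_FP_SHA256, hashlib.sha256(b"some other key blob").digest()))


if __name__ == "__main__":
    print(dump_krl(parse_krl(build_sample_krl())))
```

Every section and subsection body is length-prefixed, so the reader can skip section types it does not understand without losing its place, and every read is bounds-checked so a truncated file fails with an error rather than an exception from deep inside the parser. To read a real file, pass `open(path, "rb").read()` to `parse_krl`.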
Comment 2 Damien Miller 2020-04-03 13:27:10 AEDT
This has been committed and will be in openssh-8.3
Comment 3 Damien Miller 2021-04-23 14:58:46 AEST
closing resolved bugs as of 8.6p1 release