bugzilla-daemon at bugzilla.mindrot.org
2020-Mar-09 12:23 UTC
[Bug 3132] New: No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Bug ID: 3132
Summary: No command to list the content of an SSH KRL
Product: Portable OpenSSH
Version: 8.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: rik.theys at esat.kuleuven.be
Hi,
The ssh-keygen command allows generation of a KRL in a binary format.
It also has a command line option (-Q) to check if a specific
certificate/public key is on the KRL.
I did not find any command that will display the full content of a KRL
to see which certificates/serial nr/hashes are on the revocation list.
It would be nice to have such a command so we can easily check which
certificates have been revoked in the past.
Regards,
Rik
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Mar-13 07:35 UTC
[Bug 3132] No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |dtucker at dtucker.net
Attachment #3367| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3367
--> https://bugzilla.mindrot.org/attachment.cgi?id=3367&action=edit
Support for dumping KRL contents via ssh-keygen
This patch adds support for dumping KRL contents via "ssh-keygen -Qlf
/path/krl"
The dump format is similar to the KRL specification format described in
ssh-keygen(1)'s KEY REVOCATION section. Some things we need to print
don't fit the format, so I print them as comments.
Example:
> $ ssh-keygen -lQf obj/krl-all
> # KRL version 0
> # Generated at 20200313T181736
>
> hash: SHA256:SHA256:s8ltKq+ldDA2KIlB5dqI0BfEI4UyV+pJujwg6Q2uKIU # ssh-dss
> hash: SHA256:SHA256:zbEIKMbhOkp/jZWE/cW67PnEwSyv0Oju1c4PH1N70/k # ssh-ed25519
> hash: SHA256:SHA256:VZS9t21+vjrGDece9Pc6i23kPcVw5QsVOtxBCuIOyRw # ecdsa-sha2-nistp256
> hash: SHA256:SHA256:jHnudyvRBF93GK/jA9NO7wpUd5emyeCq9NlIEI6dVQA # sk-ecdsa-sha2-nistp256@openssh.com
> # CA key ssh-ed25519 SHA256:7Y4hOrk8kHvyTeXl+VU/zwD28qqCK9e5M35LTwe0OpM
> serial: 1
> serial: 4
> serial: 90
> serial: 500-799
> serial: 999
> serial: 10000-20000
> id: revoked 795
> id: revoked 796
> id: revoked 797
> id: revoked 798
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
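Added example (not part of the attached patch or of OpenSSH): a small parser for the dump format shown in comment #1, for auditing whether a certificate serial is covered by a revoked range. The function names are hypothetical, the sample values are constructed placeholders, and it assumes that "serial:" and "id:" lines belong to the preceding "# CA key" comment.

```python
import re

# Constructed sample in the dump format shown in comment #1; the hash and
# CA fingerprint values are placeholders, not real keys.
SAMPLE_DUMP = """\
# KRL version 0
# Generated at 20200313T181736

hash: SHA256:EXAMPLEHASHPLACEHOLDER # ssh-ed25519
# CA key ssh-ed25519 SHA256:EXAMPLECAPLACEHOLDER
serial: 1
serial: 500-799
serial: 10000-20000
id: revoked 795
"""

def parse_krl_dump(text):
    """Return metadata, revoked key hashes and per-CA serial ranges / key IDs."""
    krl = {"meta": {}, "hashes": [], "cas": {}, "unparsed": []}
    ca = None  # assumption: serial:/id: lines belong to the preceding "# CA key"
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := re.fullmatch(r"# CA key (\S+) (\S+)", line):
            ca = krl["cas"].setdefault(m[2], {"type": m[1], "serials": [], "ids": []})
        elif m := re.fullmatch(r"# KRL version (\d+)", line):
            krl["meta"]["version"] = int(m[1])
        elif m := re.fullmatch(r"# Generated at (\S+)", line):
            krl["meta"]["generated"] = m[1]
        elif m := re.fullmatch(r"hash: (\S+)(?:\s+# (\S+))?", line):
            krl["hashes"].append((m[1], m[2]))  # (fingerprint, key type or None)
        elif ca is not None and (m := re.fullmatch(r"serial: (\d+)(?:-(\d+))?", line)):
            lo = int(m[1])
            ca["serials"].append((lo, int(m[2]) if m[2] else lo))
        elif ca is not None and line.startswith("id: "):
            ca["ids"].append(line[4:])  # key IDs are free text, keep verbatim
        else:
            krl["unparsed"].append(line)  # surface anything unexpected for review
    return krl

def serial_revoked(krl, ca_fingerprint, serial):
    """True if `serial` falls in any revoked range recorded for that CA."""
    ca = krl["cas"].get(ca_fingerprint)
    return bool(ca) and any(lo <= serial <= hi for lo, hi in ca["serials"])

if __name__ == "__main__":
    krl = parse_krl_dump(SAMPLE_DUMP)
    print(krl["meta"], krl["hashes"])
    print(serial_revoked(krl, "SHA256:EXAMPLECAPLACEHOLDER", 600))
```

Lines the parser does not recognise are collected under "unparsed" rather than dropped, so an audit can flag them instead of silently treating the list as complete.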
bugzilla-daemon at mindrot.org
2020-Mar-13 07:35 UTC
[Bug 3132] No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3117
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
bugzilla-daemon at mindrot.org
2020-Mar-13 08:23 UTC
[Bug 3132] No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3367|ok?(dtucker at dtucker.net) |ok+
Flags| |
bugzilla-daemon at mindrot.org
2020-Apr-03 02:27 UTC
[Bug 3132] No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in openssh-8.3
bugzilla-daemon at mindrot.org
2021-Apr-23 04:58 UTC
[Bug 3132] No command to list the content of an SSH KRL
https://bugzilla.mindrot.org/show_bug.cgi?id=3132
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release