Hello,
I am currently using the KRL functionality of OpenSSH, and have
written a convenience function for getting the set of revoked keys (in
whatever format they have been stored) in the KRL. The patch, with the
openssh-portable commit ID b109ce92aae0ca0376dce9513d953be60e449ae1 as
the reference, is inline because I'm not sure if the list server
accepts x-patch MIME type (so apologies for the long email). I would
be happy to modify this if there are standards that I have failed to
follow. This is my first time contributing to a OpenBSD project, so
things may not be completely up to scratch on my end. I would also be
happy to answer any questions about this.
Thanks,
Doug
diff --git a/krl.c b/krl.c
index e271a193..9fa03e68 100644
--- a/krl.c
+++ b/krl.c
@@ -28,6 +28,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <inttypes.h>
#include "sshbuf.h"
#include "ssherr.h"
@@ -37,6 +38,7 @@
#include "log.h"
#include "digest.h"
#include "bitmap.h"
+#include "uuencode.h"
#include "krl.h"
@@ -185,6 +187,50 @@ ssh_krl_free(struct ssh_krl *krl)
}
void
+ssh_krl_dump(struct ssh_krl *krl)
+{
+ struct revoked_certs *rc, *trc;
+ struct revoked_key_id *rki, *tki;
+ struct revoked_serial *rs, *trs;
+ struct revoked_blob *rb, *trb;
+ struct sshbuf *sect;
+ int retval;
+
+ if (krl == NULL)
+ return;
+
+ TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) {
+ RB_FOREACH_SAFE(rki, revoked_key_id_tree,
&rc->revoked_key_ids, tki) {
+ KRL_DBG(("%s: Key ID %s", __func__,
rki->key_id));
+ printf("Key ID: %s\n", rki->key_id);
+ }
+ RB_FOREACH_SAFE(rs, revoked_serial_tree,
&rc->revoked_serials, trs) {
+ KRL_DBG(("%s: serial range %zu-%zu\n",
__func__, rs->lo, rs->hi));
+ if(rs->lo == rs->hi) {
+ printf("Serial Number: %zu\n",
rs->lo);
+ }
+ else {
+ printf("Serial Range: %zu-%zu\n",
rs->lo, rs->hi);
+ }
+ }
+ }
+ if ((sect = sshbuf_new()) == NULL)
+ fatal("Error allocating buffer");
+ RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb)
{
+ retval = 0;
+ /* binary -> base64 will always be less than twice the
size of the binary repr */
+ retval = uuencode(rb->blob, rb->len,
sshbuf_mutable_ptr(sect), 2 * rb->len);
+ if (retval == -1) {
+ fatal("Error encoding SHA1 blob");
+ }
+ KRL_DBG(("%s: SHA1 %s\n", __func__, rb->blob));
+ printf("SHA1 Digest: %s\n", sshbuf_ptr(sect));
+ sshbuf_reset(sect);
+ }
+ sshbuf_free(sect);
+}
+
+void
ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version)
{
krl->krl_version = version;
diff --git a/krl.h b/krl.h
index 675496cc..bf5b7e3f 100644
--- a/krl.h
+++ b/krl.h
@@ -59,6 +59,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct
ssh_krl **krlp,
const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
+void ssh_krl_dump(struct ssh_krl *krl);
#endif /* _KRL_H */
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index ce2213c7..17c873d5 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -134,7 +134,7 @@
.Nm ssh-keygen
.Fl Q
.Fl f Ar krl_file
-.Ar
+.Op Ar
.Ek
.Sh DESCRIPTION
.Nm
@@ -494,7 +494,7 @@ The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl Q
-Test whether keys have been revoked in a KRL.
+Test whether keys have been revoked, or display all revoked keys
stored, in a KRL.
.It Fl q
Silence
.Nm ssh-keygen .
@@ -793,6 +793,8 @@ then
.Nm
will exit with a non-zero exit status.
A zero exit status will only be returned if no key was revoked.
+If no keys are provided, then all revoked keys stored in the KRL are printed.
+The format of the output depends on how each of the revoked keys were stored.
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.ssh/identity
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a7939bf..233f7025 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2199,6 +2199,9 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
sshkey_free(k);
free(comment);
}
+ if (argc == 0) {
+ ssh_krl_dump(krl);
+ }
ssh_krl_free(krl);
exit(ret);
}