authorDamien Miller <djm@cvs.openbsd.org>2020-04-03 02:26:57 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-04-03 02:26:57 +0000
commit2586386661cc7dbd67c42858e911510d538f6776 (patch)
tree9bc1f70edf86d06d6f8b89a0dc30a848b292c18c
parent0a9e502fb5f90821bcf7e50896863e66ace08476 (diff)
give ssh-keygen the ability to dump the contents of a binary key
revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker
-rw-r--r--usr.bin/ssh/krl.c94
-rw-r--r--usr.bin/ssh/krl.h3
-rw-r--r--usr.bin/ssh/ssh-add/Makefile4
-rw-r--r--usr.bin/ssh/ssh-agent/Makefile4
-rw-r--r--usr.bin/ssh/ssh-keygen.18
-rw-r--r--usr.bin/ssh/ssh-keygen.c10
-rw-r--r--usr.bin/ssh/ssh-keysign/Makefile4
7 files changed, 113 insertions, 14 deletions
diff --git a/usr.bin/ssh/krl.c b/usr.bin/ssh/krl.c
index dc9830e2d1a..c4d9f00febc 100644
--- a/usr.bin/ssh/krl.c
+++ b/usr.bin/ssh/krl.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.47 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.48 2020/04/03 02:26:56 djm Exp $ */
#include <sys/types.h>
#include <sys/tree.h>
@@ -36,6 +36,7 @@
#include "log.h"
#include "digest.h"
#include "bitmap.h"
+#include "utf8.h"
#include "krl.h"
@@ -1353,3 +1354,94 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
errno = oerrno;
return r;
}
+
+int
+krl_dump(struct ssh_krl *krl, FILE *f)
+{
+ struct sshkey *key = NULL;
+ struct revoked_blob *rb;
+ struct revoked_certs *rc;
+ struct revoked_serial *rs;
+ struct revoked_key_id *rki;
+ int r, ret = 0;
+ char *fp, timestamp[64];
+
+ /* Try to print in a KRL spec-compatible format */
+ format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
+ fprintf(f, "# KRL version %lld\n", krl->krl_version);
+ fprintf(f, "# Generated at %s\n", timestamp);
+ if (krl->comment != NULL && *krl->comment != '\0') {
+ r = INT_MAX;
+ asmprintf(&fp, INT_MAX, &r, "%s", krl->comment);
+ fprintf(f, "# Comment: %s\n", fp);
+ free(fp);
+ }
+ fputc('\n', f);
+
+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
+ if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) {
+ ret = SSH_ERR_INVALID_FORMAT;
+ error("Parse key in KRL: %s", ssh_err(r));
+ continue;
+ }
+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+ SSH_FP_DEFAULT)) == NULL) {
+ ret = SSH_ERR_INVALID_FORMAT;
+ error("sshkey_fingerprint failed");
+ continue;
+ }
+ fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+ free(fp);
+ free(key);
+ }
+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
+ fp = tohex(rb->blob, rb->len);
+ fprintf(f, "hash: SHA256:%s\n", fp);
+ free(fp);
+ }
+ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
+ /*
+ * There is not KRL spec keyword for raw SHA1 hashes, so
+ * print them as comments.
+ */
+ fp = tohex(rb->blob, rb->len);
+ fprintf(f, "# hash SHA1:%s\n", fp);
+ free(fp);
+ }
+
+ TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+ fputc('\n', f);
+ if (rc->ca_key == NULL)
+ fprintf(f, "# Wildcard CA\n");
+ else {
+ if ((fp = sshkey_fingerprint(rc->ca_key,
+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) {
+ ret = SSH_ERR_INVALID_FORMAT;
+ error("sshkey_fingerprint failed");
+ continue;
+ }
+ fprintf(f, "# CA key %s %s\n",
+ sshkey_ssh_name(rc->ca_key), fp);
+ free(fp);
+ }
+ RB_FOREACH(rs, revoked_serial_tree, &rc->revoked_serials) {
+ if (rs->lo == rs->hi)
+ fprintf(f, "serial: %lld\n", rs->lo);
+ else {
+ fprintf(f, "serial: %lld-%lld\n",
+ rs->lo, rs->hi);
+ }
+ }
+ RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
+ /*
+ * We don't want key IDs with embedded newlines to
+ * mess up the display.
+ */
+ r = INT_MAX;
+ asmprintf(&fp, INT_MAX, &r, "%s", rki->key_id);
+ fprintf(f, "id: %s\n", fp);
+ free(fp);
+ }
+ }
+ return ret;
+}
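Review bot: The key parsed from each revoked blob is released with `free(key)` at the end of the revoked_keys loop, but it was allocated by sshkey_from_blob() and so carries key-type-specific members that plain free() does not release; it should be `sshkey_free(key);` (and `key = NULL;` if the file's convention is to reset). The `continue` on the sshkey_fingerprint() failure path skips even that free, so each failing entry leaks the whole key before the next iteration overwrites the pointer; freeing the key before `continue` closes that path too. A smaller point: the `hash: SHA256:%s` label is hard-coded while the digest is chosen by SSH_FP_HASH_DEFAULT, so the two can silently disagree if the default is ever changed; either spell the hash explicitly (`SSH_DIGEST_SHA256`) or derive the label from the fingerprint. The existing comment on the SHA1 loop reads "There is not KRL spec keyword" and presumably means "no".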
diff --git a/usr.bin/ssh/krl.h b/usr.bin/ssh/krl.h
index ce534a11136..ca6d3f2843f 100644
--- a/usr.bin/ssh/krl.h
+++ b/usr.bin/ssh/krl.h
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.h,v 1.7 2019/06/21 04:21:04 djm Exp $ */
+/* $OpenBSD: krl.h,v 1.8 2020/04/03 02:26:56 djm Exp $ */
#ifndef _KRL_H
#define _KRL_H
@@ -61,6 +61,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
+int krl_dump(struct ssh_krl *krl, FILE *f);
#endif /* _KRL_H */
diff --git a/usr.bin/ssh/ssh-add/Makefile b/usr.bin/ssh/ssh-add/Makefile
index 93f92547f5f..6e9a2b45869 100644
--- a/usr.bin/ssh/ssh-add/Makefile
+++ b/usr.bin/ssh/ssh-add/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.30 2020/01/25 23:02:14 djm Exp $
+# $OpenBSD: Makefile,v 1.31 2020/04/03 02:26:56 djm Exp $
.PATH: ${.CURDIR}/..
SRCS= ssh-add.c
-SRCS+= authfd.c cleanup.c fatal.c readpass.c
+SRCS+= authfd.c cleanup.c fatal.c readpass.c utf8.c
SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
SRCS+= ${SRCS_SK_CLIENT}
diff --git a/usr.bin/ssh/ssh-agent/Makefile b/usr.bin/ssh/ssh-agent/Makefile
index a263c18a74f..9e3a0d47001 100644
--- a/usr.bin/ssh/ssh-agent/Makefile
+++ b/usr.bin/ssh/ssh-agent/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.37 2020/01/25 23:02:14 djm Exp $
+# $OpenBSD: Makefile,v 1.38 2020/04/03 02:26:56 djm Exp $
.PATH: ${.CURDIR}/..
SRCS= ssh-agent.c ${SRCS_PKCS11_CLIENT}
-SRCS+= compat.c fatal.c readpass.c
+SRCS+= compat.c fatal.c readpass.c utf8.c
SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
SRCS+= ${SRCS_SK_CLIENT}
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index 6294309728b..059c1b0341e 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.202 2020/02/24 04:27:58 dtucker Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.203 2020/04/03 02:26:56 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: February 24 2020 $
+.Dd $Mdocdate: April 3 2020 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -135,6 +135,7 @@
.Ar
.Nm ssh-keygen
.Fl Q
+.Op Fl l
.Fl f Ar krl_file
.Ar
.Nm ssh-keygen
@@ -521,6 +522,9 @@ containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl Q
Test whether keys have been revoked in a KRL.
+If the
+.Fl l
+option is also specified then the contents of the KRL will be printed.
.It Fl q
Silence
.Nm ssh-keygen .
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 7291fea0e68..dd676c01967 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.404 2020/03/13 03:17:07 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.405 2020/04/03 02:26:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2417,7 +2417,7 @@ do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
}
static void
-do_check_krl(struct passwd *pw, int argc, char **argv)
+do_check_krl(struct passwd *pw, int print_krl, int argc, char **argv)
{
int i, r, ret = 0;
char *comment;
@@ -2427,6 +2427,8 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
if (*identity_file == '\0')
fatal("KRL checking requires an input file");
load_krl(identity_file, &krl);
+ if (print_krl)
+ krl_dump(krl, stdout);
for (i = 0; i < argc; i++) {
if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
fatal("Cannot load public key %s: %s",
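Review bot: The return value of `krl_dump(krl, stdout)` is discarded, so a KRL containing entries that fail to parse (krl_dump reports SSH_ERR_INVALID_FORMAT for those and only logs them) is still dumped with an apparently clean exit when no key files follow; consider `if (print_krl && krl_dump(krl, stdout) != 0) ret = 1;` assuming `ret` here feeds the exit status, which is decided outside this hunk. The fprintf() calls inside krl_dump are unchecked as well, so a closed or full stdout is also silent; a final `if (ferror(stdout))` check in this caller would cover that. do_check_krl continues past the end of the hunk.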
@@ -3064,7 +3066,7 @@ usage(void)
" ssh-keygen -A [-f prefix_path]\n"
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
" file ...\n"
- " ssh-keygen -Q -f krl_file file ...\n"
+ " ssh-keygen -Q [-l] -f krl_file [file ...]\n"
" ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
" ssh-keygen -Y sign -f key_file -n namespace file ...\n"
@@ -3416,7 +3418,7 @@ main(int argc, char **argv)
return (0);
}
if (check_krl) {
- do_check_krl(pw, argc, argv);
+ do_check_krl(pw, print_fingerprint, argc, argv);
return (0);
}
if (ca_key_path != NULL) {
diff --git a/usr.bin/ssh/ssh-keysign/Makefile b/usr.bin/ssh/ssh-keysign/Makefile
index 7505ccda145..90ef21bf108 100644
--- a/usr.bin/ssh/ssh-keysign/Makefile
+++ b/usr.bin/ssh/ssh-keysign/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.20 2020/01/25 23:02:14 djm Exp $
+# $OpenBSD: Makefile,v 1.21 2020/04/03 02:26:56 djm Exp $
.PATH: ${.CURDIR}/..
SRCS= ssh-keysign.c readconf.c compat.c
SRCS+= cleanup.c fatal.c
-SRCS+= uidswap.c
+SRCS+= uidswap.c utf8.c
SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_PKT} \
${SRCS_UTL} ${SRCS_SK_CLIENT}
PROG= ssh-keysign