mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-27 23:53:26 +08:00
f3747bf401
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
64 lines
2.5 KiB
C
64 lines
2.5 KiB
C
/*
|
|
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
|
|
|
|
#ifndef _KRL_H
|
|
#define _KRL_H
|
|
|
|
/* Functions to manage key revocation lists */
|
|
|
|
#define KRL_MAGIC "SSHKRL\n\0"
|
|
#define KRL_FORMAT_VERSION 1
|
|
|
|
/* KRL section types */
|
|
#define KRL_SECTION_CERTIFICATES 1
|
|
#define KRL_SECTION_EXPLICIT_KEY 2
|
|
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
|
#define KRL_SECTION_SIGNATURE 4
|
|
|
|
/* KRL_SECTION_CERTIFICATES subsection types */
|
|
#define KRL_SECTION_CERT_SERIAL_LIST 0x20
|
|
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
|
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
|
#define KRL_SECTION_CERT_KEY_ID 0x23
|
|
|
|
struct ssh_krl;
|
|
|
|
struct ssh_krl *ssh_krl_init(void);
|
|
void ssh_krl_free(struct ssh_krl *krl);
|
|
void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
|
|
void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
|
|
void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
|
|
int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
|
|
u_int64_t serial);
|
|
int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
|
|
u_int64_t lo, u_int64_t hi);
|
|
int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
|
|
const char *key_id);
|
|
int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key);
|
|
int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key);
|
|
int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key);
|
|
int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
|
|
u_int nsign_keys);
|
|
int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
|
|
const Key **sign_ca_keys, u_int nsign_ca_keys);
|
|
int ssh_krl_check_key(struct ssh_krl *krl, const Key *key);
|
|
int ssh_krl_file_contains_key(const char *path, const Key *key);
|
|
|
|
#endif /* _KRL_H */
|
|
|