17 /* $OpenBSD: krl.c,v 1.39 2017/03/10 07:18:32 dtucker Exp $ */
41 #include "krl.h"
133 struct ssh_krl *krl;
135 if ((krl = calloc(1, sizeof(*krl))) == NULL)
137 RB_INIT(&krl->revoked_keys);
138 RB_INIT(&krl->revoked_sha1s);
139 TAILQ_INIT(&krl->revoked_certs);
140 return krl;
162 ssh_krl_free(struct ssh_krl *krl)
167 if (krl == NULL)
170 free(krl->comment);
171 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) {
172 RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb);
176 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) {
177 RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb);
181 TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) {
182 TAILQ_REMOVE(&krl->revoked_certs, rc, entry);
188 ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version)
190 krl->krl_version = version;
194 ssh_krl_set_comment(struct ssh_krl *krl, const char *comment)
196 free(krl->comment);
197 if ((krl->comment = strdup(comment)) == NULL)
207 revoked_certs_for_ca_key(struct ssh_krl *krl, const struct sshkey *ca_key,
214 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
234 TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
315 ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key,
318 return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial);
322 ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl,
330 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
336 ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const struct sshkey *ca_key,
343 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
399 ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const struct sshkey *key)
408 return revoke_blob(&krl->revoked_keys, blob, len);
412 ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const struct sshkey *key)
422 return revoke_blob(&krl->revoked_sha1s, blob, len);
426 ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key)
429 return ssh_krl_revoke_key_sha1(krl, key);
432 return ssh_krl_revoke_cert_by_key_id(krl,
436 return ssh_krl_revoke_cert_by_serial(krl,
443 * Select the most compact section type to emit next in a KRL based on
447 * that will minimise the size of the resultant KRL.
544 /* Generate a KRL_SECTION_CERTIFICATES KRL section */
705 ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
715 if (krl->generated_date == 0)
716 krl->generated_date = time(NULL);
724 (r = sshbuf_put_u64(buf, krl->krl_version)) != 0 ||
725 (r = sshbuf_put_u64(buf, krl->generated_date)) != 0 ||
726 (r = sshbuf_put_u64(buf, krl->flags)) != 0 ||
728 (r = sshbuf_put_cstring(buf, krl->comment)) != 0)
732 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
743 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
754 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
805 parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
841 if ((r = ssh_krl_revoke_cert_by_serial(krl,
850 if ((r = ssh_krl_revoke_cert_by_serial_range(krl,
876 if ((r = ssh_krl_revoke_cert_by_serial(krl,
888 if ((r = ssh_krl_revoke_cert_by_key_id(krl,
896 error("Unsupported KRL certificate section %u", type);
901 error("KRL certificate section contains unparsed data");
918 /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
924 struct ssh_krl *krl = NULL;
937 debug3("%s: not a KRL", __func__);
941 /* Take a copy of the KRL buffer so we can verify its signature later */
949 if ((krl = ssh_krl_init()) == NULL) {
960 if ((r = sshbuf_get_u64(copy, &krl->krl_version)) != 0 ||
961 (r = sshbuf_get_u64(copy, &krl->generated_date)) != 0 ||
962 (r = sshbuf_get_u64(copy, &krl->flags)) != 0 ||
964 (r = sshbuf_get_cstring(copy, &krl->comment, NULL)) != 0)
967 format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
968 debug("KRL version %llu generated at %s%s%s",
969 (long long unsigned)krl->krl_version, timestamp,
970 *krl->comment ? ": " : "", krl->comment);
990 error("KRL contains non-signature section "
1015 /* Check signature over entire KRL up to this point */
1019 /* Check if this key has already signed this KRL */
1022 error("KRL signed more than once with "
1028 /* Record keys used to sign the KRL */
1047 * 2nd pass: parse and load the KRL, skipping the header to the point
1067 if ((r = parse_revoked_certs(sect, krl)) != 0)
1084 &krl->revoked_keys : &krl->revoked_sha1s,
1098 error("Unsupported KRL section %u", type);
1103 error("KRL section contains unparsed data");
1109 /* Check that the key(s) used to sign the KRL weren't revoked */
1112 if (ssh_krl_check_key(krl, ca_used[i]) == 0)
1120 error("All keys used to sign KRL were revoked");
1125 /* If we have CA keys, then verify that one was used to sign the KRL */
1140 error("KRL not signed with any trusted key");
1145 *krlp = krl;
1149 ssh_krl_free(krl);
1196 is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
1207 erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
1218 erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
1229 if ((r = revoked_certs_for_ca_key(krl, key->cert->signature_key,
1237 if ((r = revoked_certs_for_ca_key(krl, NULL, &rc, 0)) != 0)
1249 ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key)
1254 if ((r = is_key_revoked(krl, key)) != 0)
1258 if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
1269 struct ssh_krl *krl = NULL;
1286 if ((r = ssh_krl_from_blob(krlbuf, &krl, NULL, 0)) != 0)
1288 debug2("%s: checking KRL %s", __func__, path);
1289 r = ssh_krl_check_key(krl, key);
1294 ssh_krl_free(krl);