upstream: Support for KRL extensions.
This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. ok markus OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
This commit is contained in:
parent
18ea857770
commit
449566f64c
51
PROTOCOL.krl
51
PROTOCOL.krl
|
@ -37,6 +37,7 @@ The available section types are:
|
||||||
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
||||||
#define KRL_SECTION_SIGNATURE 4
|
#define KRL_SECTION_SIGNATURE 4
|
||||||
#define KRL_SECTION_FINGERPRINT_SHA256 5
|
#define KRL_SECTION_FINGERPRINT_SHA256 5
|
||||||
|
#define KRL_SECTION_EXTENSION 255
|
||||||
|
|
||||||
2. Certificate section
|
2. Certificate section
|
||||||
|
|
||||||
|
@ -64,6 +65,7 @@ The certificate section types are:
|
||||||
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
||||||
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
||||||
#define KRL_SECTION_CERT_KEY_ID 0x23
|
#define KRL_SECTION_CERT_KEY_ID 0x23
|
||||||
|
#define KRL_SECTION_CERT_EXTENSION 0x39
|
||||||
|
|
||||||
2.1 Certificate serial list section
|
2.1 Certificate serial list section
|
||||||
|
|
||||||
|
@ -114,6 +116,29 @@ associated with a particular identity, e.g. a host or a user.
|
||||||
This section must contain at least one "key_id". This section may appear
|
This section must contain at least one "key_id". This section may appear
|
||||||
multiple times.
|
multiple times.
|
||||||
|
|
||||||
|
2.5. Certificate Extension subsections
|
||||||
|
|
||||||
|
This subsection type provides a generic extension mechanism to the
|
||||||
|
certificates KRL section that may be used to provide optional or critical
|
||||||
|
data.
|
||||||
|
|
||||||
|
Extensions are stored in subsections of type
|
||||||
|
KRL_SECTION_CERT_EXTENSION with the following contents:
|
||||||
|
|
||||||
|
string extension_name
|
||||||
|
boolean is_critical
|
||||||
|
string extension_contents.
|
||||||
|
|
||||||
|
Where "extension_name" describes the type of extension. It is
|
||||||
|
recommended that user extensions follow "cert-name@domain.org" naming.
|
||||||
|
|
||||||
|
The "is_critical" indicates whether this extension is mandatory or
|
||||||
|
optional. If true, then any unsupported extension encountered should
|
||||||
|
result in KRL parsing failure. If false, then it may be safely be
|
||||||
|
ignored.
|
||||||
|
|
||||||
|
The "extension_contents" contains the body of the extension.
|
||||||
|
|
||||||
3. Explicit key sections
|
3. Explicit key sections
|
||||||
|
|
||||||
These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
|
These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
|
||||||
|
@ -144,7 +169,29 @@ as a big-endian integer.
|
||||||
|
|
||||||
This section may appear multiple times.
|
This section may appear multiple times.
|
||||||
|
|
||||||
5. KRL signature sections
|
5. Extension sections
|
||||||
|
|
||||||
|
This section type provides a generic extension mechanism to the KRL
|
||||||
|
format that may be used to provide optional or critical data.
|
||||||
|
|
||||||
|
Extensions are recorded in sections of type KRL_SECTION_EXTENSION
|
||||||
|
with the following contents:
|
||||||
|
|
||||||
|
string extension_name
|
||||||
|
boolean is_critical
|
||||||
|
string extension_contents.
|
||||||
|
|
||||||
|
Where "extension_name" describes the type of extension. It is
|
||||||
|
recommended that user extensions follow "name@domain.org" naming.
|
||||||
|
|
||||||
|
The "is_critical" indicates whether this extension is mandatory or
|
||||||
|
optional. If true, then any unsupported extension encountered should
|
||||||
|
result in KRL parsing failure. If false, then it may be safely be
|
||||||
|
ignored.
|
||||||
|
|
||||||
|
The "extension_contents" contains the body of the extension.
|
||||||
|
|
||||||
|
6. KRL signature sections
|
||||||
|
|
||||||
The KRL_SECTION_SIGNATURE section serves a different purpose to the
|
The KRL_SECTION_SIGNATURE section serves a different purpose to the
|
||||||
preceding ones: to provide cryptographic authentication of a KRL that
|
preceding ones: to provide cryptographic authentication of a KRL that
|
||||||
|
@ -168,4 +215,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
|
||||||
signatures. Signature sections are optional for KRLs distributed by
|
signatures. Signature sections are optional for KRLs distributed by
|
||||||
trusted means.
|
trusted means.
|
||||||
|
|
||||||
$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $
|
$OpenBSD: PROTOCOL.krl,v 1.6 2023/07/17 03:57:21 djm Exp $
|
||||||
|
|
86
krl.c
86
krl.c
|
@ -14,7 +14,7 @@
|
||||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $OpenBSD: krl.c,v 1.55 2023/03/14 07:28:47 dtucker Exp $ */
|
/* $OpenBSD: krl.c,v 1.56 2023/07/17 03:57:21 djm Exp $ */
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
|
|
||||||
|
@ -840,6 +840,45 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
cert_extension_subsection(struct sshbuf *subsect, struct ssh_krl *krl)
|
||||||
|
{
|
||||||
|
int r = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
u_char critical = 1;
|
||||||
|
struct sshbuf *value = NULL;
|
||||||
|
char *name = NULL;
|
||||||
|
|
||||||
|
if ((r = sshbuf_get_cstring(subsect, &name, NULL)) != 0 ||
|
||||||
|
(r = sshbuf_get_u8(subsect, &critical)) != 0 ||
|
||||||
|
(r = sshbuf_froms(subsect, &value)) != 0) {
|
||||||
|
debug_fr(r, "parse");
|
||||||
|
error("KRL has invalid certificate extension subsection");
|
||||||
|
r = SSH_ERR_INVALID_FORMAT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (sshbuf_len(subsect) != 0) {
|
||||||
|
error("KRL has invalid certificate extension subsection: "
|
||||||
|
"trailing data");
|
||||||
|
r = SSH_ERR_INVALID_FORMAT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
debug_f("cert extension %s critical %u len %zu",
|
||||||
|
name, critical, sshbuf_len(value));
|
||||||
|
/* no extensions are currently supported */
|
||||||
|
if (critical) {
|
||||||
|
error("KRL contains unsupported critical certificate "
|
||||||
|
"subsection \"%s\"", name);
|
||||||
|
r = SSH_ERR_FEATURE_UNSUPPORTED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
/* success */
|
||||||
|
r = 0;
|
||||||
|
out:
|
||||||
|
free(name);
|
||||||
|
sshbuf_free(value);
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
|
parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
|
||||||
{
|
{
|
||||||
|
@ -931,6 +970,10 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
|
||||||
key_id = NULL;
|
key_id = NULL;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case KRL_SECTION_CERT_EXTENSION:
|
||||||
|
if ((r = cert_extension_subsection(subsect, krl)) != 0)
|
||||||
|
goto out;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
error("Unsupported KRL certificate section %u", type);
|
error("Unsupported KRL certificate section %u", type);
|
||||||
r = SSH_ERR_INVALID_FORMAT;
|
r = SSH_ERR_INVALID_FORMAT;
|
||||||
|
@ -977,6 +1020,43 @@ blob_section(struct sshbuf *sect, struct revoked_blob_tree *target_tree,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
extension_section(struct sshbuf *sect, struct ssh_krl *krl)
|
||||||
|
{
|
||||||
|
int r = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
u_char critical = 1;
|
||||||
|
struct sshbuf *value = NULL;
|
||||||
|
char *name = NULL;
|
||||||
|
|
||||||
|
if ((r = sshbuf_get_cstring(sect, &name, NULL)) != 0 ||
|
||||||
|
(r = sshbuf_get_u8(sect, &critical)) != 0 ||
|
||||||
|
(r = sshbuf_froms(sect, &value)) != 0) {
|
||||||
|
debug_fr(r, "parse");
|
||||||
|
error("KRL has invalid extension section");
|
||||||
|
r = SSH_ERR_INVALID_FORMAT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (sshbuf_len(sect) != 0) {
|
||||||
|
error("KRL has invalid extension section: trailing data");
|
||||||
|
r = SSH_ERR_INVALID_FORMAT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
debug_f("extension %s critical %u len %zu",
|
||||||
|
name, critical, sshbuf_len(value));
|
||||||
|
/* no extensions are currently supported */
|
||||||
|
if (critical) {
|
||||||
|
error("KRL contains unsupported critical section \"%s\"", name);
|
||||||
|
r = SSH_ERR_FEATURE_UNSUPPORTED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
/* success */
|
||||||
|
r = 0;
|
||||||
|
out:
|
||||||
|
free(name);
|
||||||
|
sshbuf_free(value);
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
|
/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
|
||||||
int
|
int
|
||||||
ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
|
ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
|
||||||
|
@ -1144,6 +1224,10 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
|
||||||
&krl->revoked_sha256s, 32)) != 0)
|
&krl->revoked_sha256s, 32)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
break;
|
break;
|
||||||
|
case KRL_SECTION_EXTENSION:
|
||||||
|
if ((r = extension_section(sect, krl)) != 0)
|
||||||
|
goto out;
|
||||||
|
break;
|
||||||
case KRL_SECTION_SIGNATURE:
|
case KRL_SECTION_SIGNATURE:
|
||||||
/* Handled above, but still need to stay in synch */
|
/* Handled above, but still need to stay in synch */
|
||||||
sshbuf_free(sect);
|
sshbuf_free(sect);
|
||||||
|
|
4
krl.h
4
krl.h
|
@ -14,7 +14,7 @@
|
||||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $OpenBSD: krl.h,v 1.8 2020/04/03 02:26:56 djm Exp $ */
|
/* $OpenBSD: krl.h,v 1.9 2023/07/17 03:57:21 djm Exp $ */
|
||||||
|
|
||||||
#ifndef _KRL_H
|
#ifndef _KRL_H
|
||||||
#define _KRL_H
|
#define _KRL_H
|
||||||
|
@ -30,12 +30,14 @@
|
||||||
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
||||||
#define KRL_SECTION_SIGNATURE 4
|
#define KRL_SECTION_SIGNATURE 4
|
||||||
#define KRL_SECTION_FINGERPRINT_SHA256 5
|
#define KRL_SECTION_FINGERPRINT_SHA256 5
|
||||||
|
#define KRL_SECTION_EXTENSION 255
|
||||||
|
|
||||||
/* KRL_SECTION_CERTIFICATES subsection types */
|
/* KRL_SECTION_CERTIFICATES subsection types */
|
||||||
#define KRL_SECTION_CERT_SERIAL_LIST 0x20
|
#define KRL_SECTION_CERT_SERIAL_LIST 0x20
|
||||||
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
||||||
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
||||||
#define KRL_SECTION_CERT_KEY_ID 0x23
|
#define KRL_SECTION_CERT_KEY_ID 0x23
|
||||||
|
#define KRL_SECTION_CERT_EXTENSION 0x39
|
||||||
|
|
||||||
struct sshkey;
|
struct sshkey;
|
||||||
struct sshbuf;
|
struct sshbuf;
|
||||||
|
|
Loading…
Reference in New Issue