PROTOCOL.krl 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172
  1. This describes the key/certificate revocation list format for OpenSSH.
  2. 1. Overall format
  3. The KRL consists of a header and zero or more sections. The header is:
  4. #define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" */
  5. #define KRL_FORMAT_VERSION 1
  6. uint64 KRL_MAGIC
  7. uint32 KRL_FORMAT_VERSION
  8. uint64 krl_version
  9. uint64 generated_date
  10. uint64 flags
  11. string reserved
  12. string comment
  13. Where "krl_version" is a version number that increases each time the KRL
  14. is modified, "generated_date" is the time in seconds since 1970-01-01
  15. 00:00:00 UTC that the KRL was generated, "comment" is an optional comment
  16. and "reserved" an extension field whose contents are currently ignored.
  17. No "flags" are currently defined.
  18. Following the header are zero or more sections, each consisting of:
  19. byte section_type
  20. string section_data
  21. Where "section_type" indicates the type of the "section_data". An exception
  22. to this is the KRL_SECTION_SIGNATURE section, that has a slightly different
  23. format (see below).
  24. The available section types are:
  25. #define KRL_SECTION_CERTIFICATES 1
  26. #define KRL_SECTION_EXPLICIT_KEY 2
  27. #define KRL_SECTION_FINGERPRINT_SHA1 3
  28. #define KRL_SECTION_SIGNATURE 4
  29. #define KRL_SECTION_FINGERPRINT_SHA256 5
  30. 2. Certificate section
  31. These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
  32. serial number or key ID. The consist of the CA key that issued the
  33. certificates to be revoked and a reserved field whose contents is currently
  34. ignored.
  35. string ca_key
  36. string reserved
  37. Where "ca_key" is the standard SSH wire serialisation of the CA's
  38. public key. Alternately, "ca_key" may be an empty string to indicate
  39. the certificate section applies to all CAs (this is most useful when
  40. revoking key IDs).
  41. Followed by one or more sections:
  42. byte cert_section_type
  43. string cert_section_data
  44. The certificate section types are:
  45. #define KRL_SECTION_CERT_SERIAL_LIST 0x20
  46. #define KRL_SECTION_CERT_SERIAL_RANGE 0x21
  47. #define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
  48. #define KRL_SECTION_CERT_KEY_ID 0x23
  49. 2.1 Certificate serial list section
  50. This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes
  51. certificates by listing their serial numbers. The cert_section_data in this
  52. case contains:
  53. uint64 revoked_cert_serial
  54. uint64 ...
  55. This section may appear multiple times.
  56. 2.2. Certificate serial range section
  57. These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold
  58. a range of serial numbers of certificates:
  59. uint64 serial_min
  60. uint64 serial_max
  61. All certificates in the range serial_min <= serial <= serial_max are
  62. revoked.
  63. This section may appear multiple times.
  64. 2.3. Certificate serial bitmap section
  65. Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys
  66. by listing their serial number in a bitmap.
  67. uint64 serial_offset
  68. mpint revoked_keys_bitmap
  69. A bit set at index N in the bitmap corresponds to revocation of a keys with
  70. serial number (serial_offset + N).
  71. This section may appear multiple times.
  72. 2.4. Revoked key ID sections
  73. KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key
  74. ID" strings. This may be useful in revoking all certificates
  75. associated with a particular identity, e.g. a host or a user.
  76. string key_id[0]
  77. ...
  78. This section must contain at least one "key_id". This section may appear
  79. multiple times.
  80. 3. Explicit key sections
  81. These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
  82. (not certificates). They are less space efficient than serial numbers,
  83. but are able to revoke plain keys.
  84. string public_key_blob[0]
  85. ....
  86. This section must contain at least one "public_key_blob". The blob
  87. must be a raw key (i.e. not a certificate).
  88. This section may appear multiple times.
  89. 4. SHA1/SHA256 fingerprint sections
  90. These sections, identified as KRL_SECTION_FINGERPRINT_SHA1 and
  91. KRL_SECTION_FINGERPRINT_SHA256, revoke plain keys (i.e. not
  92. certificates) by listing their hashes:
  93. string public_key_hash[0]
  94. ....
  95. This section must contain at least one "public_key_hash". The hash blob
  96. is obtained by taking the SHA1 or SHA256 hash of the public key blob.
  97. Hashes in this section must appear in numeric order, treating each hash
  98. as a big-endian integer.
  99. This section may appear multiple times.
  100. 5. KRL signature sections
  101. The KRL_SECTION_SIGNATURE section serves a different purpose to the
  102. preceding ones: to provide cryptographic authentication of a KRL that
  103. is retrieved over a channel that does not provide integrity protection.
  104. Its format is slightly different to the previously-described sections:
  105. in order to simplify the signature generation, it includes as a "body"
  106. two string components instead of one.
  107. byte KRL_SECTION_SIGNATURE
  108. string signature_key
  109. string signature
  110. The signature is calculated over the entire KRL from the KRL_MAGIC
  111. to this subsection's "signature_key", including both and using the
  112. signature generation rules appropriate for the type of "signature_key".
  113. This section must appear last in the KRL. If multiple signature sections
  114. appear, they must appear consecutively at the end of the KRL file.
  115. Implementations that retrieve KRLs over untrusted channels must verify
  116. signatures. Signature sections are optional for KRLs distributed by
  117. trusted means.
  118. $OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $