author: djm@openbsd.org <djm@openbsd.org> 2023-07-17 05:57:21 +0200
committer: Damien Miller <djm@mindrot.org> 2023-07-17 06:52:20 +0200
commit: 449566f64c21b4578d5c0c431badd0328adc53ed
tree: 41c4c599dd618ab8f271209e924d0ced2fe1b076 /PROTOCOL.krl
parent: upstream: Include stdint.h for SIZE_MAX. Fixes OPENSSL=no build.
upstream: Support for KRL extensions.
This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point.

ok markus

OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
Diffstat (limited to 'PROTOCOL.krl')
-rw-r--r-- PROTOCOL.krl 51
1 files changed, 49 insertions, 2 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
index 115f80e5d..f4213156e 100644
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@@ -37,6 +37,7 @@ The available section types are:
#define KRL_SECTION_FINGERPRINT_SHA1 3
#define KRL_SECTION_SIGNATURE 4
#define KRL_SECTION_FINGERPRINT_SHA256 5
+#define KRL_SECTION_EXTENSION 255
2. Certificate section
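Review bot: KRL_SECTION_EXTENSION is assigned 255 while the visible existing section types (3, 4, 5) are allocated contiguously from the low end; a short comment stating that the top of the range was chosen deliberately (for instance to keep extension sections visually distinct from ordinary ones) would stop a future type from being allocated around it by accident.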
@@ -64,6 +65,7 @@ The certificate section types are:
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
#define KRL_SECTION_CERT_KEY_ID 0x23
+#define KRL_SECTION_CERT_EXTENSION 0x39
2.1 Certificate serial list section
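Review bot: KRL_SECTION_CERT_EXTENSION is 0x39, which leaves a gap after the contiguous 0x21, 0x22, 0x23 subsection types. If the gap is intentional (reserving 0x24 onward for future ordinary subsections), a comment saying so would help; otherwise 0x24 would follow the existing pattern.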
@@ -114,6 +116,29 @@ associated with a particular identity, e.g. a host or a user.
This section must contain at least one "key_id". This section may appear
multiple times.
+2.5. Certificate Extension subsections
+
+This subsection type provides a generic extension mechanism to the
+certificates KRL section that may be used to provide optional or critical
+data.
+
+Extensions are stored in subsections of type
+KRL_SECTION_CERT_EXTENSION with the following contents:
+
+ string extension_name
+ boolean is_critical
+ string extension_contents.
+
+Where "extension_name" describes the type of extension. It is
+recommended that user extensions follow "cert-name@domain.org" naming.
+
+The "is_critical" indicates whether this extension is mandatory or
+optional. If true, then any unsupported extension encountered should
+result in KRL parsing failure. If false, then it may be safely be
+ignored.
+
+The "extension_contents" contains the body of the extension.
+
3. Explicit key sections
These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
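Review bot: "If false, then it may be safely be ignored." has a duplicated "be", and "string extension_contents." carries a trailing period that reads as part of the field name in the wire-format listing; drop it to match the two fields above. Two gaps in the new 2.5 text: section 2.4 ends with "This section may appear multiple times." and 2.5 should state the same (or the opposite) for extension subsections; and "should result in KRL parsing failure" for an unrecognised critical extension is weaker than the "must" used elsewhere in this document. A critical extension is exactly the case where a lenient parser would silently accept a KRL whose author intended stricter semantics, so "must" is the safer word.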
@@ -144,7 +169,29 @@ as a big-endian integer.
This section may appear multiple times.
-5. KRL signature sections
+5. Extension sections
+
+This section type provides a generic extension mechanism to the KRL
+format that may be used to provide optional or critical data.
+
+Extensions are recorded in sections of type KRL_SECTION_EXTENSION
+with the following contents:
+
+ string extension_name
+ boolean is_critical
+ string extension_contents.
+
+Where "extension_name" describes the type of extension. It is
+recommended that user extensions follow "name@domain.org" naming.
+
+The "is_critical" indicates whether this extension is mandatory or
+optional. If true, then any unsupported extension encountered should
+result in KRL parsing failure. If false, then it may be safely be
+ignored.
+
+The "extension_contents" contains the body of the extension.
+
+6. KRL signature sections
The KRL_SECTION_SIGNATURE section serves a different purpose to the
preceding ones: to provide cryptographic authentication of a KRL that
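Review bot: the same duplicated "be" ("it may be safely be ignored") and the same stray period after "string extension_contents" appear in this copy of the text as in 2.5; fix both together. Section 5 also does not say whether KRL_SECTION_EXTENSION may appear multiple times, unlike section 4 just above ("This section may appear multiple times."). Since the renumbered section 6 describes KRL_SECTION_SIGNATURE as providing cryptographic authentication of the KRL, it would be worth stating explicitly whether extension sections are permitted to follow a signature section, where they would not be covered by it.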
@@ -168,4 +215,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
signatures. Signature sections are optional for KRLs distributed by
trusted means.
-$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.6 2023/07/17 03:57:21 djm Exp $