From 449566f64c21b4578d5c0c431badd0328adc53ed Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 17 Jul 2023 03:57:21 +0000 Subject: upstream: Support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. ok markus OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7 --- PROTOCOL.krl | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) (limited to 'PROTOCOL.krl') diff --git a/PROTOCOL.krl b/PROTOCOL.krl index 115f80e5d..f4213156e 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl @@ -37,6 +37,7 @@ The available section types are: #define KRL_SECTION_FINGERPRINT_SHA1 3 #define KRL_SECTION_SIGNATURE 4 #define KRL_SECTION_FINGERPRINT_SHA256 5 +#define KRL_SECTION_EXTENSION 255 2. Certificate section @@ -64,6 +65,7 @@ The certificate section types are: #define KRL_SECTION_CERT_SERIAL_RANGE 0x21 #define KRL_SECTION_CERT_SERIAL_BITMAP 0x22 #define KRL_SECTION_CERT_KEY_ID 0x23 +#define KRL_SECTION_CERT_EXTENSION 0x39 2.1 Certificate serial list section @@ -114,6 +116,29 @@ associated with a particular identity, e.g. a host or a user. This section must contain at least one "key_id". This section may appear multiple times. +2.5. Certificate Extension subsections + +This subsection type provides a generic extension mechanism to the +certificates KRL section that may be used to provide optional or critical +data. + +Extensions are stored in subsections of type +KRL_SECTION_CERT_EXTENSION with the following contents: + + string extension_name + boolean is_critical + string extension_contents. + +Where "extension_name" describes the type of extension. It is +recommended that user extensions follow "cert-name@domain.org" naming. + +The "is_critical" indicates whether this extension is mandatory or +optional. If true, then any unsupported extension encountered should +result in KRL parsing failure. If false, then it may be safely be +ignored. + +The "extension_contents" contains the body of the extension. + 3. Explicit key sections These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys @@ -144,7 +169,29 @@ as a big-endian integer. This section may appear multiple times. -5. KRL signature sections +5. Extension sections + +This section type provides a generic extension mechanism to the KRL +format that may be used to provide optional or critical data. + +Extensions are recorded in sections of type KRL_SECTION_EXTENSION +with the following contents: + + string extension_name + boolean is_critical + string extension_contents. + +Where "extension_name" describes the type of extension. It is +recommended that user extensions follow "name@domain.org" naming. + +The "is_critical" indicates whether this extension is mandatory or +optional. If true, then any unsupported extension encountered should +result in KRL parsing failure. If false, then it may be safely be +ignored. + +The "extension_contents" contains the body of the extension. + +6. KRL signature sections The KRL_SECTION_SIGNATURE section serves a different purpose to the preceding ones: to provide cryptographic authentication of a KRL that @@ -168,4 +215,4 @@ Implementations that retrieve KRLs over untrusted channels must verify signatures. Signature sections are optional for KRLs distributed by trusted means. -$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $ +$OpenBSD: PROTOCOL.krl,v 1.6 2023/07/17 03:57:21 djm Exp $ -- cgit v1.2.3