Documentation ¶
Overview ¶
Package krl provides functionality for reading and writing SSH Key Revocation Lists (KRLs).
References:
https://raw.githubusercontent.com/openssh/openssh-portable/master/PROTOCOL.krl
Index ¶
- type KRL
- type KRLCertificateKeyID
- type KRLCertificateSection
- type KRLCertificateSerialBitmap
- type KRLCertificateSerialList
- type KRLCertificateSerialRange
- type KRLCertificateSubsection
- type KRLExplicitKeySection
- type KRLFingerprintSHA256Section
- type KRLFingerprintSection
- type KRLSection
- type KRLSigningErrors
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type KRL ¶
type KRL struct {
	// Version is a number that increases every time the KRL is modified.
	// When marshaling a KRL, if Version is zero GeneratedDate will be used
	// instead.
	Version uint64
	// GeneratedDate is the Unix timestamp the KRL was generated at. When
	// marshaling a KRL, if GeneratedDate is zero the current Unix timestamp
	// will be used instead.
	GeneratedDate uint64
	// Comment is an optional comment for the KRL.
	Comment string
	// Sections is a list of public key and certificate selectors that this
	// KRL applies to.
	Sections []KRLSection
	// SigningKeys is set by ParseKRL and Marshal to the list of Signers
	// that signed (or which claimed to sign) the KRL in the order they
	// appeared (i.e., innermost-first).
	SigningKeys []ssh.PublicKey
}
KRL, or Key Revocation List, is a list of revoked keys, certificates, and identities, possibly signed by some authority. The zero value of KRL is appropriate for use, and represents an empty list.
func ParseKRL ¶
ParseKRL parses a KRL. If the KRL was signed by one or more authorities, those signatures are checked and any verification errors are returned. A valid signature only proves that the signer held the private key for the public key embedded alongside it; ParseKRL has no notion of which authorities are trusted, so callers that depend on the KRL being authoritative must compare SigningKeys against the keys they trust and reject a list signed by an unexpected key.
type KRLCertificateKeyID ¶
type KRLCertificateKeyID []string
KRLCertificateKeyID revokes certificates by listing key ids. This may be useful in revoking all certificates associated with a particular identity, for instance hosts or users.
type KRLCertificateSection ¶
type KRLCertificateSection struct {
	// CA is the certificate authority whose keys are being revoked by this
	// section. If CA is nil, this section applies to keys signed by any
	// certificate authority.
	CA ssh.PublicKey
	// Sections is a list of certificate selectors.
	Sections []KRLCertificateSubsection
}
KRLCertificateSection revokes SSH certificates by certificate authority and either serial numbers or key ids.
type KRLCertificateSerialBitmap ¶
KRLCertificateSerialBitmap revokes certificates densely using a bitmap. If bit N of the bitmap is set, the certificate with serial Offset + N is revoked.
type KRLCertificateSerialList ¶
type KRLCertificateSerialList []uint64
KRLCertificateSerialList revokes certificates by listing their serial numbers.
type KRLCertificateSerialRange ¶
type KRLCertificateSerialRange struct {
Min, Max uint64
}
KRLCertificateSerialRange revokes all certificates with serial numbers in the range between Min and Max, inclusive.
type KRLCertificateSubsection ¶
type KRLCertificateSubsection interface {
// contains filtered or unexported methods
}
KRLCertificateSubsection describes a subsection of a KRL certificate section and selects certain certificates for revocation. The concrete types KRLCertificateSerialList, KRLCertificateSerialRange, KRLCertificateSerialBitmap, and KRLCertificateKeyID satisfy this interface, and correspond to the four subsection types currently defined.
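As an added example (not code from this package), the four certificate subsections above decoded from the wire layout given in PROTOCOL.krl and matched against a certificate's serial number and key id. A certificates section body is the CA key as an SSH string (empty meaning any CA), a reserved string, and then a sequence of subsections, each a type byte followed by an SSH string holding that subsection's data. The sample section, the "example-ca" placeholder standing in for a wire-format CA key, and all function names are constructed for this example.

```go
package main
import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Certificate subsection type bytes from PROTOCOL.krl.
const (
	certSerialList   byte = 0x20 // repeated uint64 serial
	certSerialRange  byte = 0x21 // uint64 min, uint64 max (inclusive)
	certSerialBitmap byte = 0x22 // uint64 offset, mpint bitmap: bit N set => serial offset+N revoked
	certKeyID        byte = 0x23 // repeated string key_id
)

// str appends an SSH "string" (uint32 big-endian length, then bytes); u64 appends a uint64.
func str(b, s []byte) []byte { return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...) }
func u64(b []byte, v uint64) []byte { return binary.BigEndian.AppendUint64(b, v) }

// readStr consumes one SSH string, refusing a length that runs past the buffer.
func readStr(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, fmt.Errorf("truncated string")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// CertRevoked walks a certificates section body and reports whether the certificate issued by caKey with this
// serial and key id is revoked. Every length is checked; an unknown subsection type is an error, never skipped.
func CertRevoked(section, caKey []byte, serial uint64, keyID string) (bool, error) {
	sectionCA, body, err := readStr(section)
	if _, body, err = readStr(body); err != nil { // reserved field; also fails if ca_key was truncated
		return false, err
	}
	applies, revoked := len(sectionCA) == 0 || bytes.Equal(sectionCA, caKey), false // empty ca_key: any CA
	for len(body) > 0 {
		t, d := body[0], []byte(nil)
		if d, body, err = readStr(body[1:]); err != nil {
			return false, err
		}
		switch t {
		case certSerialList:
			for ; len(d) >= 8; d = d[8:] {
				revoked = revoked || binary.BigEndian.Uint64(d) == serial
			}
		case certSerialRange:
			if len(d) != 16 {
				return false, fmt.Errorf("serial range is not 16 bytes")
			}
			lo, hi := binary.BigEndian.Uint64(d), binary.BigEndian.Uint64(d[8:])
			if lo > hi {
				return false, fmt.Errorf("serial range min exceeds max")
			}
			revoked, d = revoked || (lo <= serial && serial <= hi), nil
		case certSerialBitmap:
			if len(d) < 8 {
				return false, fmt.Errorf("truncated serial bitmap")
			}
			offset, raw := binary.BigEndian.Uint64(d), []byte(nil)
			if raw, d, err = readStr(d[8:]); err != nil {
				return false, err
			}
			bm := new(big.Int).SetBytes(raw) // mpint magnitude; a leading 0x00 sign byte is harmless here
			if n := serial - offset; serial >= offset && n < uint64(bm.BitLen()) && bm.Bit(int(n)) == 1 {
				revoked = true
			}
		case certKeyID: // the post statement compares the id read by the previous iteration
			for id := []byte(nil); len(d) > 0; revoked = revoked || string(id) == keyID {
				if id, d, err = readStr(d); err != nil {
					return false, err
				}
			}
		default:
			return false, fmt.Errorf("unsupported certificate subsection type 0x%02x", t)
		}
		if len(d) != 0 {
			return false, fmt.Errorf("trailing bytes in certificate subsection 0x%02x", t)
		}
	}
	return applies && revoked, nil
}

// SampleSection is a constructed section: "example-ca" stands in for a wire-format CA key.
func SampleSection() []byte {
	b := str(str(nil, []byte("example-ca")), nil)                           // ca_key, reserved
	b = append(b, str([]byte{certSerialList}, u64(u64(nil, 7), 9))...)      // serials 7 and 9
	b = append(b, str([]byte{certSerialRange}, u64(u64(nil, 100), 110))...) // serials 100..110
	b = append(b, str([]byte{certSerialBitmap}, str(u64(nil, 1000), []byte{1, 0, 0, 0, 0, 0, 0, 0, 9}))...) // offset 1000, mpint 2^64+9: bits 0, 3, 64 => serials 1000, 1003, 1064
	return append(b, str([]byte{certKeyID}, str(nil, []byte("deploy@example.org")))...)
}

func main() {
	for _, serial := range []uint64{8, 9, 105, 1003, 1064, 1065} {
		revoked, err := CertRevoked(SampleSection(), []byte("example-ca"), serial, "alice")
		fmt.Println(serial, revoked, err)
	}
}
```

The bitmap is carried as an mpint, so bit 64 of the sample sits in the leading byte of a nine-byte big-endian integer, which big.Int.SetBytes reads directly. The decoder errors out instead of skipping anything it does not understand: a revocation check that silently drops a selector fails open.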
type KRLExplicitKeySection ¶
KRLExplicitKeySection revokes keys by explicitly listing them.
type KRLFingerprintSHA256Section ¶
KRLFingerprintSHA256Section revokes keys by their SHA256 fingerprints. It is semantically equivalent to, but more space efficient than, KRLExplicitKeySection.
type KRLFingerprintSection ¶
KRLFingerprintSection revokes keys by their SHA1 fingerprints. It is semantically equivalent to, but more space efficient than, KRLExplicitKeySection. Prefer KRLFingerprintSHA256Section when writing new lists; SHA1 fingerprints are retained for compatibility with older KRLs.
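To make concrete what the three key-revoking sections store, here is an added example (not the package's own code) that builds the section bodies for a constructed ed25519 key and matches keys against each. An explicit-key section holds the whole wire-format key blob; the SHA1 and SHA256 fingerprint sections hold the raw 20- or 32-byte digest of that same blob, with none of the "SHA256:" prefix or base64 seen in ssh-keygen output. The two keys come from fixed, constructed seeds, and every function name is this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Key-revoking section types from PROTOCOL.krl.
const (
	secExplicitKey       byte = 2 // repeated string public_key (wire-format blob)
	secFingerprintSHA1   byte = 3 // repeated string fingerprint (raw 20-byte digest)
	secFingerprintSHA256 byte = 5 // repeated string fingerprint (raw 32-byte digest)
)

// sshString appends a uint32-length-prefixed SSH string.
func sshString(b, s []byte) []byte {
	return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
}

// Ed25519Blob returns the wire-format public key blob ("ssh-ed25519", then the 32 raw bytes).
// Fingerprints are digests of this blob, not of the base64 text in authorized_keys.
func Ed25519Blob(pub ed25519.PublicKey) []byte {
	return sshString(sshString(nil, []byte("ssh-ed25519")), pub)
}

// entryFor returns what a section of type t stores for a key: the whole blob, or its raw digest.
func entryFor(t byte, blob []byte) ([]byte, error) {
	switch t {
	case secExplicitKey:
		return blob, nil
	case secFingerprintSHA1:
		d := sha1.Sum(blob)
		return d[:], nil
	case secFingerprintSHA256:
		d := sha256.Sum256(blob)
		return d[:], nil
	}
	return nil, fmt.Errorf("not a key-revoking section type: %d", t)
}

// SectionBody builds the body of a section of type t that revokes the given key blobs.
func SectionBody(t byte, blobs [][]byte) ([]byte, error) {
	var out []byte
	for _, blob := range blobs {
		e, err := entryFor(t, blob)
		if err != nil {
			return nil, err
		}
		out = sshString(out, e)
	}
	return out, nil
}

// KeyRevoked walks a section body of type t and reports whether blob is revoked by it.
// A fingerprint entry of the wrong length is malformed and is reported, not silently skipped.
func KeyRevoked(t byte, body, blob []byte) (bool, error) {
	want, err := entryFor(t, blob)
	if err != nil {
		return false, err
	}
	revoked := false
	for len(body) > 0 {
		if len(body) < 4 || uint64(len(body)-4) < uint64(binary.BigEndian.Uint32(body)) {
			return false, fmt.Errorf("truncated section entry")
		}
		n := binary.BigEndian.Uint32(body)
		entry := body[4 : 4+n]
		body = body[4+n:]
		if t != secExplicitKey && len(entry) != len(want) {
			return false, fmt.Errorf("fingerprint entry is %d bytes, want %d", len(entry), len(want))
		}
		revoked = revoked || bytes.Equal(entry, want)
	}
	return revoked, nil
}

// SampleKeys returns two constructed ed25519 public keys from fixed seeds (demo keys only).
func SampleKeys() (a, b ed25519.PublicKey) {
	a = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xA5}, ed25519.SeedSize)).Public().(ed25519.PublicKey)
	b = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x5A}, ed25519.SeedSize)).Public().(ed25519.PublicKey)
	return a, b
}

func main() {
	a, b := SampleKeys()
	for _, t := range []byte{secExplicitKey, secFingerprintSHA1, secFingerprintSHA256} {
		body, _ := SectionBody(t, [][]byte{Ed25519Blob(a)})
		ra, _ := KeyRevoked(t, body, Ed25519Blob(a))
		rb, _ := KeyRevoked(t, body, Ed25519Blob(b))
		fmt.Printf("section type %d: %d bytes, revokes a=%v b=%v\n", t, len(body), ra, rb)
	}
}
```

For one ed25519 key the bodies are 55, 24 and 36 bytes respectively, which is the space saving the text refers to; for RSA keys the gap is far larger. The length check matters because a SHA1 body misread as a SHA256 section (or vice versa) can never match anything, and a checker that accepted it would quietly stop revoking.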
type KRLSection ¶
type KRLSection interface {
// contains filtered or unexported methods
}
KRLSection describes a section of a KRL, which selects certain certificates and keys for revocation. The concrete types KRLCertificateSection, KRLExplicitKeySection, KRLFingerprintSection, and KRLFingerprintSHA256Section satisfy this interface, and correspond to the four revocation section types this package supports.
type KRLSigningErrors ¶
type KRLSigningErrors []error
KRLSigningErrors is a slice of errors that corresponds one-to-one with KRL.SigningKeys: entry i is the verification result for SigningKeys[i].
func (KRLSigningErrors) Error ¶
func (k KRLSigningErrors) Error() string