krl

Published: Feb 2, 2022 License: MIT Imports: 9 Imported by: 4
Documentation

Overview

Package krl provides functionality for reading and writing SSH Key Revocation Lists (KRLs).

References:

https://raw.githubusercontent.com/openssh/openssh-portable/master/PROTOCOL.krl

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KRL

type KRL struct {
	// Version is a number that increases every time the KRL is modified.
	// When marshaling a KRL, if Version is zero GeneratedDate will be used
	// instead.
	Version uint64
	// GeneratedDate is the Unix timestamp the KRL was generated at. When
	// marshaling a KRL, if GeneratedDate is zero the current Unix timestamp
	// will be used instead.
	GeneratedDate uint64
	// Comment is an optional comment for the KRL.
	Comment string
	// Sections is a list of public key and certificate selectors that this
	// KRL applies to.
	Sections []KRLSection
	// SigningKeys is set by ParseKRL and Marshal to the list of Signers
	// that signed (or which claimed to sign) the KRL in the order they
	// appeared (i.e., innermost-first).
	SigningKeys []ssh.PublicKey
}

KRL, or Key Revocation List, is a list of revoked keys, certificates, and identities, possibly signed by some authority. The zero value of KRL is appropriate for use, and represents an empty list.

func ParseKRL

func ParseKRL(in []byte) (*KRL, error)

ParseKRL parses a KRL. If the KRL was signed by one or more authorities, those signatures will be checked, and any verification errors will be returned.

func (*KRL) IsRevoked

func (k *KRL) IsRevoked(key ssh.PublicKey) bool

IsRevoked returns true if the given key has been revoked by this KRL.

func (*KRL) Marshal

func (k *KRL) Marshal(rand io.Reader, keys ...ssh.Signer) ([]byte, error)

Marshal serializes the KRL and optionally signs it with one or more authority keys.

type KRLCertificateKeyID

type KRLCertificateKeyID []string

KRLCertificateKeyID revokes certificates by listing key ids. This may be useful in revoking all certificates associated with a particular identity, for instance hosts or users.

type KRLCertificateSection

type KRLCertificateSection struct {
	// CA is the certificate authority whose keys are being revoked by this
	// section. If CA is nil, this section applies to keys signed by any
	// certificate authority.
	CA ssh.PublicKey
	// Sections is a list of certificate selectors.
	Sections []KRLCertificateSubsection
}

KRLCertificateSection revokes SSH certificates by certificate authority and either serial numbers or key ids.

type KRLCertificateSerialBitmap

type KRLCertificateSerialBitmap struct {
	Offset uint64
	Bitmap *big.Int
}

KRLCertificateSerialBitmap revokes certificates densely using a bitmap. If bit N of the bitmap is set, the certificate with serial Offset + N is revoked.

type KRLCertificateSerialList

type KRLCertificateSerialList []uint64

KRLCertificateSerialList revokes certificates by listing their serial numbers.

type KRLCertificateSerialRange

type KRLCertificateSerialRange struct {
	Min, Max uint64
}

KRLCertificateSerialRange revokes all certificates with serial numbers in the range between Min and Max, inclusive.

type KRLCertificateSubsection

type KRLCertificateSubsection interface {
	// contains filtered or unexported methods
}

KRLCertificateSubsection describes a subsection of a KRL certificate section, and selects certain certificates for revocation. The concrete types KRLCertificateSerialList, KRLCertificateSerialRange, KRLCertificateSerialBitmap, and KRLCertificateKeyID satisfy this interface, and correspond to the four subsections currently defined.
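The three serial-based subsections select certificates by different encodings of the same idea: an explicit list, an inclusive Min..Max range, and a bitmap whose bit N stands for serial Offset + N. The following is an added, standard-library-only example (not the krl package's own code) that mirrors those three types with local stand-ins, implements the selection rule each one documents, builds the dense bitmap form from a set of serials, and handles the bitmap edge cases (nil bitmap, serial below Offset, serial beyond the bitmap's length). The type and function names are this example's own, not the package's.

```go
package main

import (
	"fmt"
	"math/big"
)

// Local stand-ins for KRLCertificateSerialList, KRLCertificateSerialRange and
// KRLCertificateSerialBitmap (example code, not the krl package's types). They
// carry the same fields so the documented selection rules can be exercised.
type serialList []uint64
type serialRange struct{ Min, Max uint64 }
type serialBitmap struct {
	Offset uint64
	Bitmap *big.Int
}

// serialSelector plays the role of KRLCertificateSubsection for serials:
// does this subsection revoke the certificate with the given serial?
type serialSelector interface {
	revokes(serial uint64) bool
}

// An explicit list revokes exactly the serials it contains.
func (l serialList) revokes(serial uint64) bool {
	for _, s := range l {
		if s == serial {
			return true
		}
	}
	return false
}

// Min and Max are inclusive, as documented for KRLCertificateSerialRange.
func (r serialRange) revokes(serial uint64) bool {
	return serial >= r.Min && serial <= r.Max
}

// Bit N set means serial Offset+N is revoked. Serials below Offset, or beyond
// the highest set bit, are simply not covered by this subsection.
func (b serialBitmap) revokes(serial uint64) bool {
	if b.Bitmap == nil || serial < b.Offset {
		return false
	}
	n := serial - b.Offset
	if n >= uint64(b.Bitmap.BitLen()) {
		return false
	}
	return b.Bitmap.Bit(int(n)) == 1
}

// bitmapFromSerials builds the dense form: the smallest serial becomes Offset
// and every serial s sets bit (s - Offset).
func bitmapFromSerials(serials []uint64) serialBitmap {
	if len(serials) == 0 {
		return serialBitmap{Bitmap: new(big.Int)}
	}
	lo := serials[0]
	for _, s := range serials[1:] {
		if s < lo {
			lo = s
		}
	}
	bm := new(big.Int)
	for _, s := range serials {
		bm.SetBit(bm, int(s-lo), 1)
	}
	return serialBitmap{Offset: lo, Bitmap: bm}
}

// anyRevokes applies every subsection of one certificate section; a serial is
// revoked if any subsection selects it.
func anyRevokes(subs []serialSelector, serial uint64) bool {
	for _, s := range subs {
		if s.revokes(serial) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample section: a list, a range and a bitmap (serials 1000, 1003, 1004).
	subs := []serialSelector{
		serialList{7, 42},
		serialRange{Min: 100, Max: 110},
		bitmapFromSerials([]uint64{1000, 1003, 1004}),
	}
	for _, serial := range []uint64{7, 8, 100, 110, 111, 999, 1000, 1001, 1004} {
		fmt.Printf("serial %d revoked: %v\n", serial, anyRevokes(subs, serial))
	}
}
```

When choosing an encoding for a real KRL, the bitmap is the compact choice for many serials clustered near one Offset, the range for a contiguous block, and the list for a handful of scattered serials; whichever is chosen, the revocation decision is the same any-subsection-matches rule shown above.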

type KRLExplicitKeySection

type KRLExplicitKeySection []ssh.PublicKey

KRLExplicitKeySection revokes keys by explicitly listing them.

type KRLFingerprintSHA256Section

type KRLFingerprintSHA256Section [][sha256.Size]byte

KRLFingerprintSHA256Section revokes keys by their SHA256 fingerprints. It is semantically equivalent to, but more space efficient than, KRLExplicitKeySection.
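The equivalence with KRLExplicitKeySection holds because a SHA256 fingerprint is just the SHA256 of the key's SSH wire-format blob (the bytes ssh.PublicKey.Marshal returns), which is what the PROTOCOL.krl reference above specifies for the SHA256 fingerprint section. The following added example (standard library only; not the krl package's own code) builds that blob by hand for an ed25519 key, derives the [sha256.Size]byte entry a KRLFingerprintSHA256Section would hold, and checks a key against a set of such entries. The helper and type names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sshString encodes a byte string in SSH wire format: uint32 big-endian length
// followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ed25519Blob builds the "ssh-ed25519" public key blob: the key type name as a
// string, then the 32-byte public key as a string. This matches the blob that
// golang.org/x/crypto/ssh produces via PublicKey.Marshal for an ed25519 key.
func ed25519Blob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// fingerprintSHA256 is the SHA256 over the key blob: the value one entry of a
// KRLFingerprintSHA256Section carries (ssh-keygen -l prints it base64-encoded).
func fingerprintSHA256(blob []byte) [sha256.Size]byte {
	return sha256.Sum256(blob)
}

// fingerprintSet mirrors a KRLFingerprintSHA256Section as a lookup set keyed by
// the raw 32-byte digest (example type, not the package's).
type fingerprintSet map[[sha256.Size]byte]struct{}

// newFingerprintSet fingerprints each revoked key blob and records the digest;
// the original key bytes are not kept, which is where the space saving comes from.
func newFingerprintSet(revokedBlobs ...[]byte) fingerprintSet {
	s := make(fingerprintSet, len(revokedBlobs))
	for _, blob := range revokedBlobs {
		s[fingerprintSHA256(blob)] = struct{}{}
	}
	return s
}

// revoked reports whether the key with the given wire-format blob is in the set.
func (s fingerprintSet) revoked(blob []byte) bool {
	_, ok := s[fingerprintSHA256(blob)]
	return ok
}

func main() {
	// Constructed sample keys: one revoked, one not.
	revokedPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	set := newFingerprintSet(ed25519Blob(revokedPub))
	fmt.Printf("revoked key flagged: %v\n", set.revoked(ed25519Blob(revokedPub)))
	fmt.Printf("other key flagged:   %v\n", set.revoked(ed25519Blob(otherPub)))
	fp := fingerprintSHA256(ed25519Blob(revokedPub))
	fmt.Printf("entry stored: %x\n", fp[:])
}
```

A KRLFingerprintSection works the same way with sha1.Size byte digests; SHA256 is the one to prefer for new lists, since a SHA1 fingerprint identifies a key only as strongly as SHA1 resists collisions.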

type KRLFingerprintSection

type KRLFingerprintSection [][sha1.Size]byte

KRLFingerprintSection revokes keys by their SHA1 fingerprints. It is semantically equivalent to, but more space efficient than, KRLExplicitKeySection.

type KRLSection

type KRLSection interface {
	// contains filtered or unexported methods
}

KRLSection describes a section of a KRL, which selects certain certificates and keys for revocation. The concrete types KRLCertificateSection, KRLExplicitKeySection, KRLFingerprintSection, and KRLFingerprintSHA256Section satisfy this interface, and correspond to the types of KRL sections currently defined.

type KRLSigningErrors

type KRLSigningErrors []error

KRLSigningErrors is a slice of errors that correspond one-to-one with KRL.SigningKeys.

func (KRLSigningErrors) Error

func (k KRLSigningErrors) Error() string
