Mailing List Archive

ssh-keygen -Ql: avoid repeated SHA256: in output
Hello list,

If a key is revoked by public key, when printing it, ssh-keygen adds a
hardcoded "SHA256:" prefix and then prints the result of
sshkey_fingerprint, which does already include that "SHA256:" prefix.
Patch below, with extra context lines.

Also, while verifying this didn't mess up the output for other formats,
I realized that if you create a KRL with an input file like

sha256: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDx8M2XyhHYN9SS1JzTXNipKfLN2P8ybBqi9S16o1sZs

or

hash: SHA256:K2Qu+94rdYJHJ62DTON67p5YejCsW4j3tA6fuTEpMmo

when printed, it gets printed as

hash: SHA256:2b642efbde2b75824727ad834ce37aee9e587a30ac5b88f7b40e9fb93129326a

which is quite unusual. In particular, ssh-keygen itself isn't able to
parse that kind of line. I know that ssh-keygen -Ql output aims to be
*similar* to, but not necessarily compatible with, the input format. Also
I didn't find any "tob64" function to replace the "tohex" call.

-Lucas

diff c70493106c794797cfb174ed7460065b1a4a89f7 /usr/src
blob - 1975ae6005abdad42436f049c7ed5511c66ea151
file + usr.bin/ssh/krl.c
--- usr.bin/ssh/krl.c
+++ usr.bin/ssh/krl.c
@@ -1382,15 +1382,15 @@ krl_dump(struct ssh_krl *krl, FILE *f)
}
if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
SSH_FP_DEFAULT)) == NULL) {
ret = SSH_ERR_INVALID_FORMAT;
error("sshkey_fingerprint failed");
continue;
}
- fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+ fprintf(f, "hash: %s # %s\n", fp, sshkey_ssh_name(key));
free(fp);
free(key);
}
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
fp = tohex(rb->blob, rb->len);
fprintf(f, "hash: SHA256:%s\n", fp);
free(fp);
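Review bot: the replaced fprintf drops the doubled prefix for keys revoked by public key, but the loop in the trailing context, `RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s)`, still prints `hash: SHA256:%s` with `tohex(rb->blob, rb->len)`, so the two kinds of `hash:` line now disagree in encoding: the unpadded base64 that sshkey_fingerprint returns on one, 64 hex characters on the other, and as the cover mail notes only the base64 form is accepted back as KRL input. Consider encoding `rb->blob` as unpadded base64 in that branch so both lines share the fingerprint format, or at least add a comment above that `fprintf(f, "hash: SHA256:%s\n", fp);` saying the hex line is informational and cannot be re-ingested with ssh-keygen -k. A line in the commit message saying the -Ql output change is intentional would help anyone who scrapes the old format.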
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
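The encoding mismatch Lucas describes, shown as an added example written for this page (it is not code from OpenSSH's krl.c or ssh-keygen.c). The two constants are the digest strings from the mail: the base64 form that was fed in and the hex form that -Ql printed back. `parse_krl_hash_line` is a hypothetical stand-in for ssh-keygen's KRL input reader, modelled only on the behaviour the mail reports (base64 after "SHA256:" accepted, hex not); its name, the 32-byte length check and the `b64_*` helper names are assumptions. `tohex` reproduces the lowercase-hex output of the krl_dump branch in the context lines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed vectors from the mail: the base64 digest given to ssh-keygen -k
 * and the hex string that ssh-keygen -Ql printed back for the same digest. */
#define PAGE_B64 "K2Qu+94rdYJHJ62DTON67p5YejCsW4j3tA6fuTEpMmo"
#define PAGE_HEX "2b642efbde2b75824727ad834ce37aee9e587a30ac5b88f7b40e9fb93129326a"

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Unpadded base64, the encoding used after "SHA256:" in OpenSSH fingerprints. */
char *b64_encode_nopad(const unsigned char *in, size_t len)
{
    char *out = malloc((len + 2) / 3 * 4 + 1);
    size_t i, o = 0;
    if (out == NULL) return NULL;
    for (i = 0; i < len; i += 3) {
        unsigned int v = (unsigned int)in[i] << 16;
        if (i + 1 < len) v |= (unsigned int)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        if (i + 1 < len) out[o++] = B64[(v >> 6) & 63];
        if (i + 2 < len) out[o++] = B64[v & 63];
    }
    out[o] = '\0';
    return out;
}

/* Decode n unpadded base64 chars into out; returns byte count or -1 on bad input. */
int b64_decode_nopad(const char *in, size_t n, unsigned char *out, size_t outsz)
{
    size_t i, o = 0;
    unsigned int acc = 0, bits = 0;
    if (n % 4 == 1) return -1;      /* a lone trailing sextet is never valid */
    for (i = 0; i < n; i++) {
        const char *p = in[i] ? strchr(B64, in[i]) : NULL;
        if (p == NULL) return -1;
        acc = (acc << 6) | (unsigned int)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outsz) return -1;
            out[o++] = (acc >> bits) & 0xff;
            acc &= (1u << bits) - 1;
        }
    }
    return (int)o;
}

/* Lowercase hex, the form krl_dump's tohex() branch prints. */
char *tohex(const unsigned char *in, size_t len)
{
    char *out = malloc(len * 2 + 1);
    size_t i;
    if (out == NULL) return NULL;
    for (i = 0; i < len; i++)
        snprintf(out + i * 2, 3, "%02x", in[i]);
    return out;
}

/* Hypothetical reader for a KRL "hash:" line, modelled on the shape the mail shows
 * as accepted: "hash: SHA256:<base64>" decoding to exactly 32 bytes. 1 = accepted. */
int parse_krl_hash_line(const char *line, unsigned char digest[32])
{
    unsigned char buf[64];
    const char *p = line;
    size_t tl;
    if (strncmp(p, "hash:", 5) != 0) return 0;
    p += 5 + strspn(p + 5, " \t");
    if (strncmp(p, "SHA256:", 7) != 0) return 0;
    p += 7;
    tl = strcspn(p, " \t#\r\n");    /* payload ends at blank or '#' comment */
    /* 64 hex chars are all valid base64 symbols but decode to 48 bytes, not 32 */
    if (tl == 0 || b64_decode_nopad(p, tl, buf, sizeof(buf)) != 32) return 0;
    memcpy(digest, buf, 32);
    return 1;
}

/* Dump the mail's digest as "hash: SHA256:<enc>" in hex (use_hex=1, what the tohex
 * branch does today) or base64, then feed it back to the reader. 1 = round-trips. */
int hash_line_accepted(int use_hex)
{
    unsigned char d[32], back[32];
    char line[160], *enc;
    int ok;
    if (b64_decode_nopad(PAGE_B64, strlen(PAGE_B64), d, sizeof(d)) != 32) return 0;
    enc = use_hex ? tohex(d, sizeof(d)) : b64_encode_nopad(d, sizeof(d));
    if (enc == NULL) return 0;
    snprintf(line, sizeof(line), "hash: SHA256:%s\n", enc);
    ok = parse_krl_hash_line(line, back) == 1 && memcmp(d, back, 32) == 0;
    free(enc);
    return ok;
}

int main(void)
{
    printf("base64 accepted: %d, hex accepted: %d\n", hash_line_accepted(0), hash_line_accepted(1));
    return 0;
}
```

Built with `cc -Wall -o krlhash krlhash.c`, the program reports the base64 line as accepted and the hex line as rejected: the hex characters are all legal base64 symbols, so the failure is not a character-set error but a length mismatch (48 decoded bytes instead of 32), which is why a -Ql dump of hash-revoked entries cannot simply be fed back to ssh-keygen -k.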
Re: ssh-keygen -Ql: avoid repeated SHA256: in output
Lucas <lucas@sexy.is> wrote:
> If a key is revoked by public key, when printing it, ssh-keygen adds a
> hardcoded "SHA256:" prefix and then prints the result of
> sshkey_fingerprint, which does already include that "SHA256:" prefix.
> Patch below, with extra context lines.
>
> Also, while verifying this didn't mess up the output for other formats,
> I realized that if you create a KRL with an input file like
>
> sha256: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDx8M2XyhHYN9SS1JzTXNipKfLN2P8ybBqi9S16o1sZs
>
> or
>
> hash: SHA256:K2Qu+94rdYJHJ62DTON67p5YejCsW4j3tA6fuTEpMmo
>
> when printed, it gets printed as
>
> hash: SHA256:2b642efbde2b75824727ad834ce37aee9e587a30ac5b88f7b40e9fb93129326a
>
> which is quite unusual. In particular, ssh-keygen itself isn't able to
> parse that kind of line. I know that ssh-keygen -Ql output aims to be
> *similar* to, but not necessarily compatible with, the input format. Also
> I didn't find any "tob64" function to replace the "tohex" call.

Bump.

diff c70493106c794797cfb174ed7460065b1a4a89f7 /usr/src
blob - 1975ae6005abdad42436f049c7ed5511c66ea151
file + usr.bin/ssh/krl.c
--- usr.bin/ssh/krl.c
+++ usr.bin/ssh/krl.c
@@ -1382,15 +1382,15 @@ krl_dump(struct ssh_krl *krl, FILE *f)
}
if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
SSH_FP_DEFAULT)) == NULL) {
ret = SSH_ERR_INVALID_FORMAT;
error("sshkey_fingerprint failed");
continue;
}
- fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+ fprintf(f, "hash: %s # %s\n", fp, sshkey_ssh_name(key));
free(fp);
free(key);
}
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
fp = tohex(rb->blob, rb->len);
fprintf(f, "hash: SHA256:%s\n", fp);
free(fp);
Re: ssh-keygen -Ql: avoid repeated SHA256: in output
Lucas <lucas@sexy.is> wrote:
> Hello list,
>
> If a key is revoked by public key, when printing it, ssh-keygen adds a
> hardcoded "SHA256:" prefix and then prints the result of
> sshkey_fingerprint, which does already include that "SHA256:" prefix.
> Patch below, with extra context lines.

Bump again. Is this the correct list or should I send it to tech@
instead?


diff c70493106c794797cfb174ed7460065b1a4a89f7 /usr/src
blob - 1975ae6005abdad42436f049c7ed5511c66ea151
file + usr.bin/ssh/krl.c
--- usr.bin/ssh/krl.c
+++ usr.bin/ssh/krl.c
@@ -1382,15 +1382,15 @@ krl_dump(struct ssh_krl *krl, FILE *f)
}
if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
SSH_FP_DEFAULT)) == NULL) {
ret = SSH_ERR_INVALID_FORMAT;
error("sshkey_fingerprint failed");
continue;
}
- fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
+ fprintf(f, "hash: %s # %s\n", fp, sshkey_ssh_name(key));
free(fp);
free(key);
}
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
fp = tohex(rb->blob, rb->len);
fprintf(f, "hash: SHA256:%s\n", fp);
free(fp);
Re: ssh-keygen -Ql: avoid repeated SHA256: in output
applied - thanks!

On Mon, 25 Apr 2022, Lucas wrote:

> Lucas <lucas@sexy.is> wrote:
> > Hello list,
> >
> > If a key is revoked by public key, when printing it, ssh-keygen adds a
> > hardcoded "SHA256:" prefix and then prints the result of
> > sshkey_fingerprint, which does already include that "SHA256:" prefix.
> > Patch below, with extra context lines.
>
> Bump again. Is this the correct list or should I send it to tech@
> instead?
>
>
> diff c70493106c794797cfb174ed7460065b1a4a89f7 /usr/src
> blob - 1975ae6005abdad42436f049c7ed5511c66ea151
> file + usr.bin/ssh/krl.c
> --- usr.bin/ssh/krl.c
> +++ usr.bin/ssh/krl.c
> @@ -1382,15 +1382,15 @@ krl_dump(struct ssh_krl *krl, FILE *f)
> }
> if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
> SSH_FP_DEFAULT)) == NULL) {
> ret = SSH_ERR_INVALID_FORMAT;
> error("sshkey_fingerprint failed");
> continue;
> }
> - fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key));
> + fprintf(f, "hash: %s # %s\n", fp, sshkey_ssh_name(key));
> free(fp);
> free(key);
> }
> RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) {
> fp = tohex(rb->blob, rb->len);
> fprintf(f, "hash: SHA256:%s\n", fp);
> free(fp);