package krl
import "math/big"
// We (unfortunately) make extensive use of x/crypto/ssh.Unmarshal's "rest"
// parameter here. The KRL specification makes extensive use of sections placed
// back-to-back, and there's no other way to get x/crypto/ssh.Unmarshal to emit
// the portion of the input that has not yet been parsed.
// krlMagic is the fixed 64-bit value that opens every KRL. Read as eight
// bytes, most significant first, it spells "SSHKRL\n\0" (KRL_MAGIC in the
// spec excerpt below). It is left untyped so it compares directly against
// krlHeader.KRLMagic (uint64); a header whose magic differs is not a KRL.
const krlMagic = 0x5353484b524c0a00
/*
#define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" * /
#define KRL_FORMAT_VERSION 1
uint64 KRL_MAGIC
uint32 KRL_FORMAT_VERSION
uint64 krl_version
uint64 generated_date
uint64 flags
string reserved
string comment
*/
// krlHeader is the fixed header at the start of a KRL, declared in the wire
// order of the spec excerpt above so that ssh.Unmarshal can decode it.
//
//   - KRLMagic: must equal krlMagic ("SSHKRL\n\0").
//   - KRLFormatVersion: on-wire format version; the excerpt above defines
//     only version 1.
//   - KRLVersion: the KRL's own version number (krl_version above).
//   - GeneratedDate: generation time as a raw uint64 (presumably seconds
//     since the Unix epoch, as in OpenSSH; not interpreted in this file).
//   - Flags: flag bits; no values are defined in this file.
//   - Reserved: opaque reserved string, not interpreted.
//   - Comment: free-form text, not interpreted.
//   - Rest: everything after the header, i.e. the back-to-back sections
//     (ssh.Unmarshal's "rest" tag); each is decoded as a krlSection.
//
// NOTE(review): this declaration enforces nothing. Whoever unmarshals the
// header should reject a wrong magic or an unsupported format version before
// acting on any other field.
type krlHeader struct {
	KRLMagic         uint64
	KRLFormatVersion uint32
	KRLVersion       uint64
	GeneratedDate    uint64
	Flags            uint64
	Reserved         []byte
	Comment          string
	Rest             []byte `ssh:"rest"`
}
/*
byte section_type
string section_data
#define KRL_SECTION_CERTIFICATES 1
#define KRL_SECTION_EXPLICIT_KEY 2
#define KRL_SECTION_FINGERPRINT_SHA1 3
#define KRL_SECTION_SIGNATURE 4
#define KRL_SECTION_FINGERPRINT_SHA256 5
*/
// krlSection is one generic section of the body that follows krlHeader.
//
//   - SectionType: one of the KRL_SECTION_* values listed above (1..5).
//   - SectionData: the section body, opaque at this level; how it is
//     decoded depends on SectionType (krlCertificateSectionHeader,
//     krlExplicitKey, krlFingerprintSHA1, krlFingerprintSHA256).
//   - Rest: the remaining, not-yet-parsed sections.
//
// The signature section (type 4) has its own structs, krlSignatureHeader and
// krlSignature, because verifying it needs the raw bytes that precede the
// signature rather than an already-split SectionData.
type krlSection struct {
	SectionType byte
	SectionData []byte
	Rest        []byte `ssh:"rest"`
}
/*
string ca_key
string reserved
*/
// krlCertificateSectionHeader opens a KRL_SECTION_CERTIFICATES section.
//
//   - CAKey: encoded public key (opaque bytes here); presumably the CA whose
//     certificates the following sub-sections revoke — confirm against the
//     caller.
//   - Reserved: reserved string, not interpreted.
//   - Rest: the back-to-back krlCertificateSection entries that follow.
type krlCertificateSectionHeader struct {
	CAKey    []byte
	Reserved []byte
	Rest     []byte `ssh:"rest"`
}
/*
byte cert_section_type
string cert_section_data
#define KRL_SECTION_CERT_SERIAL_LIST 0x20
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
#define KRL_SECTION_CERT_KEY_ID 0x23
*/
// krlCertificateSection is one sub-section inside a certificates section,
// following krlCertificateSectionHeader.
//
//   - CertSectionType: one of the krlSectionCert* constants (0x20..0x23).
//   - CertSectionData: the sub-section body, decoded according to
//     CertSectionType as krlSerialList, krlSerialRange, krlSerialBitmap or
//     krlKeyID.
//   - Rest: the remaining sub-sections of this certificates section.
type krlCertificateSection struct {
	CertSectionType byte
	CertSectionData []byte
	Rest            []byte `ssh:"rest"`
}
// Certificate sub-section types, i.e. the KRL_SECTION_CERT_* values from the
// spec excerpt above: serial list (0x20), serial range (0x21), serial bitmap
// (0x22) and key ID (0x23). The spec numbers them consecutively, so counting
// up from 0x20 with iota reproduces the spec values exactly. The constants
// stay untyped so they compare against CertSectionType (byte) or any integer.
const (
	krlSectionCertSerialList = iota + 0x20
	krlSectionCertSerialRange
	krlSectionCertSerialBitmap
	krlSectionCertKeyId
)
/*
uint64 revoked_cert_serial
uint64 ...
*/
// krlSerialList decodes one entry of a KRL_SECTION_CERT_SERIAL_LIST body.
//
//   - RevokedCertSerial: one revoked certificate serial number.
//   - Rest: the serials still to be decoded; the list is presumably walked by
//     unmarshalling Rest again until it is empty.
type krlSerialList struct {
	RevokedCertSerial uint64
	Rest              []byte `ssh:"rest"`
}
/*
uint64 serial_min
uint64 serial_max
*/
// krlSerialRange is the body of a KRL_SECTION_CERT_SERIAL_RANGE sub-section:
// an inclusive range of revoked certificate serials. There is no "rest"
// field, so the sub-section is expected to consist of exactly these two
// values.
//
// NOTE(review): nothing here enforces SerialMin <= SerialMax. A consumer
// should treat an inverted range as malformed input rather than silently
// reading it as empty or all-inclusive.
type krlSerialRange struct {
	SerialMin uint64
	SerialMax uint64
}
/*
uint64 serial_offset
mpint revoked_keys_bitmap
*/
// krlSerialBitmap is the body of a KRL_SECTION_CERT_SERIAL_BITMAP
// sub-section.
//
//   - SerialOffset: base serial number of the bitmap.
//   - RevokedKeysBitmap: the mpint bitmap, decoded into a *big.Int. Per the
//     KRL spec a set bit n marks serial SerialOffset+n as revoked — confirm
//     against the code that interprets it.
//
// NOTE(review): both values come from the KRL file, so SerialOffset plus a
// bit index can wrap a uint64; a consumer should bound that sum rather than
// assume it is monotonic.
type krlSerialBitmap struct {
	SerialOffset      uint64
	RevokedKeysBitmap *big.Int
}
/*
string key_id[0]
...
*/
// krlKeyID decodes one entry of a KRL_SECTION_CERT_KEY_ID body.
//
//   - KeyID: one revoked certificate key ID, matched as an opaque string.
//   - Rest: the remaining key IDs, decoded by unmarshalling Rest again.
type krlKeyID struct {
	KeyID string
	Rest  []byte `ssh:"rest"`
}
/*
string public_key_blob[0]
....
*/
// krlExplicitKey decodes one entry of a KRL_SECTION_EXPLICIT_KEY section.
//
//   - PublicKeyBlob: one revoked public key as an opaque encoded blob; this
//     file does not parse it.
//   - Rest: the remaining key blobs, decoded by unmarshalling Rest again.
type krlExplicitKey struct {
	PublicKeyBlob []byte
	Rest          []byte `ssh:"rest"`
}
/*
string public_key_hash[0]
....
*/
// krlFingerprintSHA1 decodes one entry of a KRL_SECTION_FINGERPRINT_SHA1
// section.
//
//   - PublicKeyHash: one revoked key identified by hash (presumably the raw
//     SHA-1 digest of its encoded public key; the length is not checked here).
//   - Rest: the remaining hashes, decoded by unmarshalling Rest again.
type krlFingerprintSHA1 struct {
	PublicKeyHash []byte
	Rest          []byte `ssh:"rest"`
}
/*
string public_key_hash[0]
....
*/
// krlFingerprintSHA256 decodes one entry of a KRL_SECTION_FINGERPRINT_SHA256
// section; it has the same shape as krlFingerprintSHA1 but carries SHA-256
// digests.
//
//   - PublicKeyHash: one revoked key identified by hash (presumably the raw
//     SHA-256 digest of its encoded public key; the length is not checked
//     here).
//   - Rest: the remaining hashes, decoded by unmarshalling Rest again.
type krlFingerprintSHA256 struct {
	PublicKeyHash []byte
	Rest          []byte `ssh:"rest"`
}
/*
byte KRL_SECTION_SIGNATURE
string signature_key
string signature
We split this struct into two parts: krlSignatureHeader is included in the
signature, and so the inverse of its "Rest" key is the data covered by the
signature.
*/
// krlSignatureHeader is the first half of a KRL_SECTION_SIGNATURE section.
// The `sshtype:"4"` tag makes ssh.Unmarshal require the leading section-type
// byte to be 4 (KRL_SECTION_SIGNATURE), so this struct is decoded straight
// from the section stream rather than from a krlSection's SectionData.
//
//   - SignatureKey: the encoded public key the signature is claimed to be
//     made with (opaque bytes here).
//   - Rest: the bytes after SignatureKey. Everything in the input *before*
//     Rest — the header, all preceding sections, the type byte and
//     SignatureKey itself — is what the signature covers; the signature
//     proper is then decoded from Rest as a krlSignature.
//
// NOTE(review): SignatureKey is taken from the KRL being verified, so a valid
// signature only proves the file was signed by the holder of that key. The
// verifier must also check SignatureKey against a trusted set; that check
// does not live in this file.
type krlSignatureHeader struct {
	SignatureKey []byte `sshtype:"4"`
	Rest         []byte `ssh:"rest"`
}
// krlSignature is the second half of a KRL_SECTION_SIGNATURE section,
// decoded from krlSignatureHeader.Rest.
//
//   - Signature: the encoded signature over the data that precedes it (see
//     krlSignatureHeader); not parsed or verified here.
//   - Rest: whatever follows the signature section, i.e. any further
//     sections.
type krlSignature struct {
	Signature []byte
	Rest      []byte `ssh:"rest"`
}