Corrupt KRL file when using multiple CA.

Peter Ankerstål peter at pean.org
Fri Nov 14 18:26:31 EST 2014


On 11/14/2014 03:34 AM, Damien Miller wrote:
> What version of OpenSSH are you using? I fixed a bug in KRL generation
> a few months ago:
>
> https://anongit.mindrot.org/openssh.git/commit/krl.c?id=2cd7929250cf9e9f658d70dcd452f529ba08c942
>
> On Thu, 13 Nov 2014, Peter Ankerst?l wrote:
>
>> Hi!
>>
>> It seems to be a problem when I have revoked keys from multiple CAs in one KRL
>> file.
>>
>> ssh refuses access and says:
>> Nov 13 13:32:15 q sshd[35438]: error: buffer_get_string_ptr: bad string length
>> 268032
>> Nov 13 13:32:15 q sshd[35438]: error: parse_revoked_certs: buffer error
>> Nov 13 13:32:15 q sshd[35438]: error: Invalid KRL, refusing public key
>> authentication
>>
>> How would I revoke keys from multiple CAs then? if I put multiple RevokedKeys
>> it only considers one file.
>>
>> The KRL is generated by:
>> ssh-keygen -k -u -f revoked_keys.bin -s ca1.pub revoked_keys1
>> ssh-keygen -k -u -f revoked_keys.bin -s ca2.pub revoked_keys2
>>
>>
>> revokes_keys[1-2] has the format:
>> serial: 2134
>> serial: 2343
>> serial: 2842
>> serial: 8795
>>
>>
>
I recompiled openssh with that line added to krl.c but it gives the same 
result:

debug1: KRL version 0 generated at 20141114T080704
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: revoked_certs_for_ca_key: new CA RSA
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
buffer_get_string_ptr: bad string length 268032
parse_revoked_certs: buffer error
Invalid KRL, refusing public key authentication

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3738 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141114/7b86c49b/attachment-0001.bin>


More information about the openssh-unix-dev mailing list