Lucas <lucas@xxxxxxx> wrote: > If a key is revoked by public key, when printing it, ssh-keygen adds a > hardcoded "SHA256:" prefix and then prints the result of > sshkey_fingerprint, which does already include that "SHA256:" prefix. > Patch below, with extra context lines. > > Also, while verifying this didn't mess up the output for other formats, > I realized that if you create a KRL with an input file like > > sha256: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDx8M2XyhHYN9SS1JzTXNipKfLN2P8ybBqi9S16o1sZs > > or > > hash: SHA256:K2Qu+94rdYJHJ62DTON67p5YejCsW4j3tA6fuTEpMmo > > when printed, it gets printed as > > hash: SHA256:2b642efbde2b75824727ad834ce37aee9e587a30ac5b88f7b40e9fb93129326a > > which is quite unusual. In particular, ssh-keygen itself isn't able to > parse that kind of lines. I know that ssh-keygen -Ql output aims to be > *similar*, but not necessarily compatible, with the input format. Also > I didn't find any "tob64" function to replace "tohex" call. Bump. diff c70493106c794797cfb174ed7460065b1a4a89f7 /usr/src blob - 1975ae6005abdad42436f049c7ed5511c66ea151 file + usr.bin/ssh/krl.c --- usr.bin/ssh/krl.c +++ usr.bin/ssh/krl.c @@ -1382,15 +1382,15 @@ krl_dump(struct ssh_krl *krl, FILE *f) } if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) { ret = SSH_ERR_INVALID_FORMAT; error("sshkey_fingerprint failed"); continue; } - fprintf(f, "hash: SHA256:%s # %s\n", fp, sshkey_ssh_name(key)); + fprintf(f, "hash: %s # %s\n", fp, sshkey_ssh_name(key)); free(fp); free(key); } RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) { fp = tohex(rb->blob, rb->len); fprintf(f, "hash: SHA256:%s\n", fp); free(fp); _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev