package krl

import "math/big"

// We (unfortunately) make extensive use of x/crypto/ssh.Unmarshal's "rest"
// parameter here. The KRL specification makes extensive use of sections placed
// back-to-back, and there's no other way to get x/crypto/ssh.Unmarshal to emit
// the portion of the input that has not yet been parsed.

// krlMagic is KRL_MAGIC: the eight bytes "SSHKRL\n\0" read as a big-endian
// uint64. It is the first field of every KRL blob (see krlHeader.KRLMagic).
const krlMagic = 0x5353484b524c0a00

/*
#define KRL_MAGIC		0x5353484b524c0a00ULL  /* "SSHKRL\n\0" * /
#define KRL_FORMAT_VERSION	1

	uint64	KRL_MAGIC
	uint32	KRL_FORMAT_VERSION
	uint64	krl_version
	uint64	generated_date
	uint64	flags
	string	reserved
	string	comment
*/
// krlHeader is the fixed header at the start of a KRL blob, laid out for
// x/crypto/ssh.Unmarshal. Field order is the wire order and must not change.
//
//   - KRLMagic: expected to equal krlMagic.
//   - KRLFormatVersion: expected to equal KRL_FORMAT_VERSION (1).
//     NOTE(review): neither check is performed in this file; it is the
//     caller's responsibility to reject a blob whose magic or version differ.
//   - KRLVersion, GeneratedDate, Flags: copied through from the header as-is.
//     No flag bits are defined in this file.
//   - Reserved, Comment: both are SSH "string" fields; Reserved is kept raw,
//     Comment is decoded as a Go string.
type krlHeader struct {
	KRLMagic         uint64
	KRLFormatVersion uint32
	KRLVersion       uint64
	GeneratedDate    uint64
	Flags            uint64
	Reserved         []byte
	Comment          string

	// Rest is the unparsed remainder of the blob: the back-to-back sections
	// that follow the header (each one decodes as a krlSection).
	Rest []byte `ssh:"rest"`
}

/*
	byte	section_type
	string	section_data

#define KRL_SECTION_CERTIFICATES		1
#define KRL_SECTION_EXPLICIT_KEY		2
#define KRL_SECTION_FINGERPRINT_SHA1		3
#define KRL_SECTION_SIGNATURE			4
*/
// krlSection is one top-level section of a KRL: a type byte followed by an
// SSH "string" holding the section payload. By name, the payload types map to
// krlCertificateSectionHeader (1), krlExplicitKey (2) and
// krlFingerprintSHA1 (3); a signature section (4) is instead decoded from the
// raw bytes via krlSignatureHeader, whose sshtype tag consumes the type byte
// itself. Handling of any other SectionType value is not visible in this file
// and is up to the parser.
type krlSection struct {
	SectionType byte
	SectionData []byte

	// Rest is the unparsed tail after this section, i.e. the bytes of the
	// next section, if any.
	Rest []byte `ssh:"rest"`
}

/*
	string ca_key
	string reserved
*/
// krlCertificateSectionHeader is the start of a KRL_SECTION_CERTIFICATES
// payload. CAKey is the ca_key string (presumably the issuing CA's public key
// blob, as in OpenSSH's PROTOCOL.krl — confirm in the consumer); Reserved is
// kept raw.
type krlCertificateSectionHeader struct {
	CAKey    []byte
	Reserved []byte

	// Rest holds the back-to-back krlCertificateSection records that make up
	// the remainder of the payload.
	Rest []byte `ssh:"rest"`
}

/*
	byte	cert_section_type
	string	cert_section_data

#define KRL_SECTION_CERT_SERIAL_LIST	0x20
#define KRL_SECTION_CERT_SERIAL_RANGE	0x21
#define KRL_SECTION_CERT_SERIAL_BITMAP	0x22
#define KRL_SECTION_CERT_KEY_ID		0x23
*/
// krlCertificateSection is one sub-section inside a certificate section.
// CertSectionType is one of the krlSectionCert* constants below and selects
// how CertSectionData is decoded: krlSerialList, krlSerialRange,
// krlSerialBitmap or krlKeyID respectively.
type krlCertificateSection struct {
	CertSectionType byte
	CertSectionData []byte

	// Rest is the unparsed tail: the next sub-section, if any.
	Rest []byte `ssh:"rest"`
}

// cert_section_type values for krlCertificateSection.CertSectionType,
// mirroring the KRL_SECTION_CERT_* defines quoted above.
const (
	krlSectionCertSerialList   = 0x20 // payload: repeated krlSerialList
	krlSectionCertSerialRange  = 0x21 // payload: krlSerialRange
	krlSectionCertSerialBitmap = 0x22 // payload: krlSerialBitmap
	krlSectionCertKeyId        = 0x23 // payload: repeated krlKeyID
)

/*
	uint64	revoked_cert_serial
	uint64	...
*/
// krlSerialList is one entry of a KRL_SECTION_CERT_SERIAL_LIST payload: a
// single revoked certificate serial. The full list is presumably recovered by
// unmarshalling Rest again until it is empty.
type krlSerialList struct {
	RevokedCertSerial uint64

	// Rest holds the remaining serials, if any.
	Rest []byte `ssh:"rest"`
}

/*
	uint64	serial_min
	uint64	serial_max
*/
// krlSerialRange is a KRL_SECTION_CERT_SERIAL_RANGE payload: a contiguous
// range of revoked serials. Per OpenSSH's PROTOCOL.krl the bounds are
// inclusive — confirm against the matching code, which is not in this file.
// No Rest field: the payload is exactly two uint64s.
type krlSerialRange struct {
	SerialMin uint64
	SerialMax uint64
}

/*
	uint64	serial_offset
	mpint	revoked_keys_bitmap
*/
// krlSerialBitmap is a KRL_SECTION_CERT_SERIAL_BITMAP payload. The SSH
// "mpint" decodes into a *big.Int; per OpenSSH's PROTOCOL.krl, bit i of
// RevokedKeysBitmap being set means serial SerialOffset+i is revoked —
// confirm in the consumer. NOTE(review): the bitmap's size is bounded only by
// the mpint's length prefix, so the consumer should not assume it is small.
type krlSerialBitmap struct {
	SerialOffset      uint64
	RevokedKeysBitmap *big.Int
}

/*
	string	key_id[0]
	...
*/
// krlKeyID is one entry of a KRL_SECTION_CERT_KEY_ID payload: a certificate
// key ID. The full list is presumably recovered by unmarshalling Rest again
// until it is empty.
type krlKeyID struct {
	KeyID string

	// Rest holds the remaining key IDs, if any.
	Rest []byte `ssh:"rest"`
}

/*
	string	public_key_blob[0]
	....
*/
// krlExplicitKey is one entry of a KRL_SECTION_EXPLICIT_KEY payload: a raw
// public key blob that is revoked outright. The full list is presumably
// recovered by unmarshalling Rest again until it is empty.
type krlExplicitKey struct {
	PublicKeyBlob []byte

	// Rest holds the remaining key blobs, if any.
	Rest []byte `ssh:"rest"`
}

/*
	string	public_key_hash[0]
	....
*/
// krlFingerprintSHA1 is one entry of a KRL_SECTION_FINGERPRINT_SHA1 payload:
// a digest of a revoked public key blob (SHA-1, per the section name; the
// digest length is not checked here). The full list is presumably recovered
// by unmarshalling Rest again until it is empty.
type krlFingerprintSHA1 struct {
	PublicKeyHash []byte

	// Rest holds the remaining hashes, if any.
	Rest []byte `ssh:"rest"`
}

/*
	byte	KRL_SECTION_SIGNATURE
	string	signature_key
	string	signature

We split this struct into two parts: krlSignatureHeader is included in the
signature, and so the inverse of its "Rest" key is the data covered by the
signature.
*/
// krlSignatureHeader is the signed prefix of a signature section. The
// sshtype:"4" tag makes x/crypto/ssh.Unmarshal require the leading byte to be
// KRL_SECTION_SIGNATURE (4) before reading SignatureKey, so this struct is
// decoded from the raw section bytes rather than from krlSection.SectionData.
// The bytes covered by the signature are everything before Rest, i.e.
// input[:len(input)-len(Rest)].
//
// NOTE(review): SignatureKey comes from the untrusted blob itself, so a valid
// signature only proves self-consistency; the consumer must compare the key
// against one it already trusts for the check to mean anything. That
// comparison is not in this file.
type krlSignatureHeader struct {
	SignatureKey []byte `sshtype:"4"`

	// Rest starts at the signature string and decodes as krlSignature.
	Rest []byte `ssh:"rest"`
}

// krlSignature is the unsigned tail of a signature section: the signature
// blob itself, decoded from krlSignatureHeader.Rest.
type krlSignature struct {
	Signature []byte

	// Rest is whatever follows the signature; per the section layout above
	// this would be the next section, if any.
	Rest []byte `ssh:"rest"`
}