Add revoke command

cassh-keyfile.sh

@@ -27,7 +27,7 @@ fi
 cassh_command=$2
 needs_agent=false
 case $cassh_command in
-issue)
+issue|revoke)
 	needs_agent=true
 	;;
 esac

cassh.1

@@ -38,6 +38,12 @@
 .Ic known_hosts
 .Op hostnames ...
 .Ek
+.Nm
+.Bk -words
+.Cm revoke
+.Op Fl qv
+.Ar
+.Ek
 .Sh DESCRIPTION
 .Nm
 is a small utility for issuing and revoking OpenSSH Certificates.
@@ -56,9 +62,14 @@ A Certification Authority directory consists of a
 .Pa ./ca.pub
 file corresponding to the public key of it, a
 .Pa ./pubkeys/
-directory which holds the public keys to be signed, and an optional
+directory which holds the public keys to be signed, an optional
+.Pa ./krl
+file corresponding to the last issued Key Revocation List, and optional
 .Pa ./serial.txt
-file holding the current serial number for the issued certificates.
+and
+.Pa ./krl_serial.txt
+files corresponding to the current serial number for the issued certificates
+and Key Revocation Lists.
 .Pp
 The following commands are available to
 .Nm :
@@ -128,15 +139,34 @@ are concatenated with commas and copied verbatim to the output.
 See
 .Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT
 for details.
+.It Cm revoke Oo Fl qv Oc Ar
+Generates a Key Revocation List for the current Certification Authority.
+All recognized options are passed down to
+.Xr ssh-keygen 1
+process.
+See
+.Xr ssh-keygen 1 KEY REVOCATION LISTS
+for details on the file format for input files.
+If
+.Pa ./krl
+exists,
+.Cm revoke
+will update.
+.Pa ./krl
+can be synced back with the input files by first removing it.
 .El
 .Sh FILES
-.Bl -tag -width MMMMMMMMMMMMMM -compact
+.Bl -tag -width MMMMMMMMMMMMMMMMMM -compact
 .It Pa ./ca.pub
 Certification Authority public key
 .It Pa ./pubkeys/
 Directory containing the public keys to be signed
+.It Pa ./krl
+Key Revocation List
 .It Pa ./serial.txt
-Last issued serial
+Last issued serial for certificates
+.It Pa ./krl_serial.txt
+Last issued serial for KRLs
 .El
 .Sh EXIT STATUS
 .Ex -std

cassh.sh

@@ -205,10 +205,42 @@ main_mkfile()
 	cat "$PATH_CA_PUB"
 }
 
+main_revoke()
+{
+	qflag=
+	vflag=
+	while getopts fqv flag; do
+		case $flag in
+		q)	qflag=-q ;;
+		v)	vflag=${vflag:--}v ;;
+		*)	usage ;;
+		esac
+	done
+	shift $(($OPTIND - 1))
+
+	if [ ! -f "$PATH_KRL_SERIAL" ]; then
+		echo 1 >"$PATH_KRL_SERIAL"
+	fi
+	read -r serial <"$PATH_KRL_SERIAL"
+
+	uflag=
+	if [ -f "$PATH_KRL" ]; then
+		uflag=-u
+	fi
+
+	ssh-keygen -kf "$PATH_KRL" -Us "$PATH_CA_PUB" -z "$serial" \
+	    $qflag $vflag $uflag "$@" || exit 1
+
+	serial=$(($serial + 1))
+	echo $serial >"$PATH_KRL_SERIAL"
+}
+
 set -u
 
 PATH_CA_PUB=./ca.pub
 PATH_CA_SERIAL=./serial.txt
+PATH_KRL=./krl
+PATH_KRL_SERIAL=./krl_serial.txt
 PATH_PUBKEYS_DIR=./pubkeys
 
 if [ $# -lt 1 ]; then
@@ -220,5 +252,6 @@ shift
 case $cmd in
 issue)	main_issue "$@" ;;
 mkfile)	main_mkfile "$@" ;;
+revoke)	main_revoke "$@" ;;
 *)	usage ;;
 esac