History log of /openbsd/usr.bin/ssh/PROTOCOL.krl (Results 1 – 7 of 7)
Revision Date Author Comments
# a63bc561 17-Jul-2023 djm <djm@openbsd.org>

remove vestigial support for KRL signatures

When the KRL format was originally defined, it included support for
signing of KRL objects. However, the code to sign KRLs and verify KRL
signatures was never completed in OpenSSH.

Now, some years later, we have SSHSIG support in ssh-keygen that is
more general, well tested and actually works. So this removes the
semi-finished KRL signing/verification support from OpenSSH and
refactors the remaining code to realise the benefit - primarily, we
no longer need to perform multiple parsing passes over KRL objects.

ok markus@



# 95561aef 17-Jul-2023 djm <djm@openbsd.org>

Support for KRL extensions.

This defines wire formats for optional KRL extensions and implements
parsing of the new submessages. No actual extensions are supported at
this point.

ok markus


# 76f3571a 12-Sep-2018 djm <djm@openbsd.org>

allow key revocation by SHA256 hash and allow ssh-keygen to create KRLs
using SHA256/base64 key fingerprints; ok markus@


# 27a1722d 10-Apr-2018 djm <djm@openbsd.org>

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 5604398d 30-Jan-2015 djm <djm@openbsd.org>

permit KRLs that revoke certificates by serial number or key ID
without scoping to a particular CA; ok markus@


# 8fa65b3f 18-Jan-2013 djm <djm@openbsd.org>

RCD IDs help us keep portable in synch


# bc6ad73f 17-Jan-2013 djm <djm@openbsd.org>

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@
