[ssh_x509] other key formats from RFC 6187

ssh_x509 at roumenpetrov.info
Sun May 22 12:25:12 EEST 2016


ssh_x509 at roumenpetrov.info wrote:
> [SNIP]
>
> I've been trying to get Maverick legacy client to work with PKIX-SSH 
> using its "SshX509EcdsaSha2Nist256Rfc6187" key, but so far no luck (I 
> think the issue is in how I'm creating the certificate for the 
> elliptical key).
Perhaps you could try with keys and certificates generated for 
regression tests.


> FWIW, I was previously able to get Maverick legacy client to work with 
> PKIX-SSH using its "SshX509RsaPublicKey" key, which maps to 
> x509v3-sign-rsa, which makes the issue I'm having now all the more 
> frustrating  ;)
I just successfully finished a test with the open source version 1.5.5 of 
the Maverick legacy client.
The test uses the pkcs12 file "testid_rsa-rsa_sha1.p12" created by the 
PKIX-SSH regression test.
The code is based on the X509Connect sample, with a modification to use 
the x509v3-sign-rsa algorithm (see attachment 
j2ssh-maverick-1.5.5-example.patch).


I have an issue with the known hosts file - j2ssh crashes on lines in the 
format "<algorithm> <distinguished name>" even if the line starts with a 
comment '#'.
Otherwise the client skips "unsupported base64 encoded keys":
Invalid host entry in .../.ssh/known_hosts
<host> ssh-ed25519 AAAA....
Not so important, but comments are expected to be ignored.

> I was really hoping that PKIX-SSH supported any of x509v3-ssh-dss, 
> x509v3-ssh-rsa, or x509v3-rsa2048-sha256 - as that would be closer to 
> what I had working before...
For sure it will be implemented if I find a smart way to encode keys for 
various public key algorithms from a single "keystore (private key+x.509 
certificate+issuer certificates)".
For historical reasons a "public key" could just be appended to the 
"authorized keys file". This should be taken into account.


[SNIP]

Roumen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: j2ssh-maverick-1.5.5-example.patch
Type: text/x-diff
Size: 1812 bytes
Desc: not available
URL: <http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/attachments/20160522/2ea34403/attachment-0001.bin>

