[ssh_x509] empty x509v3-ecdsa-sha2-nistp256 key?

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Feb 8 23:30:11 EET 2017

Hello all,

ssh_x509 at roumenpetrov.info wrote:
> Hi Kent,
>> Hi Roumen,
>> I never saw a response to the email  I sent a couple months ago (see 
>> link below).  It's been a while, but I could still use some help, if 
>> you have any suggestions...
> I approved the post but it was too late for feedback.
>> http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2016q4/000168.html 
> I did not find why the session does not work. Also I'm not able to test 
> compatibility with the application.
> Key material is used in verification of signature. In addition X.509 
> certificate is used in validation process.
> I could guess that some incompatibility in message format may raise 
> error like missing keys.
> I cannot say which application is not correct.
> At release time of PKIX-SSH with support for X.509 EC keys there was no 
> other application.
> Functions are x509key_to_blob2 and x509key_from_blob2.

I found that my implementation of RFC 6187 keys is not fully compatible 
with the specification.
The key material lacks the name of the algorithm.
For details, let's see the sample in RFC 6187 Appendix A:
      byte    SSH_MSG_KEXDH_REPLY
      string  0x00 0x00 0xXX 0xXX  -- length of the remaining data in
                                      this string
              0x00 0x00 0x00 0x0D  -- length of string "x509v3-ssh-dss"
              0x00 0x00 0x00 0x02  -- there are 2 certificates
              0x00 0x00 0xXX 0xXX  -- length of sender certificate
              DER-encoded sender certificate
              0x00 0x00 0xXX 0xXX  -- length of issuer certificate
              DER-encoded issuer certificate
              0x00 0x00 0x00 0x01  -- there is 1 OCSP response
              0x00 0x00 0xXX 0xXX  -- length of OCSP response
              DER-encoded OCSP response
      mpint   f
Remark: length of string in sample above should be 0x0E.

The above will be corrected in the upcoming release with backward-compatible 
detection of the broken version, i.e. if PKIX-SSH detects that the remote system 
is an old PKIX-SSH it will not send the name of the algorithm.

I did some tests with Maverick SSH 1.7.3 and I noted some other 
incompatibilities but I think that mine is correct.

Encoding of certificate chain - Maverick sends [LEN+DER1+DER2], where 
LEN is the common length of all DER encoded certificates.
It should be <LEN1+DER1><LEN2+DER2>...

For RSA keys the name of the signature is only ssh-rsa. Maverick sends the name of 
the algorithm, i.e. x509v3-ssh-rsa.

Finally I could connect to PKIX-SSH using SshX509RsaPublicKeyRfc6187 in 
the following situation:
- fixed key encoding in PKIX-SSH
- work-around in PKIX-SSH to accept x509v3-ssh-rsa
- pkcs#12 file has only one certificate!

Tests with EC keys are in progress.
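
The key blob layout from the RFC 6187 sample quoted above, as an added example that is not PKIX-SSH or Maverick code: an encoder plus a strict parser that rejects a blob without the leading algorithm name or with a certificate list that is not individually length-prefixed. All function names are hypothetical, the certificate bytes are constructed placeholders rather than real DER, and the DER itself is not validated.

```python
import struct

class BlobError(ValueError):
    """Raised when a key blob does not follow the RFC 6187 layout."""

def ssh_string(data: bytes) -> bytes:
    # SSH "string": uint32 big-endian length followed by the raw bytes.
    return struct.pack(">I", len(data)) + data

def encode_blob(alg: str, certs, ocsp=()) -> bytes:
    # Algorithm name first, then a count and per-item length-prefixed DER.
    out = ssh_string(alg.encode("ascii")) + struct.pack(">I", len(certs))
    out += b"".join(ssh_string(c) for c in certs)
    out += struct.pack(">I", len(ocsp))
    return out + b"".join(ssh_string(r) for r in ocsp)

def _u32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise BlobError("truncated uint32 at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf: bytes, off: int):
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise BlobError("string overruns blob at offset %d" % off)
    return buf[off:off + n], off + n

def _items(buf: bytes, off: int):
    # Count, then that many strings; the bounds checks stop bogus counts.
    count, off = _u32(buf, off)
    items = []
    for _ in range(count):
        item, off = _string(buf, off)
        items.append(item)
    return items, off

def parse_blob(blob: bytes):
    name, off = _string(blob, 0)
    if not name.startswith(b"x509v3-"):
        raise BlobError("blob does not start with an x509v3-* algorithm name")
    certs, off = _items(blob, off)
    ocsp, off = _items(blob, off)
    if off != len(blob):
        raise BlobError("trailing bytes after OCSP responses")
    return name.decode("ascii"), certs, ocsp

if __name__ == "__main__":
    # Constructed placeholder bytes, not real DER certificates.
    blob = encode_blob("x509v3-ssh-dss", [b"\x30\x01A", b"\x30\x01B"], [b"\x30\x01O"])
    print(blob[:4].hex(), parse_blob(blob))
```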

