[ssh_x509] empty x509v3-ecdsa-sha2-nistp256 key?

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Feb 9 16:37:17 EET 2017


Hi Roumen,

I am the Maverick API developer and had initial contact with Kent regarding this and the empty algorithm name.


> On 8 Feb 2017, at 21:30, ssh_x509 at roumenpetrov.info <mailto:ssh_x509 at roumenpetrov.info> wrote:
> 
> I did some tests with Maverick SSH 1.7.3 and I note some other incompatibilities but I think that my is correct.
> 
> Encoding of certificate chain - maverick sends [LEN+DER1+DER2], where LEN is common length of all DER encoded certificates.
> It should be <LEN1+DER1><LEN2+DER2>…

Yes this is correct and a bug in our API.

> 
> For RSA keys name of signature is only ssh-rsa. Maverick sends name of algorithm, i.e. x509v3-ssh-rsa.

Yes its sending the public key algorithm name. This has been fixed to send private key algorithm which remains to be ssh-rsa.

> 
> Finally I could connect to PKIX-SSH using SshX509RsaPublicKeyRfc6187 in following situation:
> - fixed key encoding in PKIX-SSH
> - work-around in PKIX-SSH to accept x509v3-ssh-rsa
> - pkcs#12 file has only one certificate!
> 

I had tested originally with your patch most likely using a self-signed certificate which explains why certificate encoding passed. Did you get more strict on the signature algorithm name at any point? I’m pretty sure the tests passed at that stage. 

I've made the necessary amendments to our API and released an interim update which can be found at the URL below.

https://s3-eu-west-1.amazonaws.com/sshtools-public/maverick/1.7.4-SNAPSHOT/maverick.zip <https://s3-eu-west-1.amazonaws.com/sshtools-public/maverick/1.7.4-SNAPSHOT/maverick.zip>

Regards

Lee

> 
> 
> Tests with EC keys are in progress.
> 
> Roumen
> 
> 
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info <mailto:ssh_x509 at roumenpetrov.info>
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info <http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info>



More information about the ssh_x509 mailing list