[ssh_x509] empty x509v3-ecdsa-sha2-nistp256 key?

ssh_x509 at roumenpetrov.info
Thu Mar 9 22:11:38 EET 2017


Hi Lee,
[SNIP]

> I’ve updated X509Connect.java example to use certificate chain.
I did some tests with the development branch of j2ssh-maverick - 1.5.6(?).

The test PublicKeyConnect.java passes with host keys x509v3-ecdsa-sha2-*, 
x509v3-ssh-rsa and x509v3-ssh-dss.

X509Connect.java fails with: java.lang.ClassCastException: 
[Ljava.security.cert.Certificate; cannot be cast to 
[Ljava.security.cert.X509Certificate;
Substituting X509Certificate -> Certificate resolves the cast issue.


> [SNIP]
> For users interested in our open source API, the RFC 6187 implementations are now available in that version also, currently in the develop branch. https://github.com/sshtools/j2ssh-maverick/ <https://github.com/sshtools/j2ssh-maverick/>
The encoding of RFC 6187 keys is not as expected.
Let's review, for instance, the method getEncoded in 
SshX509RsaPublicKeyRfc6187.java.
The whole chain is written as a string (1), where each certificate is 
also written as a string (2).
It should be only (2), i.e.
....
    writer.writeInt(certs.length);
    for (Certificate c : certs) {
        writer.writeBinaryString(c.getEncoded());
    }
....
The use of the ByteArrayWriter chain (1) is extra.


The next issue is the count of OCSP responses - zero is written twice.


After correction of the two cases mentioned above, the PKIX-SSH server 
rejects the signature because the name is "x509v3-ssh-rsa" instead of "ssh-rsa".


The situation is the same for EC and DSA RFC 6187 keys.


> Regards
>
> Lee


Regards
Roumen
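The RFC 6187 key blob layout the mail refers to (certificate count, one string per certificate, one OCSP count, and the signature carrying the plain algorithm name), as an added example that is not part of the original mail nor of j2ssh-maverick or PKIX-SSH. The certificate and signature bytes are constructed placeholders rather than real DER, the defective encoder is only an approximation of the two defects described above, and the function names `encode_rfc6187_key`, `decode_rfc6187_key`, `signature_algorithm_for` and the `MAX_ENTRIES` limit are assumptions of this example:

```python
import struct

# SSH wire primitives (RFC 4251 section 5): uint32 is big-endian,
# string is a uint32 length followed by that many bytes.
def ssh_uint32(n: int) -> bytes:
    return struct.pack(">I", n)

def ssh_string(data: bytes) -> bytes:
    return ssh_uint32(len(data)) + data

def encode_rfc6187_key(key_type: bytes, certs, ocsp_responses=()) -> bytes:
    """RFC 6187 section 2.1 public key blob:
         string  key type ("x509v3-ssh-rsa", ...)
         uint32  certificate-count
         string  certificate[1..certificate-count]
         uint32  ocsp-response-count
         string  ocsp-response[1..ocsp-response-count]
    The chain is not wrapped in an outer string and each count appears once."""
    out = ssh_string(key_type) + ssh_uint32(len(certs))
    for cert in certs:
        out += ssh_string(cert)
    out += ssh_uint32(len(ocsp_responses))
    for resp in ocsp_responses:
        out += ssh_string(resp)
    return out

def encode_rfc6187_key_defective(key_type: bytes, certs, ocsp_responses=()) -> bytes:
    """Constructed approximation of the two defects discussed in the mail: the whole
    chain goes through a second writer and lands as one string (1), and the OCSP
    count is emitted twice.  Kept only to show how a strict decoder reacts."""
    chain = ssh_uint32(len(certs))
    for cert in certs:
        chain += ssh_string(cert)
    out = ssh_string(key_type) + ssh_string(chain)
    out += ssh_uint32(len(ocsp_responses)) + ssh_uint32(len(ocsp_responses))
    for resp in ocsp_responses:
        out += ssh_string(resp)
    return out

class _Reader:
    """Bounds-checked reader over an SSH blob."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def uint32(self) -> int:
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated uint32")
        (n,) = struct.unpack(">I", self.buf[self.pos:self.pos + 4])
        self.pos += 4
        return n

    def string(self) -> bytes:
        n = self.uint32()
        if self.pos + n > len(self.buf):
            raise ValueError("string length exceeds blob")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data

    def at_end(self) -> bool:
        return self.pos == len(self.buf)

# Counts come from the peer; cap them before they size any allocation (assumed limit).
MAX_ENTRIES = 16

def decode_rfc6187_key(blob: bytes):
    """Return (key_type, certs, ocsp_responses); raise ValueError on any deviation
    from the RFC 6187 layout, including trailing bytes."""
    r = _Reader(blob)
    key_type = r.string()
    if not key_type.startswith(b"x509v3-"):
        raise ValueError("not an RFC 6187 key type: %r" % key_type)
    n_certs = r.uint32()
    if n_certs < 1 or n_certs > MAX_ENTRIES:
        raise ValueError("implausible certificate count %d" % n_certs)
    certs = [r.string() for _ in range(n_certs)]
    n_ocsp = r.uint32()
    if n_ocsp > MAX_ENTRIES:
        raise ValueError("implausible OCSP response count %d" % n_ocsp)
    ocsp = [r.string() for _ in range(n_ocsp)]
    if not r.at_end():
        raise ValueError("%d trailing bytes after key blob" % (len(blob) - r.pos))
    return key_type, certs, ocsp

def is_wellformed(blob: bytes) -> bool:
    """True when decode_rfc6187_key accepts the blob."""
    try:
        decode_rfc6187_key(blob)
        return True
    except ValueError:
        return False

def signature_algorithm_for(key_type: bytes) -> bytes:
    """RFC 6187 section 3: a signature made with an x509v3-* key is encoded under the
    plain algorithm name, so "x509v3-ssh-rsa" signs as "ssh-rsa", "x509v3-ssh-dss"
    as "ssh-dss" and "x509v3-ecdsa-sha2-nistp256" as "ecdsa-sha2-nistp256"."""
    prefix = b"x509v3-"
    if not key_type.startswith(prefix):
        raise ValueError("not an RFC 6187 key type: %r" % key_type)
    return key_type[len(prefix):]

def encode_signature(key_type: bytes, raw_signature: bytes) -> bytes:
    """Signature blob: string algorithm name, string signature bytes."""
    return ssh_string(signature_algorithm_for(key_type)) + ssh_string(raw_signature)

# Constructed sample input: stand-ins for DER certificates, not real X.509 data.
SAMPLE_CERTS = [b"LEAF-CERT-DER-PLACEHOLDER", b"CA-CERT-DER-PLACEHOLDER"]

if __name__ == "__main__":
    good = encode_rfc6187_key(b"x509v3-ssh-rsa", SAMPLE_CERTS)
    print(decode_rfc6187_key(good))
    bad = encode_rfc6187_key_defective(b"x509v3-ssh-rsa", SAMPLE_CERTS)
    print("defective blob accepted:", is_wellformed(bad))
    print(encode_signature(b"x509v3-ssh-rsa", b"SIG-PLACEHOLDER"))
```

The decoder caps both counts before allocating anything, which is what a server parsing peer-supplied key blobs needs anyway; as a side effect it is also what catches the double-wrapped chain, because the length of the outer string is read where the certificate count should be, and the duplicated OCSP count shows up as trailing bytes.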



