[ssh_x509] x509v3-sign-rsa public key format (for public key auth)

ssh_x509 at roumenpetrov.info
Wed Mar 15 23:56:06 EET 2017


Hi Nick,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
>
> I'm trying to figure out how to get public key auth going using
> x509v3-ssh-rsa and x509v3-ssh-dss.  In your release notes you noted
> some differences between the current and older versions in how the
> publickey blob is encoded.  Can you elaborate on this?
Only ecdsa keys are impacted.
The rsa and dsa format is implemented for the first time in version 10.0, so
there is no need to be backward compatible for those algorithms.

> I've tried the
> following from the RFC to encode the public public key with cert chain
> but it doesn't seem to be working.
>
>       string  "x509v3-ssh-dss" / "x509v3-ssh-rsa" /
>               "x509v3-rsa2048-sha256" / "x509v3-ecdsa-sha2-[identifier]"
Versions before 1.0 do not encode the algorithm identifier.
>       uint32  certificate-count
>       string  certificate[1..certificate-count]
>
> Thanks,
>
> Nick

I have a dump of a server host rsa key in the 6187 format:
....
server_host_public
0000: 00 00 00 0e 78 35 30 39 76 33 2d 73 73 68 2d 72 ....x509v3-ssh-r
0016: 73 61 00 00 00 03 00 00 05 09 30 82 05 05 30 82 sa........0...0.
0032: 04 6e a0 03 02 01 02 02 09 20 04 02 16 09 06 00  .n....... ......
0048: 00 03 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 ..0...*.H.......
0064: 00 30 81 a5 31 0b 30 09 06 03 55 04 06 13 02 58 .0..1.0...U....X
0080: 58 31 0e 30 0c 06 03 55 04 08 0c 05 57 6f 72 6c X1.0...U....Worl
0096: 64 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 d1.0...U....Some
0112: 77 68 65 72 65 31 16 30 14 06 03 55 04 0a 0c 0d where1.0...U....
0128: 53 53 48 20 54 65 73 74 20 54 65 61 6d 31 14 30  SSH Test Team1.0
0144: 12 06 03 55 04 0b 0c 0b 53 53 48 20 54 65 73 74  ...U....SSH Test
0160: 65 72 73 31 22 30 20 06 03 55 04 0b 0c 19 53 53  ers1"0 ..U....SS
0176: 48 20 54 65 73 74 65 72 73 20 72 73 61 5f 73 68  H Testers rsa_sh
0192: 61 31 20 6b 65 79 73 31 20 30 1e 06 03 55 04 03  a1 keys1 0...U..
0208: 0c 17 53 53 48 20 54 65 73 74 43 41 20 72 73 61  ..SSH TestCA rsa
0224: 5f 73 68 61 31 20 6b 65 79 30 1e 17 0d 31 37 30  _sha1 key0...170
0240: 32 31 31 31 31 33 33 31 36 5a 17 0d 31 37 30 34 211113316Z..1704
0256: 31 32 31 31 33 33 31 36 5a 30 81 9f 31 0b 30 09 12113316Z0..1.0.
0272: 06 03 55 04 06 13 02 58 58 31 0e 30 0c 06 03 55 ..U....XX1.0...U
0288: 04 08 0c 05 57 6f 72 6c 64 31 16 30 14 06 03 55 ....World1.0...U
0304: 04 0a 0c 0d 53 53 48 20 54 65 73 74 20 54 65 61  ....SSH Test Tea
.... + about 200 lines more

RFC 6187 Appendix A provides the same, but with a small error in the
length of the algorithm name: 0x0D -> 0x0E.
After the algorithm identifier, the dump above shows 3 certificates; 0x509 is
the length of the first certificate, followed by the DER-encoded certificate, and so on.

Roumen
-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
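An added example, not code from the message or from the secsh project: a small Python parser for the RFC 6187 public key blob layout quoted above. DUMP_PREFIX holds the first 30 bytes of the server_host_public dump in the message; the three-byte "certificates" built in demo() are constructed placeholders, not real DER certificates, and the algorithm name set is assumed from the names the thread lists.

```python
import struct

# Algorithm names quoted from the RFC excerpt in the thread (assumed list).
KNOWN = {"x509v3-ssh-rsa", "x509v3-ssh-dss", "x509v3-rsa2048-sha256"}


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string': uint32 big-endian length followed by bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_header(blob: bytes):
    """Parse only the fixed prefix (algorithm, certificate-count, length of
    certificate[1]); this works on a truncated dump like the one above."""
    name_b, off = _read_string(blob, 0)
    name = name_b.decode("ascii")
    if name not in KNOWN and not name.startswith("x509v3-ecdsa-sha2-"):
        # A wrong name length (e.g. 0x0d instead of 0x0e) lands here.
        raise ValueError(f"unknown algorithm {name!r}")
    count, first_len = struct.unpack_from(">II", blob, off)
    return name, count, first_len


def parse_blob(blob: bytes):
    """Parse a complete blob; return (algorithm, [DER certificate bytes])."""
    name, count, _ = parse_header(blob)
    off = 4 + len(name) + 4
    certs = []
    for _ in range(count):
        der, off = _read_string(blob, off)
        if len(der) < 2 or der[0] != 0x30:      # DER SEQUENCE tag expected
            raise ValueError("certificate is not a DER SEQUENCE")
        certs.append(der)
    if off != len(blob):
        raise ValueError("trailing bytes after certificate chain")
    return name, certs


def encode_blob(name: str, certs) -> bytes:
    """Inverse of parse_blob: string name, uint32 count, string cert[i]."""
    out = struct.pack(">I", len(name)) + name.encode("ascii")
    out += struct.pack(">I", len(certs))
    for der in certs:
        out += struct.pack(">I", len(der)) + der
    return out


# First 30 bytes of the server_host_public dump quoted in the message.
DUMP_PREFIX = bytes.fromhex(
    "0000000e 783530397633 2d7373682d727361 00000003 00000509 30820505")


def demo():
    # Constructed placeholder "certificates": a DER SEQUENCE wrapping INTEGER 5.
    fake = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
    return parse_blob(encode_blob("x509v3-ssh-rsa", [fake, fake, fake]))
```

parse_header(DUMP_PREFIX) yields the algorithm name, the count 3 and the first-certificate length 0x509 discussed in the message; note that 0x509 is exactly the DER outer length 0x505 plus its 4-byte header.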