[ssh_x509] RFC 6187 Support ?

ssh_x509 at roumenpetrov.info
Tue Feb 5 17:56:54 EET 2019

Fellow PKIXSSH'ers,

 	I was recently writing an SSH Agent that was backed by X.509v3
certificates with RSA keys (on smartcards) and after implementing 
"ssh-rsa" (draft RFC, and RFC 4253) I added support for "x509v3-ssh-rsa" 
keys from RFC 6187.

Specifically RFC 6187 Section 2.1:

 	string  "x509v3-ssh-dss" / "x509v3-ssh-rsa" /
 	        "x509v3-rsa2048-sha256" / "x509v3-ecdsa-sha2-[identifier]"
 	uint32  certificate-count
 	string  certificate[1..certificate-count]
 	uint32  ocsp-response-count
 	string  ocsp-response[0..ocsp-response-count]

So the final result looked something like

 	[0, 0, 0, 14, "x509v3-ssh-rsa",
 	 0, 0, 0,  1, <certificateLengthAsUint32>, <certificateBytes>,
 	 0, 0, 0,  0]

However the "ssh-add" command that came with PKIXSSH 11.6 could not 
understand this, and instead appeared to only support keys in the older 
"x509v3-sign-rsa" format.  Many of my tools do not work well with 
"x509v3-sign-rsa" format keys since they are unprefixed blobs, unlike 
"x509v3-ssh-rsa" which is tagged with its format.

I read through some of the documentation and there was mention of RFC 6187 
support, but only for EC keys.

Is there any hope of adding RFC 6187 support for RSA keys to PKIXSSH?

 	Roy Keene
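The RFC 6187 Section 2.1 layout quoted in the message, as an added example that is not part of the original post and not code from PKIXSSH: an encoder and a strict decoder for the "x509v3-ssh-rsa" public-key blob, plus a check that tells a tagged RFC 6187 blob apart from an untagged "x509v3-sign-rsa" style blob (a bare DER certificate). The certificate bytes are a constructed placeholder that merely begins like a DER SEQUENCE; they are not a real X.509 certificate, and the function and constant names are this example's own.

```python
import struct

# Key-type tag from RFC 6187 Section 2.1 for RSA keys carried in X.509v3 certificates.
KEY_TYPE_RSA = b"x509v3-ssh-rsa"

# Constructed placeholder: starts like a DER SEQUENCE (0x30 0x82 ...) so it looks
# like the raw-DER "x509v3-sign-rsa" style blob, but it is NOT a real certificate.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xAA" * 256


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_x509v3_key(key_type: bytes, certs, ocsp_responses=()) -> bytes:
    """Build the RFC 6187 2.1 blob: tag, certificate list, OCSP response list."""
    certs = list(certs)
    ocsp_responses = list(ocsp_responses)
    if not certs:
        # The first entry is the sender's own certificate, so an empty list is useless.
        raise ValueError("RFC 6187 key blob needs at least the sender's certificate")
    out = ssh_string(key_type)
    out += struct.pack(">I", len(certs))
    for cert in certs:
        out += ssh_string(cert)
    out += struct.pack(">I", len(ocsp_responses))
    for resp in ocsp_responses:
        out += ssh_string(resp)
    return out


def _read_uint32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32 at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _read_string(buf: bytes, off: int):
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("string of length %d overruns blob at offset %d" % (n, off))
    return buf[off:off + n], off + n


def _read_string_list(buf: bytes, off: int):
    count, off = _read_uint32(buf, off)
    # Every string costs at least its 4-byte length field; reject counts that
    # could never fit, so a hostile count cannot drive a long loop.
    if count > (len(buf) - off) // 4:
        raise ValueError("count %d cannot fit in %d remaining bytes" % (count, len(buf) - off))
    items = []
    for _ in range(count):
        item, off = _read_string(buf, off)
        items.append(item)
    return items, off


def decode_x509v3_key(blob: bytes) -> dict:
    """Strictly parse an RFC 6187 2.1 blob; raise ValueError on anything malformed."""
    key_type, off = _read_string(blob, 0)
    if not key_type.startswith(b"x509v3-"):
        raise ValueError("not an RFC 6187 key type: %r" % key_type)
    certs, off = _read_string_list(blob, off)
    if not certs:
        raise ValueError("certificate-count must be at least 1")
    ocsp, off = _read_string_list(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing bytes after OCSP list" % (len(blob) - off))
    return {"key_type": key_type.decode("ascii"), "certificates": certs, "ocsp_responses": ocsp}


def is_rfc6187_blob(blob: bytes) -> bool:
    """True for a tagged RFC 6187 blob; False for an untagged DER certificate.

    A raw DER certificate starts with 0x30 0x82 ..., which read as a uint32 length
    claims a multi-hundred-megabyte string, so the strict parser rejects it.
    """
    try:
        decode_x509v3_key(blob)
        return True
    except ValueError:
        return False


def build_sample_blob() -> bytes:
    """The layout from the message: tag, one certificate, zero OCSP responses."""
    return encode_x509v3_key(KEY_TYPE_RSA, [SAMPLE_CERT])


if __name__ == "__main__":
    blob = build_sample_blob()
    print("first 18 bytes:", blob[:18])
    print("decoded:", decode_x509v3_key(blob)["key_type"])
    print("raw DER recognised as RFC 6187?", is_rfc6187_blob(SAMPLE_CERT))
```

The decoder is deliberately strict (bounded counts, no trailing bytes) because an agent or ssh-add reads these blobs from other processes; `is_rfc6187_blob` is the test a tool would run before deciding whether it is looking at the tagged format or at the older unprefixed one.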
