[ssh_x509] Support for x509v3-rsa2048-sha256?

ssh_x509 at roumenpetrov.info
Sat Apr 6 13:43:45 EEST 2019


Hi Alex,

> Hi Roumen,
> I checked your archives and saw that this was asked about two years ago and at the time you were not yet adding x509v3-rsa2048-sha256 to PKIX-SSH. I was wondering if that support had moved up on your roadmap at all.

It is an open-source project, and the fastest way to get some functionality is
to propose a patch. Also, for nearly one year the source has been managed in a
public repository (GitLab).


The long story is how algorithms were implemented. From a developer's point of
view, adding a new item to the "key type" enumeration is a simple and fast way
to implement a new algorithm.
This approach was used more than 15 years ago. The implementation has been
changing (slowly) in another direction - to be "algorithm centric". For a long
time, on the client side, key material (key type) could be used in many
algorithms. Version 11.0, released 1.5 years ago, was the first that offers
similar functionality for host (server) keys.

I note the benefit of "algorithm centric" with the implementation of
"rsa-sha2-256" or "rsa-sha2-512". In the original version it cost more than
four releases to get it working. Similarly for custom certificates based
on rsa-sha2-256 - at least two releases.

Soon I will finish the transition to fully "algorithm centric" code. This is
one of the commits -
https://gitlab.com/secsh/pkixssh/commit/202143d6df346c617c21a06e7150d7ea73db16cd
. Other one(s) will be committed soon and will be in the next release, 12.0.
So release 12.0 will be fully "algorithm centric".


After the release we could think more about how to implement extra algorithms.

The main issue with x509v3-rsa2048-sha256 is compatibility testing. For instance, x509v3-ssh-rsa, x509v3-ecdsa-sha2-* and x509v3-ssh-dss are tested with other implementations.

How to test x509v3-rsa2048-sha256?

> Thanks,
> Alex

Roumen
