x509v3-sign-rsa authentication type...

Roumen Petrov openssh at roumenpetrov.info
Mon May 12 23:07:40 EST 2003

  May be problem is different implementation of cert. support in ssh.com 
and SecureCRT.

More about how to compute signatures in OpenSSH:
- "ssh-rsa.c" call openssl functions:

- my patch call:

- openssl define :
#define EVP_SignInit(a,b)         EVP_DigestInit(a,b)
#define EVP_SignUpdate(a,b,c)             EVP_DigestUpdate(a,b,c)

EVP_SignFinal(...) call EVP_DigestFinal(...), but after this behave 

"ca-bundle.crt" from modssl project show that we have following 
signature algorithms:
- md2WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption

As I can remember may be (it was tested before release of my first 
version and today I cannot remember results) you patch support only "md5 
with rsa encryption" but not other (md2 and sha1) alg. .

As result we should change "ssh-rsa.c" code too. Same changes we should 
do in "ssh-dsa.c". It is simple to have new method with support for both 
key types "x509v3-sign-rsa" and "x509v3-sign-dss".

To be sure that my patch support all cases "make check" generate cert. 
with following sing. alg. for rsa and dsa private keys:
- dsaWithSHA1
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- ripemd160WithRSA
- sha1WithRSAEncryption
, i.e. 12 different certificates: 6 for ssh key type "x509v3-sign-rsa" 
and 6 for "x509v3-sign-dss".

Note: windows nt4 (service pack ?) has problems with md4 (?)

I can confirm that SecureCRT windows client can use all 12 combinations 
as identity key in session to OpenSSH server with my patch.

SecureCRT cannot accept certificates as hostkey, but this should be 
tested with new version(s) !

About ssh.com client I don't have any information.

"ssh-x509.c" is base/core of my patch. all other (distinguished name and 
x509 store, manual pages, agent) is to make x509 cert. support in 
OpenSSH more usefull. As example "ssh-keygen -f xxx -y" print a cert. in 
OpenSSH "pub. key" format, "ssh-add -L" print subject (distinguished 
name) and etc.

Markus, can you confirm that you patch is compatible with ssh.com client 
at least for certificate with sing.alg. "md2WithRSAEncryption", 
"md5WithRSAEncryption" and "sha1WithRSAEncryption" ?

Markus Friedl wrote:

>oops, here's the patch
>On Fri, May 09, 2003 at 06:29:23PM +0200, Markus Friedl wrote:
>>On Fri, May 09, 2003 at 10:56:55AM -0400, Kevin Stefanik wrote:
>>>Sorry to pester, but I'd really like to get interoperability with Windows 
>>>clients using certificates in the mainline openssh.  Since the heavy lifting 
>>>has already been done (and well!), I hope it's possible.
>>i've been using this patch for hostkeys+x509 support.
>>interop with ssh.com's windows client w/o problem. 
>>but Roumen sees problems with this approach.

More information about the openssh-unix-dev mailing list