Add rsa-sha2 certificates

Damien Miller djm at mindrot.org
Thu May 24 12:26:06 AEST 2018


I have a similar diff on https://bugzilla.mindrot.org/show_bug.cgi?id=2799
I'm not sure whether it is the right way to do this though - I have to
think about it some more.

On Thu, 24 May 2018, Yegor Ievlev wrote:

> This PR adds the capability to create and use rsa-sha2 certificates.
> 
> diff --git a/ssh-rsa.c b/ssh-rsa.c
> index 49e71c8..69de09c 100644
> --- a/ssh-rsa.c
> +++ b/ssh-rsa.c
> @@ -57,9 +57,11 @@ rsa_hash_alg_from_ident(const char *ident)
>   if (strcmp(ident, "ssh-rsa") == 0 ||
>       strcmp(ident, "ssh-rsa-cert-v01 at openssh.com") == 0)
>   return SSH_DIGEST_SHA1;
> - if (strcmp(ident, "rsa-sha2-256") == 0)
> + if (strcmp(ident, "rsa-sha2-256") == 0 ||
> +     strcmp(ident, "rsa-sha2-256-cert-v01 at openssh.com") == 0)
>   return SSH_DIGEST_SHA256;
> - if (strcmp(ident, "rsa-sha2-512") == 0)
> + if (strcmp(ident, "rsa-sha2-512") == 0 ||
> +     strcmp(ident, "rsa-sha2-512-cert-v01 at openssh.com") == 0)
>   return SSH_DIGEST_SHA512;
>   return -1;
>  }
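
Review bot: the new branches in rsa_hash_alg_from_ident make the two new -cert-v01 identifiers interchangeable with the plain rsa-sha2-256 and rsa-sha2-512 names when choosing the digest, but nothing else in this patch shows the reverse direction (digest to identifier, used when a signature is produced) learning the cert names, nor which name the signature blob is expected to carry for a certificate key. Please document which identifier a signer emits for an rsa-sha2 certificate and whether a verifier is meant to accept the cert name inside a signature blob at all; if only the plain names are supposed to appear in signatures, copying the existing ssh-rsa branch's pattern of also matching the cert name here is unnecessary and widens what a verifier accepts. The continuation-line indentation matches the ssh-rsa case above, which is fine.
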
> diff --git a/sshkey.c b/sshkey.c
> index 7712fba..2d43887 100644
> --- a/sshkey.c
> +++ b/sshkey.c
> @@ -110,6 +110,8 @@ static const struct keytype keytypes[] = {
>  #  endif /* OPENSSL_HAS_NISTP521 */
>  # endif /* OPENSSL_HAS_ECC */
>   { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
> + { "rsa-sha2-256-cert-v01 at openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 1 },
> + { "rsa-sha2-512-cert-v01 at openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 1 },
>   { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
>  # ifdef OPENSSL_HAS_ECC
>   { "ecdsa-sha2-nistp256-cert-v01 at openssh.com", "ECDSA-CERT",
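
Review bot: the two new keytypes rows reuse the short name "RSA-CERT" and the type KEY_RSA_CERT of the existing ssh-rsa-cert-v01 row and differ from it only in the final column (1 instead of 0). Any lookup that goes from type to name will therefore still hit the existing row first and never return the new names, and anything that compares by KEY_RSA_CERT alone cannot tell the three rows apart. Please say in the commit message what the final column selects and which lookups are intended to return the new names, so a reader of sshkey.c can verify that the certificate type name survives when a key is serialised or advertised; without that, the ssh-rsa.c change alone does not explain how a certificate ever comes to be named rsa-sha2-256-cert rather than ssh-rsa-cert.
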
> 
> Please set the commit email to koops1997+github at gmail.com and the name to
> Yegor Ievlev, so the commit will be attributed to me on GitHub.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 