Understanding SSH Certificate signatures
Digant Kasundra
diggyk at gmail.com
Tue Feb 9 17:20:20 AEDT 2021
Hello OpenSSH community,
I haven't found a good Rust library to verify that a presented OpenSSH
public certificate is valid. My plan is to compare the signature_key to my
trusted CA certs and verify the signature in the user's public certificate.
Here is what I tried but it isn't working:
* create an openssl RSA public key using the n and e from the signature_key
* decrypt the signature with that key to get the hash
* create a hash from all the base64 bytes up to but not including the
signature using SHA1
* compare the hashes, but they do not match
To create my own hash, I'm skipping the opening text identifier in the
cert, but using the "ssh-rsa-cert-v01 at openssh.com" string as part of the
octet string.
Am I on the right track? If so, I'll give some details of what I'm doing
so we can hopefully pinpoint where I'm going wrong. (Or if someone knows a
rust crate that actually verifies a certificate instead of just parsing it,
that would be awesome!)
--
Digant Chimanlal "DC" Kasundra
More information about the openssh-unix-dev
mailing list