Hello OpenSSH community,
I haven't found a good Rust library to verify that a presented OpenSSH
public certificate is valid. My plan is to compare the signature_key to my
trusted CA certs and verify the signature in the user's public certificate.
Here is what I tried but it isn't working:
* create an openssl RSA public key using the n and e from the signature_key
* decrypt the signature with that key to get the hash
* create a hash from all the base64 bytes up to but not including the
signature using SHA1
* compare the hashes, but they do not match
To create my own hash, I'm skipping the opening text identifier in the
cert, but using the "ssh-rsa-cert-v01@openssh.com" string as part of the
octet string.
Am I on the right track? If so, I'll give some details of what I'm doing
so we can hopefully pinpoint where I'm going wrong. (Or if someone knows a
rust crate that actually verifies a certificate instead of just parsing it,
that would be awesome!)
--
Digant Chimanlal "DC" Kasundra
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
I haven't found a good Rust library to verify that a presented OpenSSH
public certificate is valid. My plan is to compare the signature_key to my
trusted CA certs and verify the signature in the user's public certificate.
Here is what I tried but it isn't working:
* create an openssl RSA public key using the n and e from the signature_key
* decrypt the signature with that key to get the hash
* create a hash from all the base64 bytes up to but not including the
signature using SHA1
* compare the hashes, but they do not match
To create my own hash, I'm skipping the opening text identifier in the
cert, but using the "ssh-rsa-cert-v01@openssh.com" string as part of the
octet string.
Am I on the right track? If so, I'll give some details of what I'm doing
so we can hopefully pinpoint where I'm going wrong. (Or if someone knows a
rust crate that actually verifies a certificate instead of just parsing it,
that would be awesome!)
--
Digant Chimanlal "DC" Kasundra
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev