Awesome, thanks! On Tue, Feb 9, 2021 at 3:38 PM Damien Miller <djm@xxxxxxxxxxx> wrote: > On Mon, 8 Feb 2021, Digant Kasundra wrote: > > > Hello OpenSSH community, > > > > I haven't found a good Rust library to verify that a presented OpenSSH > > public certificate is valid. My plan is to compare the signature_key to > my > > trusted CA certs and verify the signature in the user's public > certificate. > > > > Here is what I tried but it isn't working: > > * create an openssl RSA public key using the n and e from the > signature_key > > * decrypt the signature with that key to get the hash > > * create a hash from all the base64 bytes up to but not including the > > signature using SHA1 > > Current versions of OpenSSH use sha-256 for certificate signatures by > default, so that's one possile problem. > > > * compare the hashes, but they do not match > > Your approach seems reasonable. The certificate signature is made using > exactly the same rules and structure as other SSH signatures. Are you > following these? If so, then the only other possibility is that you are > including the wrong bytes in the hash :) > > > To create my own hash, I'm skipping the opening text identifier in the > > cert, but using the "ssh-rsa-cert-v01@xxxxxxxxxxx" string as part of the > > octet string. > > The signed hash definitely includes this (and the four byte length before > it) > > > Am I on the right track? If so, I'll give some details of what I'm doing > > so we can hopefully pinpoint where I'm going wrong. (Or if someone > knows a > > rust crate that actually verifies a certificate instead of just parsing > it, > > that would be awesome!) > > My advice is to take a copy of OpenSSH, insert a > sshbuf_dump_data(sshbuf_ptr(key->cert->certblob), signed_len, stderr) > in sshkey.c:cert_parse() right before the sshkey_verify() call and > compare what is you are including in your hash to what OpenSSH is. > I've never solved a signature verification bug without printf debugging :) > > -d > -- Digant Chimanlal "DC" Kasundra _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
