Support for SSH key signing #15
Comments
@dnaka91 good suggestion! I'll see if I can get it into the next release
Glad to hear! Should I start working on this or do you prefer to implement it yourself? Currently only have the sign variant, not the verify part yet, but there are definitely some details that are not obvious from the protocol docs. Took me a while, looking at the signature with a hex editor, to find out how it's actually structured.
I plan on doing a pass on If you want to push up a PR before that though, I can use that or work off of it.
@dnaka91 what did you find difficult or ambiguous about that spec? It looks fairly straightforward to me. FYI, there will be a part of this which is a bit tricky, namely how to abstract over all of the various algorithm-specific backends in a way that can accommodate both the existing support for OpenSSH certificate signing / CAs as well as "sshsig". That will likely require some refactoring of the current implementation.
I guess it was rather a lack of knowledge about OpenSSH. One, rather easy, pitfall was that I read The other one was what they meant by the encoding for So in the end not really something missing from the spec, but rather me not fully understanding some common things in OpenSSH 😅. Sorry, have been distracted by another project, so didn't try to integrate my code into
Yeah, this crate already includes an implementation of SSH's serialization formats, including one-pass decoding/encoding to/from PEM, e.g. https://github.com/RustCrypto/SSH/blob/master/ssh-key/src/decode.rs I'll take a look at trying to implement support this weekend, and after that, this crate should be ready for the next release.
How is this coming along? I'd be interested in taking over if it has stalled. |
I plan on having a PR up this weekend |
Draft PR here: #28 Would appreciate early feedback on the API prior to a final release. |
This looks awesome 🤩 Had a look at the PR changes and this is so clean, as you have access to the internal encoding APIs. Mine is much more hacky as I had to re-implement those parts. Saw a few lines where allocations could maybe be avoided, but that's rather nitpicking and probably not an issue (also, would make the code less readable). Will give it a try later today and see how it goes. |
@dnaka91 curious what allocations you think could be avoided. The main one that might at first look like it could be avoided is encoding Even
Also, the encoding APIs will soon be public: #29 |
I should probably rephrase that. Not fully being avoided, but instead being delayed, so that in case of an error, it wouldn't allocate. One was during sign, where the And the other one I thought of was during decoding, where the So really just super subtle things and only in case of errors. Probably not really worth changing 😔 |
This has now been implemented. Closing. |
If anyone would like to try this out before a final release, it's included in |
Got to try it out today. Works like a charm 👍 |
Issue description
I tried implementing the new commit signing of Git with the `git2` and `ssh-key` crate. This crate was a great help and contained almost all the pieces I needed to create working signatures. Took me a few hours of searching around and fiddling with the signature format, but got a working implementation of the signing part. Definitely needs tons of tests and more verification, but it's a start.
The main part that is missing is this SSH signature scheme: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig
I was wondering if this is something that would make sense to include in `ssh-key`, or may it be out of scope? Would try to start integrating my current solution into the crate and open a PR, if there is interest.