Crate sshcerts


The `sshcerts` crate provides types and methods for parsing OpenSSH keys, and for parsing, verifying, and creating SSH certificates.

The following OpenSSH key types are supported.

  • RSA
  • ECDSA
  • ED25519

The following OpenSSH certificate types are supported.

  • ssh-rsa-cert-v01@openssh.com
  • ecdsa-sha2-nistp256-cert-v01@openssh.com
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • ssh-ed25519-cert-v01@openssh.com

§Why no ecdsa-sha2-nistp521-cert-v01@openssh.com?

That curve is not supported on a standard yubikey nor in ring. This means I cannot implement any signing or verification routines. If this changes, I will update this crate with support.

The crate also provides functionality for provisioning key slots on Yubikeys to handle signing operations. This is provided in the optional yubikey submodule.

Re-exports§

Modules§

  • The sshcerts error enum
  • For dealing with FIDO/U2F tokens such as generating new SSH keys
  • Functions and structs for dealing with SSH certificates. Parsing and creating certs happens here. This module is a heavily modified version of the sshkeys crate that adds certificate verification and many other things to support it. The original licence for the code is included in the source code.
  • Utility functions for dealing with SSH certificates, signatures or conversions
  • Contains some helper functions for pulling SSH public keys from x509 certificates and CSRs. It is enabled whenever yubikey_support is enabled because some functionality is currently shared.
  • Functions for dealing with Yubikey signing. Also contains an SSH submodule with helper functions that generate SSH-encoded versions of its normal functions.