Crate sshcerts

The ’sshcerts` crate provides types and methods for parsing OpenSSH keys, and parsing, verifying, and creating SSH certificates.

The following OpenSSH key types are supported.

• RSA
• ECDSA
• ED25519

The following OpenSSH certificate types are supported.

• ssh-rsa-cert-v01@openssh.com
• ecdsa-sha2-nistp256-cert-v01@openssh.com
• ecdsa-sha2-nistp384-cert-v01@openssh.com
• ssh-ed25519-cert-v01@openssh.com

Why no ecdsa-sha2-nistp521-cert-v01@openssh.com?

That curve is not supported on a standard yubikey nor in ring. This means I cannot implement any signing or verification routines. If this changes, I will update this crate with support.

The crate also provides functionality for provision key slots on Yubikeys to handle signing operations. This is provided in the optional yubikey submodule

Re-exports

• pub use ssh::CertType;
• pub use ssh::Certificate;
• pub use ssh::PrivateKey;
• pub use ssh::PublicKey;

Modules

• error
  The sshcerts error enum
• ssh
  Functions or structs for dealing with SSH Certificates. Parsing, and creating certs happens here. This module is a heavily modified version of the sshkeys crate that adds certificate verification, and many other things to support that. The original licence for the code is in the source code provided
• utils
  Utility functions for dealing with SSH certificates, signatures or conversions