Struct sshcerts::Certificate

pub struct Certificate {
    pub key_type: KeyType,
    pub nonce: Vec<u8>,
    pub key: PublicKey,
    pub serial: u64,
    pub cert_type: CertType,
    pub key_id: String,
    pub principals: Vec<String>,
    pub valid_after: u64,
    pub valid_before: u64,
    pub critical_options: HashMap<String, String>,
    pub extensions: HashMap<String, String>,
    pub reserved: Vec<u8>,
    pub signature_key: PublicKey,
    pub signature: Vec<u8>,
    pub comment: Option<String>,
    pub serialized: Vec<u8>,
}

A type which represents an OpenSSH certificate key. Please refer to [PROTOCOL.certkeys] for more details about OpenSSH certificates. [PROTOCOL.certkeys]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD

Fields

key_type: KeyType

Type of key.

nonce: Vec<u8>

Cryptographic nonce.

key: PublicKey

Public key part of the certificate.

serial: u64

Serial number of certificate.

cert_type: CertType

Represents the type of the certificate.

key_id: String

Key identity.

principals: Vec<String>

The list of valid principals for the certificate.

valid_after: u64

Time after which certificate is considered as valid.

valid_before: u64

Time before which certificate is considered as valid.

critical_options: HashMap<String, String>

Critical options of the certificate. Generally used to control features which restrict access.

extensions: HashMap<String, String>

Certificate extensions. Extensions are usually used to enable features that grant access.

reserved: Vec<u8>

The reserved field is currently unused and is ignored in this version of the protocol.

signature_key: PublicKey

Signature key contains the CA public key used to sign the certificate.

signature: Vec<u8>

Signature of the certificate.

comment: Option<String>

Associated comment, if any.

serialized: Vec<u8>

The entire serialized certificate, used for exporting

Implementations

impl Certificate

pub fn from_path<P: AsRef<Path>>(path: P) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given path.

Example

    let cert = Certificate::from_path("/path/to/id_ed25519-cert.pub").unwrap();
    println!("{}", cert);

pub fn from_string(s: &str) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given string.

Example

use sshcerts::Certificate;

let cert = Certificate::from_string(concat!(
    "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGZlEWgv+aRvfJZiREMOKR0PVSTEstkuSeOyRgx",
    "wI1v2AAAAIAwPJZIwmYs+W7WHNPneMUIAkQnBVw1LP0yQdfh7lT/S/v7+/v7+/v4AAAABAAAADG9iZWxpc2tAdGVzdAAAAAsAAAAHb2JlbGlzawAAAAAAAAAA///",
    "///////8AAAAiAAAADWZvcmNlLWNvbW1hbmQAAAANAAAACS9iaW4vdHJ1ZQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQ",
    "tZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADM",
    "AAAALc3NoLWVkMjU1MTkAAAAgXRsP8RFzML3wJDAqm2ENwOrRAHez5QqtcEpyBvwvniYAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMo0Akv0eyr269StM2zBd0Alzjx",
    "XAC6krgBQex2O31at8r550oCIelfgj8YwZIaXG9DmleP525LcseJ16Z8e5Aw= obelisk@exclave.lan"
)).unwrap();
println!("{:?}", cert);

pub fn builder(
    pubkey: &PublicKey,
    cert_type: CertType,
    signing_key: &PublicKey
) -> Result<Certificate, Error>

Create a new empty SSH certificate. Values must then be filled in using the mutator methods below.

Example

    let ssh_pubkey = PublicKey::from_string("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOhHAGJtT9s6zPW4OdQMzGbXEyj0ntkESrE1IZBgaCUSh9fWK1gRz+UJOcCB1JTC/kF2EPlwkX6XEpQToZl51oo= obelisk@exclave.lan").unwrap();
    let cert = Certificate::builder(&ssh_pubkey, CertType::User, &ssh_pubkey).unwrap()
       .serial(0xFEFEFEFEFEFEFEFE)
       .key_id("key_id")
       .principal("obelisk")
       .valid_after(0)
       .valid_before(0xFFFFFFFFFFFFFFFF)
       .set_critical_options(CriticalOptions::None)
       .set_extensions(Extensions::Standard)
       .sign(test_signer);
 
       match cert {
           Ok(cert) => println!("{}", cert),
           Err(e) => println!("Encountered an error while creating certificate: {}", e),
       }

pub fn serial(self, serial: u64) -> Self

Set the serial of a certificate builder

pub fn key_id<S: AsRef<str>>(self, key_id: S) -> Self

Set the Key ID of a certificate builder

pub fn principal<S: AsRef<str>>(self, principal: S) -> Self

Add a principal to the certificate

pub fn set_principals(self, principals: &[String]) -> Self

Set the principals of the certificate

pub fn valid_after(self, valid_after: u64) -> Self

Set the initial validity time of the certificate

pub fn valid_before(self, valid_before: u64) -> Self

Set the expiry of the certificate

pub fn critical_option<S: AsRef<str>>(self, option: S, value: S) -> Self

Add a critical option to the certificate

pub fn set_critical_options(self, critical_options: CriticalOptions) -> Self

Set the critical options of the certificate

pub fn extension<S: AsRef<str>>(self, option: S, value: S) -> Self

Add a critical option to the certificate

pub fn set_extensions(self, extensions: Extensions) -> Self

Set the critical options of the certificate

pub fn comment<S: AsRef<str>>(self, comment: S) -> Self

Set the critical options of the certificate

pub fn sign(
    self,
    signer: impl FnOnce(&[u8]) -> Option<Vec<u8>>
) -> Result<Self, Error>

Take the certificate settings and generate a valid signature using the provided signer function

Trait Implementations

impl Debug for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.