Struct sshcerts::Certificate

pub struct Certificate {

    pub key_type: KeyType,
    pub nonce: Vec<u8>,
    pub key: PublicKey,
    pub serial: u64,
    pub cert_type: CertType,
    pub key_id: String,
    pub principals: Vec<String>,
    pub valid_after: u64,
    pub valid_before: u64,
    pub critical_options: HashMap<String, String>,
    pub extensions: HashMap<String, String>,
    pub reserved: Vec<u8>,
    pub signature_key: PublicKey,
    pub signature: Vec<u8>,
    pub comment: Option<String>,
    pub serialized: Vec<u8>,
}

A type which represents an OpenSSH certificate key. Please refer to [PROTOCOL.certkeys] for more details about OpenSSH certificates. [PROTOCOL.certkeys]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD

Fields

key_type: KeyType

Type of key.

nonce: Vec<u8>

Cryptographic nonce.

key: PublicKey

Public key part of the certificate.

serial: u64

Serial number of certificate.

cert_type: CertType

Represents the type of the certificate.

key_id: String

Key identity.

principals: Vec<String>

The list of valid principals for the certificate.

valid_after: u64

Time after which certificate is considered as valid.

valid_before: u64

Time before which certificate is considered as valid.

critical_options: HashMap<String, String>

Critical options of the certificate. Generally used to control features which restrict access.

extensions: HashMap<String, String>

Certificate extensions. Extensions are usually used to enable features that grant access.

reserved: Vec<u8>

The reserved field is currently unused and is ignored in this version of the protocol.

signature_key: PublicKey

Signature key contains the CA public key used to sign the certificate.

signature: Vec<u8>

Signature of the certificate.

comment: Option<String>

Associated comment, if any.

serialized: Vec<u8>

The entire serialized certificate, used for exporting

Implementations

impl Certificate

pub fn from_path<P: AsRef<Path>>(path: P) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given path.

Example

    let cert = Certificate::from_path("/path/to/id_ed25519-cert.pub").unwrap();
    println!("{}", cert);

pub fn from_string(s: &str) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given string.

Example

use sshcerts::Certificate;

let cert = Certificate::from_string(concat!(
    "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGZlEWgv+aRvfJZiREMOKR0PVSTEstkuSeOyRgx",
    "wI1v2AAAAIAwPJZIwmYs+W7WHNPneMUIAkQnBVw1LP0yQdfh7lT/S/v7+/v7+/v4AAAABAAAADG9iZWxpc2tAdGVzdAAAAAsAAAAHb2JlbGlzawAAAAAAAAAA///",
    "///////8AAAAiAAAADWZvcmNlLWNvbW1hbmQAAAANAAAACS9iaW4vdHJ1ZQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQ",
    "tZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADM",
    "AAAALc3NoLWVkMjU1MTkAAAAgXRsP8RFzML3wJDAqm2ENwOrRAHez5QqtcEpyBvwvniYAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMo0Akv0eyr269StM2zBd0Alzjx",
    "XAC6krgBQex2O31at8r550oCIelfgj8YwZIaXG9DmleP525LcseJ16Z8e5Aw= obelisk@exclave.lan"
)).unwrap();
println!("{:?}", cert);

pub fn builder(
    pubkey: &PublicKey,
    cert_type: CertType,
    signing_key: &PublicKey
) -> Result<Certificate, Error>

Create a new empty SSH certificate. Values must then be filled in using the mutator methods below.

Example

    let ssh_pubkey = PublicKey::from_string("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOhHAGJtT9s6zPW4OdQMzGbXEyj0ntkESrE1IZBgaCUSh9fWK1gRz+UJOcCB1JTC/kF2EPlwkX6XEpQToZl51oo= obelisk@exclave.lan").unwrap();
    let cert = Certificate::builder(&ssh_pubkey, CertType::User, &ssh_pubkey).unwrap()
       .serial(0xFEFEFEFEFEFEFEFE)
       .key_id("key_id")
       .principal("obelisk")
       .valid_after(0)
       .valid_before(0xFFFFFFFFFFFFFFFF)
       .set_critical_options(CriticalOptions::None)
       .set_extensions(Extensions::Standard)
       .sign(test_signer);
 
    match cert {
      Ok(cert) => println!("{}", cert),
      Err(e) => println!("Encountered an error while creating certificate: {}", e),
    }

pub fn serial(self, serial: u64) -> Self

Set the serial of a certificate builder

pub fn key_id<S: AsRef<str>>(self, key_id: S) -> Self

Set the Key ID of a certificate builder

pub fn principal<S: AsRef<str>>(self, principal: S) -> Self

Add a principal to the certificate

pub fn set_principals(self, principals: &[String]) -> Self

Set the principals of the certificate

pub fn valid_after(self, valid_after: u64) -> Self

Set the initial validity time of the certificate

pub fn valid_before(self, valid_before: u64) -> Self

Set the expiry of the certificate

pub fn critical_option<S: AsRef<str>>(self, option: S, value: S) -> Self

Add a critical option to the certificate

pub fn set_critical_options(self, critical_options: CriticalOptions) -> Self

Set the critical options of the certificate

pub fn extension<S: AsRef<str>>(self, option: S, value: S) -> Self

Add a critical option to the certificate

pub fn set_extensions(self, extensions: Extensions) -> Self

Set the critical options of the certificate

pub fn comment<S: AsRef<str>>(self, comment: S) -> Self

Set the critical options of the certificate

pub fn tbs_certificate(&self) -> Vec<u8>

Get the certificate data without the signature field at the end.

pub fn add_signature(self, signature: &[u8]) -> Result<Self, Error>

Attempts to add the given signature to the certificate. This function returns an error if the signature provided is not valid for the certificate under the set CA key.

pub fn sign(
    self,
    signer: impl FnOnce(&[u8]) -> Option<Vec<u8>>
) -> Result<Self, Error>

Take the certificate settings and generate a valid signature using the provided signer function

Trait Implementations

impl Debug for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.