The `sshcerts` crate provides types and methods for parsing OpenSSH keys, and for parsing, verifying, and creating SSH certificates.
The following OpenSSH key types are supported.
- RSA
- ECDSA
- ED25519
The following OpenSSH certificate types are supported.
- ssh-rsa-cert-v01@openssh.com
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
Why no ecdsa-sha2-nistp521-cert-v01@openssh.com?
That curve is not supported on a standard Yubikey nor in the ring crate. This means I cannot implement any signing or verification routines. If this changes, I will update this crate with support.
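As an added example (not code from the sshcerts crate), here is a plain-Rust reader for the header of the certificate types listed above, followed by the validity-window and principal check a verifier must make before trusting a certificate. The blob layout follows OpenSSH's PROTOCOL.certkeys; the sample certificate is constructed inline, and the type and function names are the example's own.

```rust
// OpenSSH certificate wire-format reader: RFC 4251 string/uint32/uint64 fields in PROTOCOL.certkeys order.
struct Reader<'a> { buf: &'a [u8], pos: usize }          // cursor over a base64-decoded cert blob
impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Result<&'a [u8], String> {
        let end = self.pos.checked_add(n).filter(|&e| e <= self.buf.len())
            .ok_or_else(|| format!("truncated blob at offset {}", self.pos))?;
        let start = std::mem::replace(&mut self.pos, end);
        Ok(&self.buf[start..end])
    }
    // big-endian uint32 (n = 4) or uint64 (n = 8)
    fn be_uint(&mut self, n: usize) -> Result<u64, String> { Ok(self.take(n)?.iter().fold(0u64, |a, &b| (a << 8) | b as u64)) }
    fn string(&mut self) -> Result<&'a [u8], String> { let n = self.be_uint(4)? as usize; self.take(n) }
    fn text(&mut self) -> Result<String, String> { Ok(String::from_utf8_lossy(self.string()?).into_owned()) }
}
pub struct CertSummary { pub key_type: String, pub serial: u64, pub is_user_cert: bool,
    pub key_id: String, pub principals: Vec<String>, pub valid_after: u64, pub valid_before: u64 }
/// Parse the policy-relevant header fields of a decoded cert blob. Signature checking is not done here.
pub fn parse_cert(blob: &[u8]) -> Result<CertSummary, String> {
    let mut r = Reader { buf: blob, pos: 0 };
    let key_type = r.text()?;
    r.string()?;                                          // nonce
    let pk_fields = match key_type.as_str() {             // public-key fields differ per type
        "ssh-ed25519-cert-v01@openssh.com" => 1,                                           // pk
        "ssh-rsa-cert-v01@openssh.com" => 2,                                               // e, n
        "ecdsa-sha2-nistp256-cert-v01@openssh.com" | "ecdsa-sha2-nistp384-cert-v01@openssh.com" => 2,
        other => return Err(format!("unsupported certificate type {other}")),
    };
    for _ in 0..pk_fields { r.string()?; }
    let serial = r.be_uint(8)?;
    let is_user_cert = match r.be_uint(4)? { 1 => true, 2 => false, t => return Err(format!("bad cert type {t}")) };
    let key_id = r.text()?;
    let (mut p, mut principals) = (Reader { buf: r.string()?, pos: 0 }, Vec::new());  // nested string list
    while p.pos < p.buf.len() { principals.push(p.text()?); }
    let (valid_after, valid_before) = (r.be_uint(8)?, r.be_uint(8)?);
    Ok(CertSummary { key_type, serial, is_user_cert, key_id, principals, valid_after, valid_before })
}
/// OpenSSH accepts a user cert for `principal` at `now` only when valid_after <= now < valid_before.
pub fn authorizes(c: &CertSummary, principal: &str, now: u64) -> bool {
    c.is_user_cert && c.valid_after <= now && now < c.valid_before && c.principals.iter().any(|p| p == principal)
}
pub fn put_string(v: &mut Vec<u8>, s: &[u8]) { v.extend((s.len() as u32).to_be_bytes()); v.extend(s); }
/// Constructed sample, not a real certificate: ed25519 user cert for "alice", serial 7, valid 1000..2000.
pub fn sample_cert() -> Vec<u8> {
    let (mut v, mut principals) = (Vec::new(), Vec::new());
    put_string(&mut v, b"ssh-ed25519-cert-v01@openssh.com"); put_string(&mut v, b"constructed-nonce");
    put_string(&mut v, &[0u8; 32]);                              // 32 zero bytes stand in for the pk
    v.extend(7u64.to_be_bytes()); v.extend(1u32.to_be_bytes());  // serial, SSH_CERT_TYPE_USER
    put_string(&mut v, b"alice@example"); put_string(&mut principals, b"alice"); put_string(&mut v, &principals);
    v.extend(1000u64.to_be_bytes()); v.extend(2000u64.to_be_bytes());
    v   // a real cert continues with critical options, extensions, reserved, signature key and signature
}
```

Expiry is exclusive at valid_before, so a certificate is already rejected at exactly that second, matching OpenSSH's own check.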
The crate also provides functionality for provisioning key slots on Yubikeys to handle signing operations. This is provided in the optional yubikey submodule.
Re-exports
pub use ssh::CertType;
pub use ssh::Certificate;
pub use ssh::PrivateKey;
pub use ssh::PublicKey;
Modules
- The sshcerts error enum
- For dealing with FIDO/U2F tokens, such as generating new SSH keys
- Functions and structs for dealing with SSH certificates. Parsing and creating certs happens here. This module is a heavily modified version of the sshkeys crate that adds certificate verification and many other things to support it. The original licence for the code is in the source code provided.
- Utility functions for dealing with SSH certificates, signatures or conversions
- Contains some helper functions for pulling SSH public keys from X.509 certificates and CSRs. It is enabled whenever yubikey_support is enabled because some functionality is currently shared.
- Functions for dealing with Yubikey signing. Also contains an SSH submodule with helper functions that generate SSH-encoded versions of its normal functions.