Struct sshcerts::ssh::Certificate

pub struct Certificate {

    pub key_type: KeyType,
    pub nonce: Vec<u8>,
    pub key: PublicKey,
    pub serial: u64,
    pub cert_type: CertType,
    pub key_id: String,
    pub principals: Vec<String>,
    pub valid_after: u64,
    pub valid_before: u64,
    pub critical_options: HashMap<String, String>,
    pub extensions: HashMap<String, String>,
    pub reserved: Vec<u8>,
    pub signature_key: PublicKey,
    pub signature: Vec<u8>,
    pub comment: Option<String>,
    pub serialized: Vec<u8>,
}

A type which represents an OpenSSH certificate key. Please refer to [PROTOCOL.certkeys] for more details about OpenSSH certificates. [PROTOCOL.certkeys]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD

Fields

key_type: KeyType

Type of key.

nonce: Vec<u8>

Cryptographic nonce.

key: PublicKey

Public key part of the certificate.

serial: u64

Serial number of certificate.

cert_type: CertType

Represents the type of the certificate.

key_id: String

Key identity.

principals: Vec<String>

The list of valid principals for the certificate.

valid_after: u64

Time after which certificate is considered as valid.

valid_before: u64

Time before which certificate is considered as valid.

critical_options: HashMap<String, String>

Critical options of the certificate. Generally used to control features which restrict access.

extensions: HashMap<String, String>

Certificate extensions. Extensions are usually used to enable features that grant access.

reserved: Vec<u8>

The reserved field is currently unused and is ignored in this version of the protocol.

signature_key: PublicKey

Signature key contains the CA public key used to sign the certificate.

signature: Vec<u8>

Signature of the certificate.

comment: Option<String>

Associated comment, if any.

serialized: Vec<u8>

The entire serialized certificate, used for exporting

Implementations

impl Certificate

pub fn from_path<P: AsRef<Path>>(path: P) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given path.

Example

    let cert = Certificate::from_path("/path/to/id_ed25519-cert.pub").unwrap();
    println!("{}", cert);

pub fn from_string(s: &str) -> Result<Certificate, Error>

Reads an OpenSSH certificate from a given string.

Example

use sshcerts::Certificate;

let cert = Certificate::from_string(concat!(
    "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGZlEWgv+aRvfJZiREMOKR0PVSTEstkuSeOyRgx",
    "wI1v2AAAAIAwPJZIwmYs+W7WHNPneMUIAkQnBVw1LP0yQdfh7lT/S/v7+/v7+/v4AAAABAAAADG9iZWxpc2tAdGVzdAAAAAsAAAAHb2JlbGlzawAAAAAAAAAA///",
    "///////8AAAAiAAAADWZvcmNlLWNvbW1hbmQAAAANAAAACS9iaW4vdHJ1ZQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQ",
    "tZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADM",
    "AAAALc3NoLWVkMjU1MTkAAAAgXRsP8RFzML3wJDAqm2ENwOrRAHez5QqtcEpyBvwvniYAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMo0Akv0eyr269StM2zBd0Alzjx",
    "XAC6krgBQex2O31at8r550oCIelfgj8YwZIaXG9DmleP525LcseJ16Z8e5Aw= obelisk@exclave.lan"
)).unwrap();
println!("{:?}", cert);

pub fn from_bytes(data: &[u8]) -> Result<Certificate, Error>

Reads an SSH certificate from a given byte sequence.

The byte sequence is expected to be the base64 decoded body of the SSH certificate.

pub fn standard_extensions() -> HashMap<String, String>

Returns the set of standard extensions used for SSH certificates. If you’re unsure about what you need, using the standard extensions is probably what you want.

pub fn builder( pubkey: &PublicKey, cert_type: CertType, signing_key: &PublicKey ) -> Result<Certificate, Error>

Create a new empty SSH certificate. Values must then be filled in using the mutator methods below.

Example

    let private_key = PrivateKey::from_string(concat!(
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW",
        "QyNTUxOQAAACBBvD18M5xE6toNtTkIwVwl7xkJb9DBUSgHfKaKbeTW3gAAAKj3njlq9545",
        "agAAAAtzc2gtZWQyNTUxOQAAACBBvD18M5xE6toNtTkIwVwl7xkJb9DBUSgHfKaKbeTW3g",
        "AAAEBLyc6RR+xrjQFV9hhmW9z5TYEA4IMVG7+xBq0WHjdnNkG8PXwznETq2g21OQjBXCXv",
        "GQlv0MFRKAd8popt5NbeAAAAIW9iZWxpc2tATWl0Y2hlbGxzLU1CUC5sb2NhbGRvbWFpbg",
        "ECAwQ=",
        "-----END OPENSSH PRIVATE KEY-----",
    )).unwrap();
    let ssh_pubkey = PublicKey::from_string("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHk1jR7i5Ao85pfz0X6xAWT3N+Wicm17v3UnYw3ZEGnH").unwrap();
    let cert = Certificate::builder(&ssh_pubkey, CertType::User, &private_key.pubkey).unwrap()
       .serial(0xFEFEFEFEFEFEFEFE)
       .key_id("key_id")
       .principal("obelisk")
       .valid_after(0)
       .valid_before(0xFFFFFFFFFFFFFFFF)
       .set_extensions(Certificate::standard_extensions())
       .sign(&private_key);

    match cert {
      Ok(cert) => println!("{}", cert),
      Err(e) => println!("Encountered an error while creating certificate: {}", e),
    }

pub fn serial(self, serial: u64) -> Self

Set the serial of a certificate builder

pub fn key_id<S: AsRef<str>>(self, key_id: S) -> Self

Set the Key ID of a certificate builder

pub fn principal<S: AsRef<str>>(self, principal: S) -> Self

Add a principal to the certificate

pub fn set_principals(self, principals: &[String]) -> Self

Set the principals of the certificate

pub fn valid_after(self, valid_after: u64) -> Self

Set the initial validity time of the certificate

pub fn valid_before(self, valid_before: u64) -> Self

Set the expiry of the certificate

pub fn critical_option<S: AsRef<str>>(self, option: S, value: S) -> Self

Add a critical option to the certificate

pub fn set_critical_options( self, critical_options: HashMap<String, String> ) -> Self

Set the critical options of the certificate

pub fn extension<S: AsRef<str>>(self, option: S, value: S) -> Self

Add an extension to the certificate

pub fn set_extensions(self, extensions: HashMap<String, String>) -> Self

Set the extensions of the certificate

pub fn comment<S: AsRef<str>>(self, comment: S) -> Self

Set the comment of the certificate

pub fn tbs_certificate(&self) -> Vec<u8>

Get the certificate data without the signature field at the end.

pub fn add_signature(self, signature: &[u8]) -> Result<Self, Error>

Attempts to add the given signature to the certificate. This function returns an error if the signature provided is not valid for the certificate under the set CA key.

pub fn sign<T: SSHCertificateSigner>(self, signer: &T) -> Result<Self, Error>

Take the certificate settings and generate a valid signature using the provided signer function

Trait Implementations

impl Clone for Certificate

fn clone(&self) -> Certificate

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for Certificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for Certificate

fn eq(&self, other: &Certificate) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for Certificate

impl StructuralPartialEq for Certificate