Repro instructions:

ssh-keygen -f server_ca
ssh-keygen -f userkey
ssh-keygen -s server_ca -I ident -t rsa-sha2-256 -n user userkey.pub && ssh-keygen -L -f userkey-cert.pub

Signed user key userkey-cert.pub: id "ident" serial 0 for user valid forever
userkey-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:vGA3iSIWLZNdTjBoKzzAGH8daBV9Kvf9yZ3AhTyZ6IM
        Signing CA: RSA SHA256:TgQchZRAwiD8VRLdOmIDqoIyc6btwxIbPFMYI/JAUag
        Key ID: "ident"
        Serial: 0
        Valid: forever
        Principals:
                user
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

As you can see, the certificate type is ssh-rsa-cert-v0; it should be rsa-sha2-256-cert-v01 instead. The problem seems to be with the sshkey_ssh_name function, which takes the first matching key type (which is SHA1). If that is the right place, then this function should be changed to also take into account the hash algorithm.

The key type remains ssh-rsa-cert-v01@openssh.com regardless of signature. OpenSSH 8.0 includes the signature type in ssh-keygen -L output and this allows you to check that it is what you expect. E.g. (note the "Signing CA" line)

[djm@hako ssh]$ ssh-keygen -Lf /tmp/k_rsa-cert.pub
/tmp/k_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:/4T+gq8FyJEPTdXS1VaghSypcBubXiFW5AW4V0/a6VM
        Signing CA: RSA SHA256:sy2Nq/dLCwg2dESiOgCT0NmASiVIUCapmlkANCjTr2s (using rsa-sha2-256)
        Key ID: "id"
        Serial: 0
        Valid: forever
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

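Added example, not part of the bug thread and not OpenSSH code: a small parser that reads the CA's signature algorithm straight from an RSA certificate blob, which is useful on hosts whose ssh-keygen predates 8.0 and does not print "(using ...)". The field order follows OpenSSH's PROTOCOL.certkeys; the function names are hypothetical, and the sample certificate is constructed with dummy key and signature bytes.

```python
import base64
import struct

RSA_CERT = b"ssh-rsa-cert-v01@openssh.com"

def _string(buf, off):
    """Read one RFC 4251 string (uint32 length + bytes); return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def rsa_cert_algorithms(pub_line):
    """Return (key_type, ca_key_type, signature_algorithm) for one *-cert.pub line."""
    blob = base64.b64decode(pub_line.split()[1])
    key_type, off = _string(blob, 0)
    if key_type != RSA_CERT:
        raise ValueError("not an RSA certificate")
    for _ in range(3):              # nonce, e, n (mpints share the string framing)
        _, off = _string(blob, off)
    off += 8 + 4                    # serial (uint64), type (uint32)
    for _ in range(2):              # key id, valid principals
        _, off = _string(blob, off)
    off += 8 + 8                    # valid after, valid before (uint64 each)
    for _ in range(3):              # critical options, extensions, reserved
        _, off = _string(blob, off)
    ca_key, off = _string(blob, off)
    signature, off = _string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after signature")
    ca_type, _ = _string(ca_key, 0)      # CA key type, "ssh-rsa" for any RSA CA
    sig_alg, _ = _string(signature, 0)   # the algorithm the CA actually signed with
    return key_type.decode(), ca_type.decode(), sig_alg.decode()

def ca_used_sha1(pub_line):
    """True when the CA signed with the SHA-1 based 'ssh-rsa' algorithm."""
    return rsa_cert_algorithms(pub_line)[2] == "ssh-rsa"

def _s(b):
    return struct.pack(">I", len(b)) + b

def constructed_cert(sig_alg):
    """Constructed sample: correct layout, dummy key and signature bytes (not verifiable)."""
    ca_key = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xc1" * 32)
    body = (_s(RSA_CERT) + _s(b"\x11" * 32) + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xc2" * 32)
            + struct.pack(">QI", 0, 1) + _s(b"ident") + _s(_s(b"user"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") + _s(b"") + _s(b"")
            + _s(ca_key) + _s(_s(sig_alg) + _s(b"\x00" * 32)))
    return RSA_CERT.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

The certificate type string is the same in every case; only the algorithm name inside the signature field differs, which is what the "(using rsa-sha2-256)" suffix reports.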
closing resolved bugs as of 8.6p1 release