# [RustCrypto]: SSH Keys and Certificates
[![crate][crate-image]][crate-link]
[![Docs][docs-image]][docs-link]
[![Build Status][build-image]][build-link]
![Apache2/MIT licensed][license-image]
![Rust Version][rustc-image]
[![Project Chat][chat-image]][chat-link]
[Documentation][docs-link]
## About
Pure Rust implementation of SSH key file format decoders/encoders as described
in [RFC4251] and [RFC4253] as well as OpenSSH's [PROTOCOL.key] format
specification.
Additionally provides support for SSH signatures as described in
[PROTOCOL.sshsig], OpenSSH certificates as specified in [PROTOCOL.certkeys]
including certificate validation and certificate authority (CA) support,
FIDO/U2F keys as specified in [PROTOCOL.u2f] (and certificates thereof), and
also the `authorized_keys` and `known_hosts` file formats.
Supports a minimal profile which works on heapless `no_std` targets. See the
"Supported Signature Algorithms" table below for which key algorithms work on
heapless targets and which require `alloc`.
When the `ed25519`, `p256`, and/or `rsa` features of this crate are enabled,
provides key generation and certificate signing/verification support for that
respective SSH key algorithm.
## Features
- [x] Constant-time Base64 decoder/encoder using `base64ct`/`pem-rfc7468` crates
- [x] OpenSSH-compatible decoder/encoders for the following formats:
  - [x] OpenSSH public keys
  - [x] OpenSSH private keys (i.e. `BEGIN OPENSSH PRIVATE KEY`)
  - [x] OpenSSH certificates
  - [x] OpenSSH signatures (a.k.a. "sshsig")
- [x] OpenSSH certificate support
  - [x] OpenSSH certificate validation
  - [x] OpenSSH certificate authority (CA) support, i.e. cert builder/signer
- [x] Private key encryption/decryption (`bcrypt-pbkdf` + `aes256-ctr` only)
- [x] Private key generation support: DSA, Ed25519, ECDSA (P-256/P-384/P-521),
  and RSA
- [x] FIDO/U2F key support (`sk-*`) as specified in [PROTOCOL.u2f]
- [x] Fingerprint support
- [x] "randomart" fingerprint visualizations
- [x] `no_std` support including support for "heapless" (no-`alloc`) targets
- [x] Parsing `authorized_keys` files
- [x] Parsing `known_hosts` files
- [x] `serde` support
- [x] `zeroize` support for private keys
#### TODO
- [ ] FIDO/U2F signature support
- [ ] Legacy (pre-OpenSSH) SSH key format support
- [ ] PKCS#1 SSH private keys (i.e. RSA-only)
- [ ] PKCS#8 SSH private keys
- [ ] [RFC4716] SSH public keys
- [ ] SEC1 SSH public keys
### Supported Signature Algorithms
| Name | Decode | Encode | Cert | Keygen | Sign | Verify | Feature | `no_std` |
|--------------------------------------|--------|--------|------|--------|------|--------|-----------|----------|
| `ecdsa-sha2-nistp256` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `p256` | heapless |
| `ecdsa-sha2-nistp384` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `p384` | heapless |
| `ecdsa-sha2-nistp521` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `p521` | heapless |
| `ssh-dsa` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `dsa` | `alloc` |
| `ssh-ed25519` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `ed25519` | heapless |
| `ssh-rsa` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `rsa` | `alloc` |
| `sk-ecdsa-sha2-nistp256@openssh.com` | ✅ | ✅ | ✅ | ⛔ | ⛔ | ✅ | ⛔ | `alloc` |
| `sk-ssh-ed25519@openssh.com` | ✅ | ✅ | ✅ | ⛔ | ⛔ | ✅ | `ed25519` | `alloc` |
By default *no SSH signature algorithms are enabled*, and attempting to use one
returns an `Error::AlgorithmUnsupported` error.
Enable the `crypto` feature, or the feature named in the "Feature" column of
the table above for a specific algorithm (e.g. `p256`, `rsa`), in order to use
cryptographic functionality.
The "Feature" column lists the `ssh-key` crate feature that provides full
"Keygen", "Sign", and "Verify" support for a particular SSH key algorithm.
## Minimum Supported Rust Version
This crate requires **Rust 1.65** at a minimum.
We may change the MSRV in the future, but it will be accompanied by a minor
version bump.
## License
Licensed under either of:
* [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
* [MIT license](http://opensource.org/licenses/MIT)
at your option.
### Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall be
dual licensed as above, without any additional terms or conditions.
[//]: # (badges)
[crate-image]: https://buildstats.info/crate/ssh-key
[crate-link]: https://crates.io/crates/ssh-key
[docs-image]: https://docs.rs/ssh-key/badge.svg
[docs-link]: https://docs.rs/ssh-key/
[license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg
[rustc-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg
[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
[chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/346919-SSH
[build-image]: https://github.com/RustCrypto/SSH/actions/workflows/ssh-key.yml/badge.svg
[build-link]: https://github.com/RustCrypto/SSH/actions/workflows/ssh-key.yml
[//]: # (links)
[RustCrypto]: https://github.com/rustcrypto
[RFC4251]: https://datatracker.ietf.org/doc/html/rfc4251
[RFC4253]: https://datatracker.ietf.org/doc/html/rfc4253
[RFC4716]: https://datatracker.ietf.org/doc/html/rfc4716
[PROTOCOL.certkeys]: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
[PROTOCOL.key]: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
[PROTOCOL.sshsig]: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.sshsig?annotate=HEAD
[PROTOCOL.u2f]: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.u2f?annotate=HEAD