class Net::SSH::Authentication::Certificate

Class for representing an SSH certificate.

cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain

Attributes

critical_options[RW]
extensions[RW]
key[RW]
key_id[RW]
nonce[RW]
reserved[RW]
serial[RW]
signature[RW]
signature_key[RW]
type[RW]
valid_after[RW]
valid_before[RW]
valid_principals[RW]

Public Class Methods

read_certblob(buffer, type) click to toggle source

Read a certificate blob associated with a key of the given type.

# File lib/net/ssh/authentication/certificate.rb, line 23
def self.read_certblob(buffer, type)
  cert = Certificate.new
  cert.nonce = buffer.read_string
  cert.key = buffer.read_keyblob(type)
  cert.serial = buffer.read_int64
  cert.type = type_symbol(buffer.read_long)
  cert.key_id = buffer.read_string
  cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
  cert.valid_after = Time.at(buffer.read_int64)
  cert.valid_before = Time.at(buffer.read_int64)
  cert.critical_options = read_options(buffer)
  cert.extensions = read_options(buffer)
  cert.reserved = buffer.read_string
  cert.signature_key = buffer.read_buffer.read_key
  cert.signature = buffer.read_string
  cert
end

Public Instance Methods

fingerprint() click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 69
def fingerprint
  key.fingerprint
end
sign(key, sign_nonce=nil) click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 85
def sign(key, sign_nonce=nil)
  cert = clone
  cert.sign!(key, sign_nonce)
end
sign!(key, sign_nonce=nil) click to toggle source

Signs the certificate with key.

# File lib/net/ssh/authentication/certificate.rb, line 74
def sign!(key, sign_nonce=nil)
  # ssh-keygen uses 32 bytes of nonce.
  self.nonce = sign_nonce || SecureRandom.random_bytes(32)
  self.signature_key = key
  self.signature = Net::SSH::Buffer.from(
    :string, key.ssh_signature_type,
    :mstring, key.ssh_do_sign(to_blob_without_signature)
  ).to_s
  self
end
signature_valid?() click to toggle source

Checks whether the certificate's signature was signed by signature key.

# File lib/net/ssh/authentication/certificate.rb, line 91
def signature_valid?
  buffer = Buffer.new(signature)
  buffer.read_string # skip signature format
  signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
end
ssh_do_sign(data) click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 57
def ssh_do_sign(data)
  key.ssh_do_sign(data)
end
ssh_do_verify(sig, data) click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 61
def ssh_do_verify(sig, data)
  key.ssh_do_verify(sig, data)
end
ssh_signature_type() click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 45
def ssh_signature_type
  key.ssh_type
end
ssh_type() click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 41
def ssh_type
  key.ssh_type + "-cert-v01@openssh.com"
end
to_blob() click to toggle source

Serializes the certificate (and key).

# File lib/net/ssh/authentication/certificate.rb, line 50
def to_blob
  Buffer.from(
    :raw, to_blob_without_signature,
    :string, signature
  ).to_s
end
to_pem() click to toggle source
# File lib/net/ssh/authentication/certificate.rb, line 65
def to_pem
  key.to_pem
end