class Net::SSH::Authentication::Certificate

Class for representing an SSH certificate.

cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain

Attributes

critical_options[RW]
extensions[RW]
key[RW]
key_id[RW]
nonce[RW]
reserved[RW]
serial[RW]
signature[RW]
signature_key[RW]
type[RW]
valid_after[RW]
valid_before[RW]
valid_principals[RW]

Public Class Methods

read_certblob(buffer, type)

Read a certificate blob associated with a key of the given type.

# File lib/net/ssh/authentication/certificate.rb, line 25
# Reads a certificate blob for a key of the given +type+ from +buffer+ and
# returns a new Certificate. +type+ selects how the certified public key is
# decoded (via +read_keyblob+).
#
# The fields are consumed in wire order, so the assignments must not be
# reordered. Nothing here validates the certificate: the signature, the
# validity window and trust in +signature_key+ are left to the caller.
def self.read_certblob(buffer, type)
  Certificate.new.tap do |cert|
    cert.nonce            = buffer.read_string
    cert.key              = buffer.read_keyblob(type)
    cert.serial           = buffer.read_int64
    cert.type             = type_symbol(buffer.read_long)
    cert.key_id           = buffer.read_string
    # Principals are carried in their own nested, length-prefixed buffer.
    cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
    # Validity bounds are seconds since the epoch.
    cert.valid_after      = Time.at(buffer.read_int64)
    cert.valid_before     = Time.at(buffer.read_int64)
    cert.critical_options = read_options(buffer)
    cert.extensions       = read_options(buffer)
    cert.reserved         = buffer.read_string
    # The signing (CA) key, also wrapped in a nested buffer.
    cert.signature_key    = buffer.read_buffer.read_key
    cert.signature        = buffer.read_string
  end
end

Public Instance Methods

fingerprint()
# File lib/net/ssh/authentication/certificate.rb, line 71
# Fingerprint of the certified public key; delegates to +key+.
# Note that this identifies the key, not the certificate as a whole
# (the CA key and signature are not part of it).
def fingerprint
  certified_key = key
  certified_key.fingerprint
end
sign(key, sign_nonce=nil)
# File lib/net/ssh/authentication/certificate.rb, line 87
# Returns a signed copy of this certificate, leaving the receiver untouched.
# The copy is produced by Object#clone, which is shallow: the attribute
# objects (key, principals, options) are shared with the original.
# See #sign! for the meaning of +key+ and +sign_nonce+.
def sign(key, sign_nonce=nil)
  clone.sign!(key, sign_nonce)
end
sign!(key, sign_nonce=nil)

Signs the certificate in place with +key+, which becomes its +signature_key+.

# File lib/net/ssh/authentication/certificate.rb, line 76
# Signs this certificate in place with +key+ (the CA key) and returns self.
#
# +key+ must respond to +ssh_signature_type+ and +ssh_do_sign+. It is stored
# as +signature_key+ before the blob is built, because the CA key is part of
# the signed data.
#
# +sign_nonce+ overrides the random nonce; leave it nil outside of tests.
# The nonce is part of the signed blob and PROTOCOL.certkeys specifies it be
# random so that signatures cannot be replayed across certificates whose
# other fields collide.
def sign!(key, sign_nonce=nil)
  # ssh-keygen uses 32 bytes of nonce.
  self.nonce = sign_nonce || SecureRandom.random_bytes(32)
  self.signature_key = key
  sig_type = key.ssh_signature_type
  raw_sig  = key.ssh_do_sign(to_blob_without_signature)
  # Wire format of the signature: string algorithm name, mstring signature.
  self.signature = Net::SSH::Buffer.from(:string, sig_type, :mstring, raw_sig).to_s
  self
end
signature_valid?()

Checks whether the certificate's signature was produced by +signature_key+ (the CA key carried in the certificate). This is the cryptographic check only: trust in +signature_key+, the validity window and the principals are not checked here.

# File lib/net/ssh/authentication/certificate.rb, line 93
# Verifies +signature+ against the unsigned certificate body using
# +signature_key+, the CA key carried inside the certificate itself.
#
# This is the cryptographic check only. It does not establish that
# +signature_key+ is a trusted CA, and it ignores +serial+, the validity
# window, +valid_principals+ and +critical_options+; a caller accepting a
# certificate must check those separately.
#
# The leading signature-format string is read and discarded rather than
# compared with +signature_key.ssh_signature_type+; whether the algorithm is
# enforced depends on +ssh_do_verify+ — NOTE(review): confirm.
def signature_valid?
  sig = Buffer.new(signature)
  _format = sig.read_string
  raw_sig = sig.read_string
  signature_key.ssh_do_verify(raw_sig, to_blob_without_signature)
end
ssh_do_sign(data)
# File lib/net/ssh/authentication/certificate.rb, line 59
# Signs +data+ with the certified key (delegates to +key+), so a
# Certificate can stand in wherever a key is used for signing.
def ssh_do_sign(data)
  signer = key
  signer.ssh_do_sign(data)
end
ssh_do_verify(sig, data)
# File lib/net/ssh/authentication/certificate.rb, line 63
# Verifies +sig+ over +data+ with the certified key (delegates to +key+).
# This checks a signature made by the certified key, not the certificate's
# own CA signature — see #signature_valid? for that.
def ssh_do_verify(sig, data)
  verifier = key
  verifier.ssh_do_verify(sig, data)
end
ssh_signature_type()
# File lib/net/ssh/authentication/certificate.rb, line 47
# Algorithm name used when this certificate signs something: the type of
# the certified key itself, not the "-cert-" type returned by #ssh_type.
def ssh_signature_type
  certified_key = key
  certified_key.ssh_type
end
ssh_type()
# File lib/net/ssh/authentication/certificate.rb, line 43
# Key-type name of the certificate: the certified key's type with the
# OpenSSH v01 certificate suffix appended (e.g. a key of type "ssh-ed25519"
# yields "ssh-ed25519-cert-v01@openssh.com").
def ssh_type
  base_type = key.ssh_type
  base_type + "-cert-v01@openssh.com"
end
to_blob()

Serializes the certificate (and key).

# File lib/net/ssh/authentication/certificate.rb, line 52
# Serializes the full certificate: the unsigned body (which includes the
# certified key and the CA key) followed by +signature+ as a string field.
# The inverse of ::read_certblob.
def to_blob
  unsigned_body = to_blob_without_signature
  Buffer.from(:raw, unsigned_body, :string, signature).to_s
end
to_pem()
# File lib/net/ssh/authentication/certificate.rb, line 67
# PEM encoding of the certified key only (delegates to +key+); the
# certificate fields and CA signature are not included.
def to_pem
  certified_key = key
  certified_key.to_pem
end