123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101 |
- This document describes a lightweight SSH Signature format
- that is compatible with SSH keys and wire formats.
- At present, only detached and armored signatures are supported.
- 1. Armored format
- The Armored SSH signatures consist of a header, a base64
- encoded blob, and a footer.
- The header is the string "-----BEGIN SSH SIGNATURE-----"
- followed by a newline. The footer is the string
- "-----END SSH SIGNATURE-----" immediately after a newline.
- The header MUST be present at the start of every signature.
- Files containing the signature MUST start with the header.
- Likewise, the footer MUST be present at the end of every
- signature.
- The base64 encoded blob SHOULD be broken up by newlines
- every 76 characters.
- Example:
- -----BEGIN SSH SIGNATURE-----
- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJKxoLBJBivUPNTUJUSslQTt2hD
- jozKvHarKeN8uYFqgAAAADZm9vAAAAAAAAAFMAAAALc3NoLWVkMjU1MTkAAABAKNC4IEbt
- Tq0Fb56xhtuE1/lK9H9RZJfON4o6hE9R4ZGFX98gy0+fFJ/1d2/RxnZky0Y7GojwrZkrHT
- FgCqVWAQ==
- -----END SSH SIGNATURE-----
- 2. Blob format
- #define MAGIC_PREAMBLE "SSHSIG"
- #define SIG_VERSION 0x01
- byte[6] MAGIC_PREAMBLE
- uint32 SIG_VERSION
- string publickey
- string namespace
- string reserved
- string hash_algorithm
- string signature
- The publickey field MUST contain the serialisation of the
- public key used to make the signature using the usual SSH
- encoding rules, i.e RFC4253, RFC5656,
- draft-ietf-curdle-ssh-ed25519-ed448, etc.
- Verifiers MUST reject signatures with versions greater than those
- they support.
- The purpose of the namespace value is to specify a unambiguous
- interpretation domain for the signature, e.g. file signing.
- This prevents cross-protocol attacks caused by signatures
- intended for one intended domain being accepted in another.
- The namespace value MUST NOT be the empty string.
- The reserved value is present to encode future information
- (e.g. tags) into the signature. Implementations should ignore
- the reserved field if it is not empty.
- Data to be signed is first hashed with the specified hash_algorithm.
- This is done to limit the amount of data presented to the signature
- operation, which may be of concern if the signing key is held in limited
- or slow hardware or on a remote ssh-agent. The supported hash algorithms
- are "sha256" and "sha512".
- The signature itself is made using the SSH signature algorithm and
- encoding rules for the chosen key type. For RSA signatures, the
- signature algorithm must be "rsa-sha2-512" or "rsa-sha2-256" (i.e.
- not the legacy RSA-SHA1 "ssh-rsa").
- This blob is encoded as a string using the RFC4253 encoding
- rules and base64 encoded to form the middle part of the
- armored signature.
- 3. Signed Data, of which the signature goes into the blob above
- #define MAGIC_PREAMBLE "SSHSIG"
- byte[6] MAGIC_PREAMBLE
- string namespace
- string reserved
- string hash_algorithm
- string H(message)
- The preamble is the six-byte sequence "SSHSIG". It is included to
- ensure that manual signatures can never be confused with any message
- signed during SSH user or host authentication.
- The reserved value is present to encode future information
- (e.g. tags) into the signature. Implementations should ignore
- the reserved field if it is not empty.
- The data is concatenated and passed to the SSH signing
- function.
- $OpenBSD: PROTOCOL.sshsig,v 1.4 2020/08/31 00:17:41 djm Exp $
|