proposal: x/crypto/ssh: add SSHSIG support #68197
Description
Proposal Details
I'd like to propose we support encoding and decoding SSHSIG signature format.
I already have a working implementation (armoring a *ssh.Signature and then parsing it back into the signed data), but I'm not sure what the api should look like.
We have a couple of steps to create a signature:
- create a blob
- sign the blob (this signing step is already implemented here)
- create the signed data
- encode it into a PEM format
To verify a signature, we need to:
- create a blob
- decode the previously created PEM formatted signature
- call
publickey.Verify(blob, decodedBlod)
Given all this, I'd suggest the following functions:
func CreateBlob(r io.Reader) ([]byte, error) // or (io.Reader, error)
func Encode(pk ssh.PublicKey, sig *ssh.Signature) ([]byte, error) // or (io.Reader, error)
func Decode(r io.Reader) (*ssh.Signature, ssh.PublicKey, error)We would also need these two structs:
// Blob according to the SSHSIG protocol.
type Blob struct {
Namespace string
Reserved string
HashAlgorithm string
Hash string
}
// SignedData according to the SSHSIG protocol.
type SignedData struct {
MagicPreamble [6]byte
Version uint32
PublicKey string
Namespace string
Reserved string
HashAlgorithm string
Signature string
}and some constants:
const (
magicPreamble = "SSHSIG"
version = 1
namespace = "file"
hashAlgorithm = "sha512"
armorType = "SSH SIGNATURE"
)There's also the discussion of which hash algorithms to support... only rsa-sha2-512 or rsa-sha2-256, which I think it's easy enough to support both.
Finally, the namespace, not sure if we allow to customize that or not.
Anyway, I would love to work on this, just need some direction on how the API should look like.