I have a similar diff on https://bugzilla.mindrot.org/show_bug.cgi?id=2799
I'm not sure whether it is the right way to do this though - I have to
think about it some more.
On Thu, 24 May 2018, Yegor Ievlev wrote:
> This PR adds capability to create and use rsa-sha2 certificates.
>
> diff --git a/ssh-rsa.c b/ssh-rsa.c
> index 49e71c8..69de09c 100644
> --- a/ssh-rsa.c
> +++ b/ssh-rsa.c
> @@ -57,9 +57,11 @@ rsa_hash_alg_from_ident(const char *ident)
> if (strcmp(ident, "ssh-rsa") == 0 ||
> strcmp(ident, "ssh-rsa-cert-v01 at openssh.com") == 0)
> return SSH_DIGEST_SHA1;
> - if (strcmp(ident, "rsa-sha2-256") == 0)
> + if (strcmp(ident, "rsa-sha2-256") == 0 ||
> + strcmp(ident, "rsa-sha2-256-cert-v01 at openssh.com") == 0)
> return SSH_DIGEST_SHA256;
> - if (strcmp(ident, "rsa-sha2-512") == 0)
> + if (strcmp(ident, "rsa-sha2-512") == 0 ||
> + strcmp(ident, "rsa-sha2-512-cert-v01 at openssh.com") == 0)
> return SSH_DIGEST_SHA512;
> return -1;
> }
> diff --git a/sshkey.c b/sshkey.c
> index 7712fba..2d43887 100644
> --- a/sshkey.c
> +++ b/sshkey.c
> @@ -110,6 +110,8 @@ static const struct keytype keytypes[] = {
> # endif /* OPENSSL_HAS_NISTP521 */
> # endif /* OPENSSL_HAS_ECC */
> { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT",
KEY_RSA_CERT, 0, 1, 0 },
> + { "rsa-sha2-256-cert-v01 at openssh.com", "RSA-CERT",
KEY_RSA_CERT, 0, 1, 1 },
> + { "rsa-sha2-512-cert-v01 at openssh.com", "RSA-CERT",
KEY_RSA_CERT, 0, 1, 1 },
> { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT",
KEY_DSA_CERT, 0, 1, 0 },
> # ifdef OPENSSL_HAS_ECC
> { "ecdsa-sha2-nistp256-cert-v01 at openssh.com",
"ECDSA-CERT",
>
> Please set email of commit to koops1997+github at gmail.com and name to
> Yegor Ievlev, so commit will be attributed to me on GitHub.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>