search for: subjectpublickeyinfo

ssh-keygen already supports importing and exporting ssh keys using various formats. The "-m PEM" which should have been the easiest to be used with various of external application expects PKCS#1 encoded key, while many applications use SubjectPublicKeyInfo encoded key. This change adds SubjectPublicKeyInfo support, to ease integration with applications. Examples: ## convert SubjectPublicKeyInfo public key to SSH public key $ openssl req -newkey rsa:2048 -nodes -pubkey -subj "/CN=test" \ -noout -keyout /dev/null | \ ssh-keygen -i -...

...----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwXDZs8EBb/JyZ9daB3Zk9WHxD ULpek5NANbuHikHe8drH+QdE6DZ8qo4IXroDlT53yR7y39hmB8c1a+vryqORe2dl gK6WAlyIopjS7MY/4+gEgeXnkKjNWf9DavY/XySWwxDBEbX8DUzsBoJFeAsvu6tl CeINpU3Fvv/7Vfcy5wIDAQAB - -----END PUBLIC KEY----- i think this is the X.509 subjectPublicKeyInfo format. the public keys that tinc generates look like that - -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALBcNmzwQFv8nJn11oHdmT1YfENQul6Tk0A1u4eKQd7x2sf5B0ToNnyq jgheugOVPnfJHvLf2GYHxzVr6+vKo5F7Z2WArpYCXIiimNLsxj/j6ASB5eeQqM1Z /0Nq9j9fJJbDEMERtfwNTOwGgkV4Cy+7q2UJ4g2lTcW+//tV9zLnAgMBAAE= - -----END RSA...

...t;man ssh-config", "-m" support following formats: "?PKCS8? (PEM PKCS8 public key)" and "?PEM? (PEM public key)". This is not true. First of all they are both PEM (Base64 encoded DER). And PKCS8 is for *private* keys only. What you call "PKCS8" is "SubjectPublicKeyInfo" and it is encoded in PEM. What you call "PEM" is RSA public key encoded in PEM. People are confused: http://crypto.stackexchange.com/questions/27913/why-can-ssh-keygen-export-a-public-key-in-pem-pkcs8-format http://crypto.stackexchange.com/questions/35093/why-ssh-gen-makes-differ...

...er client cert fingerprints or public key fingerprints (the digest algorithm can be configured with smtpd_tls_fingerprint_digest). I can't see why %{x509} should digest the certificate and not merely PEM-encode it, but having another %{pubkey} variable expanding to the (PEM-encoded) cert's SubjectPublicKeyInfo block would surely be useful :-) I wonder if there are other folks interested in having the client cert available in the passdb. Thanks, cheers, -- Guilhem. [1] http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2BAC8-authentication [2] http://www.postfix.org/post...