feat: use SSH host certificates (#3786)

This commit is contained in:
miampf 2025-07-01 12:47:04 +02:00 committed by GitHub
parent 95f17a6d06
commit 7ea5c41f9b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
34 changed files with 706 additions and 117 deletions


@ -17,6 +17,7 @@ import (
"fmt"
"io"
"math/big"
"time"
"golang.org/x/crypto/hkdf"
"golang.org/x/crypto/ssh"
@ -77,6 +78,28 @@ func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) {
return ca, nil
}
// GenerateSSHHostCertificate takes a given public key and CA to generate a host certificate.
func GenerateSSHHostCertificate(principals []string, publicKey ssh.PublicKey, ca ssh.Signer) (*ssh.Certificate, error) {
certificate := ssh.Certificate{
CertType: ssh.HostCert,
ValidPrincipals: principals,
ValidAfter: uint64(time.Now().Unix()),
ValidBefore: ssh.CertTimeInfinity,
Reserved: []byte{},
Key: publicKey,
KeyId: principals[0],
Permissions: ssh.Permissions{
CriticalOptions: map[string]string{},
Extensions: map[string]string{},
},
}
if err := certificate.SignCert(rand.Reader, ca); err != nil {
return nil, err
}
return &certificate, nil
}
// PemToX509Cert takes a list of PEM-encoded certificates, parses the first one and returns it
// as an x.509 certificate.
func PemToX509Cert(raw []byte) (*x509.Certificate, error) {
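Review bot: `KeyId: principals[0]` indexes the slice unconditionally, so GenerateSSHHostCertificate panics with an index-out-of-range on an empty `principals` instead of returning an error; a guard such as `if len(principals) == 0 { return nil, fmt.Errorf("no principals given for SSH host certificate") }` before the struct literal closes that hole. With `ValidBefore: ssh.CertTimeInfinity` and no `Serial` set, every certificate this emits never expires and, as far as I can tell, can only be revoked by rotating the CA or listing the host key itself in a KRL (serial-based revocation needs a unique non-zero serial); if that is the intended trade-off for an emergency CA, a comment on those two fields saying so would spare the next reader the question, otherwise a bounded validity and a unique serial are worth adding. `ValidAfter: uint64(time.Now().Unix())` also makes the certificate invalid on any client whose clock runs slightly behind the signer's; backdating it by a few minutes is the usual mitigation. Finally, the `SignCert` error is returned bare, so wrapping it as `fmt.Errorf("signing SSH host certificate: %w", err)` would tell callers which step failed.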